john-hock-web-2019
By John Hock, CPA, CISA, CITP, SOC – Manager, IT Advisory and Security Group

As the frequency and sophistication of cyberattacks increase year over year, a company’s best defense against this prevalent threat is teamwork. Rather than limiting security precautions to a designated team of specialized information technology (IT) personnel, the organization should call on each employee – regardless of function – to actively participate in the defense against cybercrime.

The Roles We Each Play

An effective cybersecurity program can only be achieved when each employee takes proper action to protect against cybercrime. The role and actions each employee takes will depend on their function and set of responsibilities within the organization. Below are the different functions of a business and the common role each can play in creating a cyber-secure culture.

Leadership, Planning and Governance

Those who control the strategic direction of the organization are responsible for understanding and mitigating the overall cyber-related risks to the organization. Setting the tone from the top is essential to building a cyber-secure culture.

What they should do:

  • Understand cybersecurity best practices well enough to make good cyber-related decisions for the company.
  • Consider cyber risks in the enterprise risk management process.
  • Develop and maintain organizational information security policies and standards.
  • Promote the creation of cross-functional teams to accomplish cybersecurity goals.
  • Support and fund requests for the right cybersecurity resources.

Sales, Marketing and Communications

Because these teams are engaging with clients, prospects and vendors outside of the organization, they need to focus on preventing information loss during these interactions, in addition to protecting the organization’s brand and reputation.

What they should do:

  • Understand the importance of cybersecurity and communicate it to all stakeholders.
  • Create a communications plan to be put in place during a cyber incident.
  • Restrict access to the customer relationship management (CRM) platform to those who need it, and protect it with multi-factor authentication and role-based permissions.
  • Protect customer information in quotes, purchase orders, invoices, payments and presentations.

Facilities, Physical Systems and Operations

Employees who design and deliver the organization’s products and services have an obligation to protect the uniqueness of those products and services, and to secure their physical systems against both physical and cyber hazards.

What they should do:

  • Identify cyber risks for physical systems, including control systems.
  • Confirm appropriate physical security controls are implemented at all facilities.
  • Incorporate cybersecurity into the safety program.
  • Protect intellectual property.
  • Think about security risks within the supply chain.

Finance and Administration

The finance and administration team handles a lot of sensitive information, from payroll to banking, and they must ensure that this information stays secure in compliance with corporate policy, while helping the organization maintain its financial health.

What they should do:

  • Provide sufficient funding for the organization to carry out a successful cybersecurity strategy.
  • Work with other business functions to create a plan for emergency spending.
  • Work with legal, compliance and information technology to ensure contracts with third parties include clauses for oversight of supplier cybersecurity, notification of incidents, and adherence to industry and government policies and regulations.
  • Determine an appropriate balance of resource allocation between run-the-business, improve-the-business and secure-the-business investments.

Human Resources

Those who hire and support an organization’s employees can contribute to a cyber-secure culture by executing best practices in employee training, performance management and record keeping.

What they should do:

  • Ensure cybersecurity knowledge is incorporated into employee training and development programs.
  • Perform background checks on new hires to mitigate risk.
  • Require training and awareness programs for all employees.
  • Be vigilant when selecting vendors to ensure they can keep employee information confidential.
  • Make sure the accounts of terminated employees are closed promptly.

Legal and Compliance

Employees who handle legal and compliance matters ensure the organization meets all applicable cybersecurity laws and regulations in order to limit its liabilities. When incidents do arise, they address the legal implications.

What they should do:

  • Understand the legal implications of cybersecurity to allow effective risk mitigation.
  • Create a compliance program for the organization.
  • Determine measures to lessen risks introduced by partners and third-party suppliers.
  • Support the incident responders during a suspected breach, and take the appropriate steps to preserve legal privilege, if possible.
  • When necessary, conduct law enforcement engagement, vendor notifications and public notifications after an incident.
  • Lead efforts to implement privacy guidelines consistent with relevant laws and regulations.

Information Technology

At the heart of any cyber-secure organization is a good IT team. Tasked with helping develop and maintain company technology and security, the team must have the relevant expertise to contribute to implementing a multi-layered approach to information security.

What they should do:

  • Assist in implementing a robust cybersecurity program with effective technical and process controls.
  • Integrate security into all IT operations.
  • Establish and help to enforce security policies for all employees and external parties.
  • Determine cloud security policies for the company.
  • Maintain technical competence in knowledge, skills and abilities essential to cybersecurity.

A Combined Effort

Although each employee plays a unique role in keeping an organization protected from cybercrime, there are a few simple steps every employee can take to contribute to a cyber-secure environment.

Familiarize yourself with technology policies and procedures. Be sure to read and understand the organization’s policies and procedures as they relate to technology and cybersecurity.

Keep your operating system and applications updated. Enable automatic updates so that operating systems and applications are always running their most current, patched version.

Protect files and sensitive information. Share only the information that is necessary, use strong, unique passwords, and encrypt files when you transfer them to others.

Be vigilant. Stay watchful for potential security risks and speak up if you notice anything unusual.

Work securely when remote. Protect yourself when out of the office by enabling WPA2 or WPA3 encryption on your wireless router, hardening your browser’s security settings and using a Virtual Private Network (VPN) to access corporate networks. Do not use public Wi-Fi without a VPN.

Are Your Employees Doing the Right Things?

Today, employees are the greatest vulnerability in any organization’s cybersecurity program. Do you know whether each of your employees is doing their part to protect the organization? Consider engaging a team of cybersecurity advisors, like those at Doeren Mayhew, to help you answer that question. Through Doeren Mayhew’s suite of CYBERCLAW™ solutions, our advisors can perform a variety of phishing exercises to determine your organization’s weakest links, along with many other assessments to help you identify risks to your systems and data. Contact our cybersecurity advisors today.