Gut Check for Leaders: Do you and your team know that cyber security is an important and essential part of their role?
Cyber threats no longer belong to just the IT department. Cyber security is an important business issue for leaders across functions, departments, and levels. Do you and your team understand where your roles and responsibilities lie in managing online risks?
All leaders need to be more aware of cyber security threats.
When I read Mark Sangster’s book, I immediately knew I needed to interview him for my Lead the Future podcast. Sangster has been working in cyber security for 25 years and is now the Vice President and Industry Security Strategist at eSentire. His book on cyber security, NO SAFE HARBOR: The Inside Truth About Cybercrime and How to Protect Your Business, is an alarming and eye-opening must-read for leaders at all levels.
Sangster told me that cyber security has long been seen as “an IT problem to solve” but, nowadays, it should be a priority for leaders at all levels. He indicated that cyber security is of critical importance because it’s a significant operational risk to businesses. Breaches can lead to “reputational damage which may take years and years to effectively dig yourself out of,” he explained.
WHY IT MATTERS:
The pandemic has introduced new cyber threats.
According to Sangster, the risks have only grown during the pandemic. “Criminals love to jump on chaos and confusion,” he said. The chaos of the pandemic has created new opportunities for bad actors to spread misinformation or steal information by posing as legitimate authorities, Sangster explained. Many people may be familiar with common types of phishing scams, but when those scams take new forms and attempt to exploit very real anxieties, they may become newly vulnerable.
Sangster also noted that the shift to remote work opens up more cyber security vulnerabilities for businesses. Remote work leads to “the dilution of security technology, moving from the enterprise where it’s secured by experts down into the consumer-grade technology at home,” he explained.
Of course, with many companies adopting newly flexible remote-work policies post-pandemic, that threat isn’t going away any time soon. That’s not to say that remote work isn’t a viable option, but leaders need to be aware of the risks and help their teams stay up to date on how to keep the virtual workspace secure.
Small and mid-sized companies take the brunt of cyber-attacks today.
“Most companies don’t realize they’re a target,” Sangster told us. “The headlines focus on the big household brands that we know, like travel companies and hotels and banks and so on. And the reality is that’s the tip of the iceberg, and what’s below the surface is all of those smaller mid-sized manufacturers, healthcare facilities, law firms, and so on. They’re the ones that actually take the brunt of cyber-attacks.”
The cost of responding to a cyber-attack can be enormous. The average cost of a malware attack, for example, is $2.4 million. And that doesn’t take into account the damage done to a company’s reputation.
WHAT TO PAY ATTENTION TO:
How are you talking to your team about cyber security? Awareness training is an important tool to manage this risk.
“Leadership flows from the top,” Sangster said, “cyber security practices flow from the top.” As leaders, we all need to be conscious of the major sources of cyber security risk and work with our teams to ensure they understand their role in mitigating those risks.
In our conversation, Sangster identified two major types of cyber threats that leaders should be aware of.
- The first is fake invoicing, where criminals send some type of fake bill or an email that looks like an internal request for funds. “Those things cost us billions,” Sangster said. But the good news is, the fix is relatively simple. “Eighty percent of the time those fake invoices are paid. It’s not a cyber security issue - it’s a financial controls issue,” Sangster said. Make sure your team knows to always double-check and verify requests for funds before disbursing money.
- The other major type of cyber threat today is ransomware, Sangster said. The key in preventing these kinds of attacks is to “slow down to go fast,” he said. Make sure your team does their due diligence before adopting any new software, for example, and train everyone on how to recognize and thwart phishing attempts.
“Invest in your people,” Sangster said, so they don’t see risk prevention as a series of hoops to jump through, but a key responsibility that helps the business avoid a potentially catastrophic attack. A best practice for doing this is to organize cyber security awareness training. Helping employees understand that cyber security is important and relevant for everyone, and educating them about the types of cyber threats out there, will help them be better prepared to flag suspicious activity and know how to react.
WATCH OR LISTEN TO EPISODE 8