
Good cybersecurity must start at the top - and stay there

Layered Cybersecurity - Starts at the top

Implementing good cybersecurity is no longer a responsibility that company executives or board members can assign to the IT staff or an outside provider, and then ignore. For most organizations, there’s too much at stake.

Too much valuable information is created, moved and stored online. No matter how good a company’s products and services might be, data breaches and electronic sabotage can destroy an organization’s business.

Inadequate attention to cybersecurity can damage a company’s brand and ruin its relationship with customers. An employee at any level can make one careless, inadvertent mistake and expose an organization to serious vulnerabilities. That’s why businesses should make implementing and maintaining good cybersecurity a priority.

Good cybersecurity starts with a commitment from the highest level of company management and permeates the entire organization on an ongoing basis.

“The reality with cybersecurity is the job is never done. Companies need to continually review their policies and make sure they’re up to date with what’s being done across the organization and remain robust enough to stay ahead of the bad guys,” says Carrie Johnson, manager of government and external relations for Sioux Falls-based SDN Communications.

However, just having a good, up-to-date cybersecurity strategy in place isn’t enough. Companies need to update and enforce policies and procedures continually.

“That’s why having leadership buy into the support and prioritization of cybersecurity is so critically important,” Johnson says. “We’re no longer in an age where responsibility for cybersecurity can be limited to IT. It’s a job that extends across the organization.”

Employees throughout any organization should understand that protecting the company is part of everyone’s job.

Organizations should incorporate cybersecurity dangers into an overall risk-management plan, and blend protective policies into business operations at every level. Set priorities based on risk factors and allocate resources accordingly.

Where to start

Regardless of whether an organization is developing, strengthening or updating its cybersecurity strategy and procedures, the NIST Cyber Framework is a good place to start.

The federal framework is a series of guidelines developed with input from the private sector under the leadership of the National Institute of Standards and Technology, or NIST for short.

SDN is among the companies that have worked through the Cyber Framework. SDN’s efforts have the strong support of CEO Mark Shlanta.

“The framework is voluntary, flexible and scalable,” Shlanta says. “It directs organizations to focus on risk management and challenges them to think critically about their unique operations, cybersecurity threats and vulnerabilities.”

Cassie Baldwin, contact center manager at SDN, leads the company’s business continuity planning and was part of the SDN team that worked through the NIST framework.

She admits the guidelines might seem overwhelming at first.

“But as you go through it, you realize you have many of the points already in place. Then it becomes a matter of reviewing points you may not have previously addressed,” she says.

For SDN, working through the framework reinforced the importance of, and the continuous need for, good planning and training to avoid ever-changing cyber risks.

The vast majority of data breaches among businesses – approximately 95 percent, according to some assessments – can be traced to human error rather than mechanical failures. Getting someone to innocently click on a contaminated link in an email or on a website, for example, can offset advanced protections provided by hardware or software.

So, keeping employees aware of risks and trained to avoid them is extremely important, Baldwin says.

This post is part of a series about the importance of layered security. Our next installment will focus on the value of training and testing employees, as well as offer some suggestions on what to include.
