Cybersecurity pros, resolve to always go the last mile when it comes to information security. Here are questions that can help with this crucial part of the process.
For more than a decade I have advised executives in government, the private sector, and at nonprofits on communicating about the risks of cyberattacks, terrorist attacks, and natural disasters. Cabinet secretaries, CEOs, and college presidents aren’t the only voices that matter in a large organization, however; I also listen closely to CIOs and IT managers, and talk with internal and external communicators as well. I have studied examples—good and bad—of information security and disaster preparation and responses.
I constantly ask the question: What fell through the cracks before, during, and after a major incident like a data breach or a cyberattack? Here’s what I have learned.
Almost all organizations have taken steps to protect against a data breach or a cyberattack—some made large investments in security ahead of time, others only did so after suffering a major loss. But what I have found to be the most common gap or missing link was not high-tech or particularly costly—it was the flawed hand-off of critical security information from the CIO level through IT staff and contractors and into the hands of employees.
Translating information security policies and procedures into clearly understood language and useful, relevant materials is absolutely essential, but it’s not enough. As I’ve written over the last year on TechRepublic, organizations must go a step further and empower employees to be part of the solution. That’s the “last mile” in cybersecurity, and also the one that’s most neglected.
Security questions every business should address
When I advise organizations on how to go the last mile to better protect against a data breach or malicious cyberattacks, I recommend they consider these questions.
- Do your top information security (CIO/CISO), IT, and internal communications or employee relations leaders know each other? Do they work together to build a security culture up and down the organization?
- What do IT staff and employees think of the organization’s information security training and education resources? If the answer is a collective eye-roll, that’s a clear area for improvement.
- Are other parts of the organization that support employees—like onboarding, travel, and employee assistance program (EAP) staff and interns—included in the discussion about