For more than a decade I have advised executives in government, the private sector, and at nonprofits on communicating about the risks of cyberattacks, terrorist attacks, and natural disasters. Cabinet secretaries, CEOs, and college presidents aren't the only voices that matter in a large organization, however; I also listen closely to CIOs and IT managers, and talk with internal and external communicators as well. I have studied examples—good and bad—of information security and disaster preparation and responses.
I constantly ask the question: What fell through the cracks before, during, and after a major incident like a data breach or a cyberattack? Here's what I have learned.
The "last mile" problem
Almost all organizations have taken steps to protect against a data breach or a cyberattack—some made large investments in security ahead of time, others only did so after suffering a major loss. But what I have found to be the most common gap or missing link was not high-tech or particularly costly—it was the flawed hand-off of critical security information from the CIO level through IT staff and contractors and into the hands of employees.
Translating information security policies and procedures into clearly understood language and useful, relevant materials is absolutely essential, but it's not enough. As I've written over the last year on TechRepublic, organizations must go a step further and empower employees to be part of the solution. That's the "last mile" in cybersecurity, and also the one that's most neglected.
Security questions every business should address
When I advise organizations on how to go the last mile to better protect against a data breach or malicious cyberattacks, I recommend they consider these questions.
- Do your top information security (CIO/CISO), IT, and internal communications or employee relations leaders know each other? Do they work together to build a security culture up and down the organization?
- What do IT staff and employees think of the organization's information security training and education resources? If the answer is a collective eye-roll, that's a clear area for improvement.
- Are other parts of the organization that support employees—like onboarding, travel, and employee assistance program (EAP) staff and interns—included in the discussion about security?
Keep your objective in mind
Remember that cybersecurity is, in effect, a "people problem" that involves technology. Getting all those people to become an asset toward your overall security might seem hard, but it's not nearly as difficult or expensive as having to rebuild your IT systems, and the trust of your customers, in the wake of a major breach that could have been avoided.
Gregory Michaelidis directs the Security Awareness Lab and is a Cybersecurity Initiative Fellow at New America. Previously he served as a senior public affairs advisor and director of speechwriting at the U.S. Department of Homeland Security.