Cybersecurity is a vital part of business in the digital age, but many companies don’t put policies in place to keep them safe from attack. These attacks can take many different forms, and might be designed to steal data, extort money, or destroy information. All of these outcomes can have major consequences for companies. When companies are targeted by network attacks, they can lose millions of dollars as they try to recover from the effects. People usually think of security breaches in terms of how much information might be exposed, but companies also need to realize that attacks can cause irreparable harm to their reputations. If consumers don’t believe they can trust a company with their money, information, or other resources, that company won’t survive for long.
Given the stakes of neglecting cybersecurity in this way, it seems as if every company would rush to make sure they were as secure as possible all the time. Many company boards believe that they’re already safe when they’re still vulnerable, however, due to two cybersecurity myths that stubbornly cling to life in board rooms. The first myth is that all cyberattacks are targeted toward specific companies, and that if an attack isn’t aimed directly at a company, that company won’t be affected. The second myth is that cybersecurity is too complicated for a company board to get involved in, and that it’s better relegated to the IT department. The longer a company believes in these myths, the more it risks costly security breaches.
Companies think that all cyberattacks against them are targeted because they misunderstand the nature of those attacks. They believe in a simple definition of cyberattacks: if they’re not directed right at the company’s servers, they’re not a problem. Security guidelines in the corporate world tend to focus on targeted attacks, particularly in the IT department. For example, programmers have to make sure data entered by program or web site users won’t do anything malicious to the company’s servers. Most companies tend to put far less emphasis on attacks that can happen by random circumstance. Chain emails can contain dangerous attachments that employees click on, managers can accidentally go to sites infected with malware, or clients can connect to the company’s computers and transfer a virus without realizing it. All of these are ways that malicious programs can gain a foothold in a company’s servers, whether or not they were aimed there in the first place.
When members of company boards think that cybersecurity is too complicated for them to get involved in, they’re experiencing the opposite problem: overcomplicating the issue instead of oversimplifying it. Since board members aren’t always IT professionals, they sometimes assume that they would need to know precise information about cybersecurity in order to understand it. When they don’t know these things, they assume it’s too complicated or technical. Once again, in their minds, it’s a problem for the IT department, and not something to waste time with in a board meeting. When not everyone in a company has a basic grasp of cybersecurity information, however, there will be a point where communication breaks down. A company can only protect itself against cyberattacks effectively if everyone can communicate about cybersecurity in ways they all understand. Breakdowns in communication and understanding are where cyberattacks can succeed.
The solution to eradicating both of these cybersecurity myths is to involve everyone in a company, from board members to IT professionals to everyone else, in discussions about cybersecurity. This doesn’t necessarily mean that everyone needs to know all the technical parts of everything the company does for security purposes, but it does mean that everyone should know some basic information and security techniques. Depending on people’s roles within the company, they’ll need to know different things. For example, everyone in a company should know how to identify an email with a malicious link or attachment, but only certain IT professionals will need to know exactly how data is screened in the company’s servers.
Company boards can help everyone create this common knowledge by implementing company-wide cybersecurity policies. Effective general cybersecurity policies can be surprisingly simple. Training all employees on how to spot malicious communication, making sure that everyone has a basic knowledge of cybersecurity, and continually training everyone in that general knowledge can deflect many potential problems before they affect a company. Boards must also make sure that communication is always possible on cybersecurity matters, regardless of where a threat is found, so the threat can be fixed or mitigated quickly.
With the right planning, cybersecurity doesn’t have to be complicated, and company boards can make sure that everyone understands their role in avoiding damage from cyberattacks. Cybersecurity myths can be costly, but understanding the realities of the digital age can be vital to a company’s success.
The original version of this article was first published on Inspired eLearning.