Why Cyber Security Compliance Doesn’t Belong In The IT Department’s Hands

What if you discovered that all of your hard work is at risk? The investments and time you have spent growing your business could be in jeopardy because of a failure by your outsourced IT company, or by your well-meaning (but overburdened) IT department. If you were exposed to that level of risk, wouldn’t you want someone to tell you about it?

This is your wake-up call.

Over the last several years, the risks associated with cyber security attacks have grown in magnitude. They are no longer a low-probability hazard that will result in a minor inconvenience. Businesses of all sizes and types are getting hacked. They are losing hundreds of thousands of dollars, or even multiple millions. Additionally, they suffer significant reputational damage and loss of customer goodwill. For some, it’s a business-ending event. For nearly everyone else, it’s a significant financial disaster that can negatively impact profits and revenue for years.

Yet too many CEOs and small business owners are still abdicating critical decisions about risk tolerance and compliance policy to their IT company or IT department. These decisions no longer belong there.

For example, let’s suppose you have an employee who refuses to comply with strict data security and password policies and continually fails cyber security awareness training. This behavior puts your company at risk of a cyber-attack and a compliance violation. Should your IT manager or IT company fire this employee? Reprimand them? Is it even the IT department’s job to manage how employees behave with company data and devices? If you say yes, the question is, when was the last time you met with them, specifically addressed this issue, and directed them on how to monitor and manage it? Likely never – or once, a very long time ago.

Therein lies the problem. Most CEOs would agree that it’s not up to the IT department to make that call. However, many of these same CEOs leave it entirely up to the IT department or outsourced IT company to handle the situation, to decide what is allowed and what isn’t, and to decide how much risk the business will take.

Worse yet, many CEOs aren’t aware that they SHOULD have such policies in place. These policies are what keep your company from being compromised or left at risk. It’s not necessarily your IT person’s job to determine what should or shouldn’t be allowed. That’s your job as the CEO.

As another example, many companies have invested in cyber liability, ransomware, or crime insurance policies. These policies provide financial relief in the event of a cyber-attack and cover the exorbitant legal, IT, and related costs that result when such an event occurs. Yet our experience shows that most insurance agents and brokers do not understand the IT requirements a policyholder must meet to keep the policy in force, and cannot convey those requirements to the CEOs they are selling a policy to. Therefore, they never advise their clients to consult with their IT provider or internal IT to ensure the right protocols are in place. Without those protocols, the client risks having coverage denied for failing to comply with the policy requirements.

When a cyber event occurs and the claim gets denied, whose fault is it? The insurance agent for not warning you? Your IT department or IT company for not putting in place protocols they were never even briefed on? Ultimately, it’s on you. As the CEO, you must make sure that decisions affecting the risk to your organization are informed ones, not decisions made by default.

Of course, a great IT company will bring these issues to your attention and offer guidance. However, most IT companies are just keeping the “lights” on and the systems up. They are NOT consulting their clients on enterprise risk and legal compliance.

Ensure your organization is prepared for a cyber-attack’s aftermath. Schedule a private consultation with one of our advisors about your concerns. It’s free of charge and may be extremely eye-opening for you.


#SimplifyIT
