Cybersecurity Is a Business Risk
These days, I encourage organizations to manage cybersecurity as a business risk on par with sales, order fulfillment, and accounts receivable.
This is because not only do we have aggressive, capable cyber-attackers coming after us, but we also have to deal with lawmakers and regulators when we mess up (which is inevitable).
So, the goal I set for my customers is to practice “reasonable cybersecurity” as defined by the FTC and structured by the NIST Cybersecurity Framework.
Check out this video “Reasonable Cybersecurity” from my LinkedIn Learning course: Cybersecurity for Executives.
Manage Clear Priorities
Furthermore, because an organization’s resources are limited, and their risks are unlimited, it’s necessary to determine clear priorities and manage to them.
I also recommend that all this work be done under attorney-client privilege to shield cyber risk records from e-discovery should a lawsuit be filed against the organization.
In terms of technical cyber hygiene, most of the action is at the endpoints controlled by individual users, so I encourage (1) removing local admin rights and (2) application whitelisting as the first two actions from the “Essential Eight” published by the Australian Cyber Security Centre.
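As an added illustration of the first of those two actions (this is example code, not part of the original post or of the ACSC’s Essential Eight material), the script below audits the local Administrators group on a Windows endpoint and reports any member that is not on an approved list. The approved-list entries are constructed placeholders; the domain group name is hypothetical and must be replaced with whatever your organization actually sanctions.

```powershell
# Added example (not from the original post): audit the local Administrators group
# and report any member not on an approved list. Runs on Windows 10 / Server 2016+
# with the built-in Microsoft.PowerShell.LocalAccounts module (Get-LocalGroupMember).

# Assumption: the approved list below is a constructed placeholder; replace it with
# the accounts your organization actually sanctions (e.g. an IT break-glass account).
$ApprovedAdmins = @(
    "$env:COMPUTERNAME\Administrator",   # built-in local admin (ideally disabled or renamed)
    "CONTOSO\Workstation Admins"         # hypothetical domain group for IT staff
)

function Get-UnapprovedLocalAdmins {
    param(
        [string[]] $Approved = $ApprovedAdmins
    )
    # Enumerate the current members of the local Administrators group.
    $members = Get-LocalGroupMember -Group "Administrators" -ErrorAction Stop

    # Flag anything not on the approved list (-notcontains compares case-insensitively).
    $members | Where-Object { $Approved -notcontains $_.Name } |
        Select-Object Name, ObjectClass, PrincipalSource
}

$unapproved = Get-UnapprovedLocalAdmins
if ($unapproved) {
    Write-Warning "Unapproved members of local Administrators on ${env:COMPUTERNAME}:"
    $unapproved | Format-Table -AutoSize
    # Remediation, to be run deliberately after review of the findings:
    # Remove-LocalGroupMember -Group "Administrators" -Member $unapproved.Name
} else {
    Write-Output "Local Administrators group contains only approved members."
}
```

Run it under an administrative PowerShell session, or push it through your endpoint management tooling and collect the output centrally so that drift back to local admin rights shows up as a finding rather than going unnoticed.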
Of course, network security remains incredibly important to get right. But it’s myopic to put all of your cybersecurity budget and effort into that area and count on prevention alone; that is old thinking.