We Are in This Together: Every department can put an enterprise at risk
March 15, 2017
Protecting an enterprise’s digital assets requires more than the labor of the IT/IS teams; fighting cybercrime calls for a joint effort from each and every department. From the C-level suites, down to sales and marketing, over to finance, and through the door to the supply chain, cybersecurity stands strong only when every department takes full responsibility for its own cybersecurity efforts.
There are thousands of entry points into your business – including social media channels, rogue subdomains, untested applications and even your supply chain. As a recent Verifone breach shows, all it takes is a mistake by a single employee in one department to put an entire enterprise at risk. For an enterprise’s cybersecurity efforts to be effective, your employees need to be made aware of the fact that cybersecurity is a team sport. Here is a look at the respective risks each department faces and how they can join forces to improve cybersecurity.
Supply Chain Management Opens a Window to a Cyber Attack
Businesses consistently expose themselves to risk through their supply chains. If yours is like any other enterprise, your supply chain is an open bazaar of connections: suppliers, vendors, distributors, service providers, contractors, affiliates and partners. While efficient for operations, all these connections expose an enterprise to substantial risk.
Statistics show that almost 80% of data breaches are caused by a vulnerability in the supply chain. An IT or security department might have vetted a supplier’s or service provider’s cybersecurity credentials when initiating a business relationship, but cyber risk shapeshifts so frequently that, even if you are consistently reviewing these external partners’ cybersecurity profiles, there’s no way of knowing if a single employee of a vendor could ultimately put your own assets at risk. If your partners, vendors, or service providers are not protected against cyber threats, their weaknesses essentially become your own.
Make no mistake, hackers will take advantage of the cybersecurity deficiencies in a supply chain to get a foothold into your business. Consider the 2016 cyber breach at Oracle’s Micros point of sale (PoS) division. An infected system inside of Oracle’s network was used to compromise systems that included the PoS support portal of the Oracle division Micros, leading to the breach of more than 700 Oracle systems.
Threats to Marketing Efforts and Brand Reputation
The flip side of marketing departments’ increased dependence on social media and other digital channels is increased exposure to cyber threats.
Phishing scams, one of the most common threats to a network, take advantage of the large canvas of social media. One in five phishing scams targets Facebook, and almost 2% of all social media interactions containing a URL are malicious. Phishing scams on Twitter, LinkedIn, Google+ and YouTube are just as probable.
WordPress, the most popular content management system for websites and blogs, has long been vulnerable to cyber threats. Just this month (March 2017), a critical vulnerability was discovered in a popular WordPress plugin, possibly allowing hackers to steal password data and encryption keys from numerous databases.
Aside from digital assets, online exposure also puts your brand at risk. Malware can target your advertisements, exposing your potential and longtime customers to cybercriminals. Hackers can also create fake social accounts and sell bogus products, gaining customer information in your name and tarnishing your brand’s reputation.
Sales Teams Generate Revenue but Also Court Cyber Risk
Your sales team is always on the move, relying on mobile devices to communicate with clients and the home office. Their dependence on unsecured WiFi networks probably keeps your CISO and IT team awake at night, but, chances are, the employees themselves don’t go that extra mile to ensure they’re connecting to secure access points. After all, productivity leads to more sales and they can’t lose time to security.
Mobile devices provide multiple attack routes into corporate networks: through the carrier, Bluetooth, wireless, and text messaging. Companies can’t lock out their mobile workforces if they want to thrive; their reliance on their devices and outside networks will only increase. IDC projects mobile workers will account for nearly three quarters (72.3%) of the total U.S. workforce by the end of 2020.
Finance Team Can Make Costly Cyber Mistakes
A breach from the finance department will most likely stem from employee error. For instance, employees can receive and send unencrypted Excel or PDF files, leaving the cybersecurity door open into your company’s sensitive financial information. An employee answering an email from what looks like a trusted colleague can lead to the release of personal data such as salaries and other personal information to a malicious hacker. While employee errors can happen in any department, the sheer amount of sensitive data flowing through your finance department emphasizes the need for your finance teams to be on top of their cybersecurity game.
Financial departments are under a great amount of stress tracking the many fiscal details that make a company run. All it takes is one slipup and a treasure trove of sensitive data ends up in the wrong hands. Malicious insiders are also a cause for concern.
Executive Level Needs
Defending against cyber risk should be the biggest responsibility of executives. After all, all else will seem secondary if the enterprise is exposed to a crippling breach. However, executives are often torn between the competing objectives of prioritizing security controls or business growth. In most cases, when pitted against each other, the latter wins.
Despite this great responsibility, 40% of executives acknowledged they lacked a clear understanding of the cybersecurity protocols within their organizations. This knowledge gap trickles down to employees and could also potentially hurt business relationships if key customers and other stakeholders learn about – or are directly affected by – an enterprise’s failure to grasp the many challenges of cybersecurity.
Cybersecurity is a team sport
After reviewing the many ways an enterprise is at risk – supply chain exposure, social media threats, sketchy mobile access points, financial blunders, executive misunderstanding – it is clear that no single department can go it alone.
Cybersecurity buy-in needs to occur at every level, and every employee should be involved. Stale, impersonal cybersecurity training and threat of punishment won’t work; employees will eventually forget rules and processes or not be motivated enough to carry their end of the bargain.
A company should instead use an internal cybersecurity campaign that motivates, rewards and reinforces cybersecurity processes and rules to keep out hackers and stay ahead of evolving cyber risks. In addition, choosing the right cybersecurity partner and the optimal mix of technologies can be of tremendous help when it comes to mitigating the risks discussed above. It takes a village to create an effective cybersecurity culture. Only when each department recognizes its responsibilities and does its part will enterprise-wide cybersecurity work.