Two recent events we've attended have reinforced the differences between companies that take cybersecurity seriously and those that don't. At the first, we attended a quarterly IT committee meeting of a client in a regulated industry. To make sure they were covering their bases with regard to their cybersecurity efforts, they had voluntarily completed a cybersecurity self-assessment. What impressed us was that it was clearly completed not as a check-the-box exercise, but with the aim of fully understanding the process and its content.
By comparison, the second event featured an attorney who specializes in cybersecurity incidents and breaches, presenting to about 120 business owners in the region on the importance of having a Written Information Security Plan (WISP). After about 10 minutes of presenting to a sea of blank faces, she stopped and asked how many in attendance knew whether their company in fact had a Written Information Security Plan. Exactly two hands went up (Suite3 President Dave DelVecchio's was one!). Someone in the audience asked, "Who says that all businesses need one?" The attorney answered correctly: the Commonwealth of Massachusetts does, and it has been the case for nearly 10 years, since 201 CMR 17.00 took effect. That regulation requires any business that owns or licenses personal information about a Massachusetts resident to develop, implement and maintain a written information security program, regardless of the business's size or industry.
Many companies in attendance that night were in industries such as manufacturing and health care, where the physical safety of employees or patients is top-of-mind and permeates the organization. Cybersecurity and the protection of data and personal information require the same level of attention and must be viewed with the same level of importance.
Business owners, C-level executives, and management of all organizations should be evangelical about cybersecurity. We encourage every organization to build a culture in which cybersecurity becomes part of its DNA, one that will:
- Align with your business vision
- Foster a security-conscious culture
- Lead to the implementation and maintenance of a thorough assessment program that identifies your highest-risk areas of exposure
- Take security beyond mandated compliance
- Provide for investment in prevention, detection and response, not just in prevention alone