What if you discovered that all the hard work, investments and time you’ve put into growing your business is at risk due to a failure of your outsourced IT company, or possibly even your well-meaning (but overburdened) IT department? If you were exposed to that level of risk, wouldn’t you want someone to tell you about it?
This article is that wake-up call.
Over the last several years, the risks associated with cyber security attacks have grown in magnitude. They are no longer a low-probability hazard that will result in a minor inconvenience. Hackers threaten businesses of all sizes and types, and those businesses are losing hundreds of thousands, or even multiple millions, of dollars. In addition, they are suffering significant reputational damage and loss of customer goodwill. For some, it’s a business-ending event. For nearly everyone else, it’s a significant financial disaster that can negatively impact revenue for years.
Yet too many CEOs and small business owners are still abdicating critical decisions about risk tolerance and compliance policies to their IT team. These decisions no longer belong there.
Employee Cyber Security Compliance
For example, let’s suppose you have an employee who refuses to comply with strict data security and password policies. Or they continually fail cyber security awareness training, putting your company at risk for a cyber-attack and compliance violation. Should your IT manager or IT company fire this employee? Reprimand them? Is it the IT department’s job to manage employee behavior with company data and devices? If you said yes, when was the last time you met with IT to specifically discuss this issue? Have you directed them on how to monitor and manage it?
Therein lies the problem. Most CEOs would agree that it’s not up to the IT department to make that call. Yet many of these same CEOs leave it entirely up to the IT department (or outsourced IT company) to handle the situation. They leave it to IT to make decisions about what the organization does or does not allow, how much risk they want to take, etc.
Worse yet, many CEOs aren’t even aware that they SHOULD have policies in place to ensure their company isn’t compromised or at risk – and it’s not necessarily your IT person’s job to determine what should or shouldn’t be allowed. That’s your job as the CEO.
Insurance Requirements
As another example, many companies have invested in cyber liability, ransomware or crime insurance policies. Their hope is to obtain financial relief in the event of a cyber-attack and cover the exorbitant legal, IT and related costs that result from these events. Yet our experience shows that most insurance agents and brokers do not comprehend the IT requirements needed to secure a policy. Therefore, they cannot clearly explain these requirements to the CEOs they are selling a policy to. They never advise their client to consult with their IT provider or internal IT to ENSURE the right protocols are in place. As a result, you risk having coverage denied for failure to comply with the requirements in the policy.
When a cyber event occurs and the claim gets denied, whose fault is it? The insurance agent for not warning you? Your IT team for not putting in place protocols you didn’t brief them on? Ultimately, it’s on you. This is why you, as the CEO, must make informed decisions regarding the risk to your organization, not simply decisions made by default.
Of course, a great IT company will bring these issues to your attention and offer guidance. However, most are just keeping the “lights” on and the systems up. They are NOT consulting their clients on enterprise risk and legal compliance.
If you want to prepare and protect your organization from the aftermath of a cyber-attack, click here to schedule a private consultation with one of our advisors about your concerns. It’s free of charge and may be extremely eye-opening for you.