
Cybersecurity: Why It’s Not Just About Technology

To protect their systems from attacks, organizations need to build a culture of risk management from the ground up.

With cybersecurity breaches on the rise, one thing is clear: The current defenses of U.S. organizations -- both public and private -- do not rival the skill, persistence and prowess of those who seek to wreak havoc on our information-technology infrastructure and operations. What many organizations are doing in response to this growing and pervasive threat often stops with efforts to secure their systems through technology without a continued focus on building and sustaining a culture of deterrence and vigilance.

The problem with this approach is that attackers and their tools are always changing. While no one doubts the need to establish a systematic, technology-based way to protect against breaches, attention is rarely paid to building a culture of security from the bottom up. For organizations that do, the results are easily quantifiable: According to a recent survey commissioned by PricewaterhouseCoopers, CS magazine, the Secret Service and Carnegie Mellon University's Software Engineering Institute, organizations that conduct ongoing employee training and awareness programs see the financial impact of security breaches drop to an average of $168,000, a quarter of what those without such programs lose ($683,000).

When you combine numbers like those with the fact that the average number of security incidents that the 500 survey respondents reported facing last year was 135, the figures are eye-opening. And, of course, monetary losses don't account for the loss of public trust.

So what can be done? It all begins with a conversation, at the executive level down through to the most junior of staff.

At the executive level, the National Association of Corporate Directors, the American International Group and the Internet Security Alliance suggest a set of principles: While executives need to understand the complete implications of cyber risks, they also need to understand that cybersecurity is not just an IT issue but is part of enterprise-wide risk management. They should set expectations that enterprise-wide risk management is a priority that will be adequately staffed and funded. And executives need to have access to cybersecurity experts and regular discussions about cyber risk management, including how to respond to different types of risks.

In West Virginia's state government, that conversation is spearheaded by an executive-branch information-security team and a privacy management team, each established by a 2006 executive order. Through an information-security strategic plan, the state is able to apply controls and emphasize policy, training and regular audits for compliance, something that a majority of states do only on an ad-hoc basis.

At the staff level, organizations have the opportunity to educate employees on how to recognize and prevent attacks, something that only 46 percent of the organizations surveyed do. For those that do have these programs in place, 42 percent say their security-education programs have played a key role in deterring attacks. Topics often include how to handle suspicious emails and links, the role social media can play in attacks, encouraging staff to speak up if they notice something suspicious, maintaining control of user access and establishing strong password practices.

A 2012 Deloitte-NASCIO cybersecurity study describes how North Carolina's Office of Information Technology Services has provided agency personnel with the means to assess, validate and address vulnerabilities and easily report back to the state's centralized vulnerability-management tool. The statewide platform assists not only in sharing data but in supporting each agency's systems.

The message should be clear: No matter where you are in your organization, cybersecurity is your responsibility. Unfortunately, much work remains to give each employee the tools, forums and support to make such an enterprise-wide approach the standard. Fortunately, that work begins with a conversation.

Patrick Mallory is a consultant to federal and state agencies for Deloitte.