We're not responsible for cybersecurity - 15 Dangerous Cybersecurity Myths - Day 3

Hello there. Did you know that small businesses are extremely vulnerable to attack from cybercriminals right now and that most don't survive for more than six months after a cyber incident?

John Byrne here, entrepreneur, insurance professional, online educator, and founder of Surviving Cyber. My goal is to help small business owners and managers like you get to grips with this complex subject of cyber risk.

15 Dangerous Cybersecurity Myths

You may be struggling now, to clearly see the big picture but once you separate the myth from the truth, you can begin to significantly reduce your risk over the next 15 days through this series, I'm going to walk you through "15 Dangerous Cybersecurity Myths You Probably Believe". I'll explain the thinking behind each myth, why it's dangerous to believe it, and the truth you need to hear so that your small business can stay safe.

Now, before we dive in, I want to give you access to my free cyber resilience workshop. It's a 60-minute video workshop that will show you how to create your first survival plan for your small business in 30 days. It's full of practical tips that you can implement. If you don't already have access, use the link survivingcyber.com/workshop to register now.

 Myth Number 3 - We're not responsible for cybersecurity

Now today, we're going to explore Myth number three: "We're not responsible for cybersecurity ". I hope you're ready to dive in. I'm John Byrne, and this is "15 Dangerous Cybersecurity Myths You Probably Believe.

So welcome to Myth number three: We're not responsible for cybersecurity. Now, this is a view you often hear expressed, particularly by small business owners. It revolves around a lack of familiarity with the topic and a sense of concern that the people are not well equipped to deal with this problem.

  1.  I often hear business people say, "I'm a member of the Board of Directors or a member of the management team, a senior person. I can't be expected to manage cyber risk because it's beyond my area of expertise". There's clearly a desire here not to deal with the topic and a desire to stay within areas that are within the competence of the person. Boards of Directors, of course, manage companies and all of their risks but there can often be a desire to have cybersecurity and cyber risk fall within the remit of somebody else
  2.  If we follow that logic, we often hear things like, "Well, cyber risk is really for the “nerds” in the IT department or the “IT guy” to handle. It's the IT guy’s responsibility to manage our cyber risk and it's his problem or it's their problem." This view is often expressed in a variety of different ways and it's the same view whether it's an internal IT person or an external IT person we're talking about. Again, it's a desire to have somebody else take responsibility.
  3. I often hear professional service firms say: "We've outsourced this responsibility to an external IT service provider or a managed service provider. So, it's his problem now. I've done my bit; I've found somebody to outsource the problem to". Clearly, all of these views are going in the same direction, a desire to hold somebody other than ourselves responsible for cybersecurity and cyber risk.

A Dangerous Myth

This is a dangerous myth because it's ignoring the fact that the legal responsibilities of the people who run the business include management of all business risks and accounting for all business risks, including cyber risk. Legally, cyber risk is no different to any other risk and the management team, especially the board of directors, are legally responsible to manage all risks of the business.

This thinking seeks to push responsibility to somebody else, generally, an IT-focused person, and it's dangerous because it ignores legal realities, it ignores the stewardship role that the Board of Directors and senior managers have in any business.

Truth Number 3  -  The Board of Directors is responsible in company law to manage all company risks, including cyber risk.

 The truth behind this myth is that the board of directors is responsible in company law to manage all company risks, including cyber risk and cyber is a business-critical boardroom issue. So, the entire thinking that cyber risk is really just an IT issue, and IT people should be dealing with it, is mistaken.

  1. Day-to-day activity can be delegated to an internal or an external source. But legal responsibility can't be delegated. The Board of Directors owns the cybersecurity risk, along with every other risk of the business. And as we've said, cyber is a business-critical boardroom issue. The Board needs to be empowered to confidently manage cyber risk. One of the ways that this will be evidenced would be the fact that cyber is being regularly discussed at Board meetings, and that the Board of Directors is asking for and receiving some form of presentation on the risk by whoever has day-to-day responsibility for the activity.
  2.  Relying on an external IT provider to manage day-to-day activity may be a sensible option and a lot of firms do take this route. But it shouldn't be done blindly. The Board needs to satisfy itself, that whichever third party they use has the appropriate cybersecurity skills and knowledge to provide an adequate service to the company. Now, this can be done without members of the Board becoming cybersecurity experts. This is about managing risk, not about IT.  And so, a Board of Directors can take steps to see if their external IT provider can convince them that they are in fact capable of managing cyber risk and that they will be able to provide them with the services they need in the event of a crisis. The Board needs to satisfy itself that the third party has the appropriate skills and knowledge to provide adequate service to the company. This is the responsibility of the top people.
  3. And finally, the Board needs to ensure that it's discharging its legal responsibilities to manage all the risks of the business. And this is something that it can do by establishing the cybersecurity framework, by setting the strategy and by holding management accountable for implementation. Now, in a small business, of course, there may be minimum difference between the Board of Directors and the management and employees. In fact, quite often, these are all the same people. But the principle applies, nonetheless. It is the responsibility of whoever runs the business to establish a framework, however primitive, to establish a strategy to deal with cyber risk and to hold themselves accountable for implementing that strategy.

 And so, Truth Number three is: "The board of directors is responsible in company law to manage all company risks, including cyber risk, which is a business-critical boardroom issue".

Free Cyber Resilience Workshop

Thanks so much for reading today's post. I hope you found it helpful in exploding this myth and revealing the truth. Don't forget to register for the video workshop using the link survivingcyber.com/workshop. I hope to see you tomorrow as we dive deeper into "15 Dangerous Cybersecurity Myths You Probably Believe" so we can uncover the truth of how to keep your small business safe.