October 2021 – William Prohn, Dopkins System Consultants Managing Director, recently served as a guest author for Business First of Buffalo.
Is that IT? Many business owners and decision makers I talk to about cybersecurity tell me “My IT takes care of that.” While that MAY be true, there are a whole lot of reasons why that may NOT be true. There are a lot of very competent IT people out there, and many of them are very concerned about cybersecurity, both personally and in their workplace. Cybersecurity is not IT. IT (Information Technology) plays a BIG role in cybersecurity, but the typical perception of IT is much more about the “T” than the “I.” The value lies in the information: its use to its owner and its attraction to hackers and other bad guys. The technology is the tool to process and store the valuable information. There are several reasons why cybersecurity and IT are not the same.
Enablement versus Security
The typical role of IT is to enable business activity through efficiencies and connectivity. While availability of information is a key tenet of cybersecurity, unfettered availability can be the enemy of security. Security controls can easily be perceived by users as obstacles to accomplishing goals, causing them to be resented and circumvented. When faced with a hostile co-worker trying to do their job, some IT professionals will opt for less pushback and less security.
One Size does not fit all
The most valuable part of technology is its universality. You and I can share emails, documents and transactions because the Internet and most business tools are standardized. IT professionals select technology to be standard and interchangeable, and most are well versed in the workings of the leading tools (Microsoft, Cisco, etc.). However, cybersecurity is not standardized. The threats that businesses face vary depending on the technology, and the risks are unique to a business.
Risk is in the Eye of the Beholder
While IT can and should assist in identifying cyber threats that a business may face, the impact of those threats (loss of revenue, market share, reputation, etc.) is usually above the pay grade of most in IT. Cyber risk, like other business risks, needs to be understood, evaluated and responded to by senior management and the Board of Directors.
People are the Weakest Link
Over 90% of data breaches and other cyber incidents are caused by human error: either an honest mistake or a user being tricked through social engineering. IT’s focus is typically on the machine, NOT the user. User awareness training and employee policies are typically HR’s domain, not IT’s.
The Cloud and other Outliers
In today’s world of cloud apps which are easily obtained by anyone with a credit card, the traditional role of IT can be significantly diluted. IT’s historical place as the guardian of an organization’s information and technology may be non-existent when users store their files in cloud-based solutions such as Google Docs, and HR directly administers its own system through ADP, Paychex or other Software-as-a-Service (SaaS) providers. IT may not even know what systems are being used or where critical and sensitive information is stored.
In this “new normal” of hybrid working environments there is a much greater likelihood of employees adopting “shadow IT” such as personal devices and cloud solutions to try to effectively accomplish their jobs in an unfamiliar and often stressful environment. At the very least, working from home may present IT with many new environments in which they are trying their best to enable business activity and maintain control of information and processes.
None of this means that IT can’t handle cybersecurity. Building a cybersecurity culture in an organization has to live somewhere, and IT is as good a place for it as HR. But cybersecurity is not IT. Cybersecurity needs a company-wide focus. Often, IT has neither company-wide responsibility nor a security focus. To be secure, an organization can’t simply assume that IT takes care of cybersecurity. Security needs input and involvement from the Board, senior management, HR, department heads, IT and end users. Cybersecurity is critical, but cybersecurity is not IT.
For more information, contact William Prohn at firstname.lastname@example.org.
In honor of Cybersecurity Awareness month, Bill’s article accompanied a panel discussion and in-depth Business First article.
About the Author
William Prohn CISSP, CISA, CGEIT, CRISC, CMMC-AB RP
Bill oversees all aspects of information technology for the firm, and provides consulting services to a wide spectrum of Dopkins’ clients. He has over 30 years of experience in accounting and business information systems. His specific interests include creating meaningful, practical management information using computer technologies, and the security of business information and systems.