Who Needs Cybersecurity Anyway?
The simplest and perhaps most obvious answer is that all organizations hold sensitive data that is valuable to cyber attackers. That’s why it’s critical that everyone – including the millions of small and medium businesses out there – take steps to improve their cybersecurity posture and reduce their risk.
Some critical sectors are in the limelight more often when it comes to cybersecurity, and for good reason.
Government and Critical Infrastructure
Cybersecurity is critical to the government and other organizations that directly affect the nation’s – or world’s – well-being and safety. Cyberattacks on government, military groups, and defense suppliers are starting to supplement or replace physical attacks, putting nations in danger. And recent ransomware attacks have left local governments crippled, unable to provide urgent and business-as-usual services.
In addition to the government, the 16 critical infrastructure sectors have many national security and safety implications. Cyberattacks on critical infrastructure sectors can be catastrophic, causing physical harm or severe disruption in services.
Companies Under Compliance and Regulations
Increasingly, cybersecurity isn’t just a recommendation – it’s the law. Many organizations operate under government or industry regulations that include a cybersecurity component. These standards ensure that companies take precautions to protect consumers’ data, and even sensitive government and military data, from cybersecurity threats.
Common compliance standards include:
- Defense Federal Acquisition Regulation Supplement (DFARS) for Department of Defense (DoD) contractors
- European Union (EU) General Data Protection Regulation (GDPR) for organizations that offer goods and services to EU citizens
- California Consumer Privacy Act (CCPA) for businesses that collect consumers’ personal information; it gives consumers more control over that information and provides guidance on how to implement the law
- Health Insurance Portability and Accountability Act (HIPAA) for companies working with healthcare data
- Payment Card Industry (PCI) for companies that accept, transmit, or store credit card data
And those are just a few examples – compliance requirements in some form affect many organizations. The financial penalties for non-compliance can be huge, and a violation can mean serious reputational damage and even loss of contracts.
Business to Business (B2B)
Remember the infamous Target breach back in 2014? Attackers were able to break into Target’s network through a vulnerability from their HVAC contractor. Cyber-savvy companies are beginning to recognize that businesses they work with are a type of insider threat. Their response to this is often requiring their vendors to complete third-party cybersecurity assessments, and failing to check the boxes can cost your business.
If your organization is considered a small to medium business, you may have larger clients starting to perform third-party risk assessments on their vendors (including you). This may include an assessment of your company and any digital or connected services and products you provide. They will assess their vendors’ cybersecurity posture and hygiene, then require the vendors to meet certain levels of cybersecurity – even if the smaller organization is not itself subject to regulations or compliance requirements. It’s simply becoming best practice, as larger organizations are working hard to protect themselves, knowing smaller organizations are at risk and can serve as the conduit for attackers.
In today’s world, it’s a rare company that doesn’t have a compelling reason to take cybersecurity seriously. Cybersecurity is a shared responsibility that goes beyond business or compliance because your security practices affect more than just your company. Each and every day, cybersecurity is moving from a “nice-to-have” to a “must-have”…for everyone.