Who Needs Cybersecurity Anyway?
The simplest, and perhaps most obvious, answer is that every organization holds sensitive data that is valuable to attackers. That is why it is critical that everyone, including the millions of small and medium businesses out there, take steps to improve their security posture and reduce their risk.
Some critical sectors are in the limelight more often when it comes to cybersecurity, and for good reason.
Government and Critical Infrastructure
Cybersecurity is crucial for government and other organizations that directly affect the nation’s, or the world’s, wellbeing and safety. Cyberattacks on governments, military groups and defense suppliers are starting to supplement or replace physical attacks, putting nations in danger. Recent ransomware attacks have left local governments crippled, unable to provide either urgent or business-as-usual services.
In addition to government, the 16 critical infrastructure sectors carry many national security and safety implications. Cyberattacks on critical infrastructure can be catastrophic, causing physical harm or severe disruption of services.
Companies Under Compliance and Regulations
Increasingly, cybersecurity isn’t just a suggestion; it’s the law. Many organizations operate under government or industry regulations that include a cybersecurity component. These standards require companies to take precautions to protect consumers’ data, and in some cases sensitive government and military data, from cybersecurity threats.
Common compliance standards include:
- Defense Federal Acquisition Regulation Supplement (DFARS) for Department of Defense (DoD) contractors
- European Union (EU) General Data Protection Regulation (GDPR) for organizations that offer goods and services to EU citizens
- Health Insurance Portability and Accountability Act (HIPAA) for companies working with healthcare data
- Payment Card Industry Data Security Standard (PCI DSS) for companies that accept, transmit, or store credit card data
And those are just a few examples; compliance requirements in some form affect many organizations. The financial penalties for non-compliance can be huge, and a violation can mean serious reputation damage and even loss of contracts.
Business to Business (B2B)
If your business is a small to medium enterprise, your larger clients may be starting to perform third-party risk assessments on their vendors, which includes you. This may cover your company as well as any electronic or connected products you provide. They ask about their vendors’ cybersecurity posture and hygiene, then require them to meet certain levels of cybersecurity, even if the smaller organization is not itself subject to any regulation or compliance requirement. This is simply becoming best practice: larger organizations are working hard to protect themselves, knowing that smaller organizations are at risk and can serve as the conduit for attackers into the larger organization.
Remember the infamous Target breach back in 2014? Attackers were able to break into Target’s network through a vulnerability originating with their HVAC contractor. Enterprise companies, and increasingly cyber-savvy smaller companies, are beginning to recognize that the businesses they work with are a type of insider threat. Their response is often to require vendors to complete third-party cybersecurity assessments, and failing to check the boxes can cost your business.
In today’s world, it’s the rare company that doesn’t have a compelling reason to take cybersecurity seriously. Cybersecurity is a shared responsibility that goes beyond business or compliance, because your security practices affect more than just your company. Every day, cybersecurity is moving from a “nice-to-have” to a “must-have”, for everyone.