January 2017 – Getting Management Buy-in for Cyber Security

For any business, the benefits of a robust information security plan go way beyond the IT department. But for a security plan to be effective, the co-operation of staff at all levels is essential. Achieving this is easier said than done, with other priorities and lack of communication often proving to be stubborn barriers.

To ensure staff buy-in, management must be seen to fully support an information security plan and this can be a tough obstacle to overcome. Finding the best way to justify a security plan in the face of objections can be a challenge, but being prepared with the facts about the risks and benefits will be a big advantage.

So how do you get management to recognise information security as a priority amongst other commitments such as sales and marketing, finance and operations? The best approach is to make them appreciate that security applies to all areas of a business.These are just some examples of possible scenarios and objections.

Sales and Marketing
If a sales person mislays an unencrypted laptop or USB stick which contains sales strategies or incentives, this information could be exploited. A competitor could use this data to gain an advantage in the marketplace, potentially resulting in lost projects and revenue. A security programme will limit the exposure to data breaches of this nature.USB unauthorised access

A common objection is that having a security programme doesn’t drive sales. However a thorough, sustained security programme will attract new customers who need secure business practices, providing a competitive advantage.

Company sensitive information or funds being stolen would directly impact the company’s ability to operate as usual. A business that is unable to pay employees and suppliers will founder quickly.

Cost can be an issue to management, but compare the value of a security programme against the cost of loss of financial data or funds and there is a clear victor. No-one wants to see their business fail, especially when preventative measures are available.

For day to day operations, intellectual property including templates and company policies, need to be protected. The challenge is to balance data confidentiality with accessibility for business processes.

Customer data is also an issue as this will ordinarily be stored either as hard copy and/or electronically. If this data was lost or stolen, the impact on both customers and the business could be devastating, with loss of customer confidence, possible legal action, investigations and fines.

Information is a valuable corporate asset and must be treated as such. While management might question the benefits of complying with information security standards, the expense for non-compliance could be far greater. The savings in terms of audit findings and evidence of good practice are significant.

The potential damage to reputation that data loss could cause is extensive. Should the media become involved any negative headlines will inevitably affect the public’s perception of the company. For example negative comments on social media can instantly impact a brand without full details being understood. This alone can be extremely hard to recover from.

Ultimately, company accounts consist of both profits and losses. Whilst a security programme may not always generate additional profits, the reduction in losses can be considerable. Additionally, a security programme provides reassurance that will make it easier for management to sleep at night.