Defining Cybersecurity Is The First Step

There is a lot of buzz about cybersecurity, with more news of data breaches and hacks every day. But to understand how to plan for potential cyber risk, we need a basic foundation of what cybersecurity means. Cybersecurity is a broad, overarching term that can have many definitions. Research in this rapidly developing field has monitored and evaluated scholarly and industry practices to create a proper definition. Cybersecurity includes protecting people, processes, and technologies through confidentiality, availability, and integrity. The National Institute of Standards and Technology (2016) defined cybersecurity as the “prevention of damage to, protection of, and restoration of computers, electronic communications systems, electronic communication services, wire communication, and electronic communication, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and nonrepudiation.” As technology advances, so does the definition of cybersecurity: “the approach and actions associated with security risk management processes followed by organizations and states to protect confidentiality, integrity, and availability of data and assets used in cyberspace. The concept includes guidelines, policies and collections of safeguards, technologies, tools and training to provide the best protection for the state of the cyber environment and its users” (Schatz & Wall, 2017, p. 66). Organizational culture, leadership, size, and industry can influence the perceptions and priorities of cybersecurity.

Cybersecurity touches every department across the organization, which may explain the broad definition. Without a clear definition, cybersecurity can cause organizational issues concerning strategies and objectives. Many small and medium-sized enterprises (SMEs) are challenged by a lack of resources to build definitions, plans, and ultimately a defense. The return on investment is often unknown to SME leaders, and that lack of knowledge leads them not to implement a strategy. Cybersecurity incorporates technology, events, strategies, processes, procedures, human interactions, and security. A cybersecurity culture starts at the top. The actions of leadership and the organizational culture determine the involvement and engagement of humans, strategies, and processes.

Cybersecurity as a field is advancing, often causing disagreements between the public and private sectors. There is a mixture of rules, regulations, and statutes regarding developing solutions to cyber-threat risks. For example, in the utilities sector, multiple federal, state, local, and private organizations are involved in some aspect of electric grid cybersecurity protection, regulation, or emergency response. Agencies include the Federal Energy Regulatory Commission (FERC), North American Electric Reliability Corporation (NERC), National Institute of Standards and Technology (NIST), Department of Homeland Security (DHS), Department of Energy (DOE), state public utility commissions, local utility boards, and others. Smaller organizations, strained by small IT teams and inadequate security budgets, are often at a significant disadvantage in dealing effectively with cyber threats.

Organizationally, using technology is no longer a competitive advantage but an essential part of conducting business today. As a business becomes more dependent on the internet, the potential for a cyberattack increases exponentially. SMEs are recognizing the role technology plays in their sustainability, and many leaders are realizing they are not alert to, and are potentially unprepared to handle, cyberattacks. In fact, 55% of small business owners feel that their current technology solutions are actually “a hindrance to incorporating or adopting new technologies.” A majority of small business owners (65%) feel that IT disruption will play a decisive factor in their tech spending decisions. Close to 75% of technology influencers in SMEs are concerned about IT disruption. SMEs are encouraged to utilize cybersecurity frameworks so that executives have a better understanding of the firm's overall security readiness and have a process in place to evaluate their technology strategy on a consistent basis. The evaluation process calls for closely monitoring and evaluating the organization’s cybersecurity culture, with the understanding that this process is constantly adapting and evolving to the rapidly changing technological environment. Cybersecurity includes protecting people, processes, and technologies through confidentiality, availability, and integrity. The key words to consider in the NIST definition are prevention, protection, restoration, availability, integrity, authentication, confidentiality, and nonrepudiation. Essentially, you should always practice the “trust but verify” methodology when it comes to risk mitigation. Developing, monitoring, and maintaining interactions through processes, people, and technology results in actions aligned with the definition of cybersecurity. If you need help taking the first step, our cybersecurity audit may be just what you need. Contact our team to learn more.