Questions Business Owners Should Ask About Cybersecurity

Events like the recent massive CDK ransomware attack, which shuttered car dealerships across the U.S. in late June 2024, should be enough to wake business owners up to the potential impact of cybersecurity attacks. Business owners want to know: Are we safe from attack? Are we continuing to improve our cybersecurity posture? Could our business survive a multi-day outage from an attack?

These are fair concerns. The question is how to answer them. Business owners think of IT systems as tools to help them achieve their business goals, and don't concern themselves with cybersecurity tools or attack methods. A communication gap between business leaders and their IT team can lead to misunderstandings, increased risk, and potentially devastating attacks. How can business leaders work effectively with IT to reduce cybersecurity risk to an acceptable level?

The Challenge

Despite the clear and pressing need for communication, recent research revealed a worrying disconnect between business leaders and IT teams. A high percentage of IT leaders report a lack of high-level influence, and a lack of access to business leaders. The research highlights the challenges in how business leaders work with their IT teams.

The Questions Business Leaders Should Be Asking

  1. How do I understand my cybersecurity risk? Start by performing a risk assessment. Identify your key IT assets and data sets, then ask objectively what the financial impact would be if those systems were down or if the data was unavailable or stolen. Also make sure you have a good understanding of your cyber insurance coverage as well as your third-party risks.
  2. How do I better communicate with my IT team? Whether you have outsourced IT or internal IT, communicating effectively with your IT team is essential. The IT team needs to understand the risk to the business so they can recommend the appropriate cybersecurity tools to help reduce the risk. Communicating with your IT team about business goals, financial results, and potential financial impacts discovered during risk assessments should lead to better alignment.
  3. What kind of reporting should I be receiving from my IT team? The old adage "trust but verify" certainly applies to your IT team. It's not enough for them to tell you, "We're protected." You'll need proof through reporting. Meet with your IT team at least quarterly and make sure you have the basics covered: endpoint protection status and Windows patching status. Then start asking more questions and asking for reporting around those questions. Build out a regular cadence and set of reports over time.
  4. How do I focus on what matters most? Business leaders have to be careful not to get down into the weeds when it comes to IT. Your best bet is to focus on the most critical business risks and make sure your IT team is aligned on those risks and addressing them strategically. Saying no to distractions so you can focus on high-impact initiatives allows you to optimize your organization's overall resilience.

Concerned about your cybersecurity risk? Reach out for a complimentary Cybersecurity Discovery Call to learn more about possible solutions.



The CDK ransomware attack indeed underscores the critical need for business owners to proactively engage in cybersecurity conversations. Understanding and assessing cybersecurity risks, maintaining open communication with IT teams, and demanding regular, detailed reports are essential steps
