Andy Hague


Today, work is no longer limited to the confines of the office. We work at home and on the go, on company-owned devices and our own computers and smartphones. On top of this, the systems we access through these devices are no longer limited to company premises. We use cloud-based solutions every day, from simple hosted email to sophisticated cloud-native tools, including marketing automation, analytics and AI tools. While such applications bring productivity benefits, they also have a significant impact on how we attribute responsibility for cybersecurity.

Out of their hands

Security used to be a key function of the IT team’s role. But diversification of platforms and devices has eroded this department’s ability to control the use of digital technology in the business.

Hybrid and multi-cloud arrangements have complicated most business infrastructures, spreading vulnerable data across multiple environments. Flexible working and bring-your-own-device schemes have resulted in staff using this data across multiple distributed locations, and accessing it through unfamiliar networks.

And then there’s the growing collection of shadow IT systems in most businesses, of which IT usually has little knowledge. Spending on shadow IT will double over the next four years, hitting nearly $500 billion in 2023, according to predictions by IDC.

With much of IT infrastructure out of the hands of the IT department, there’s little they can do to defend it against cybercrime. Instead, as staff increasingly use independent and off-premises services, security has become the responsibility of all individuals.

Weak points in the chain

Let’s look at email, the most commonly used cloud-hosted service, as an example. According to Barracuda Networks, 80% of businesses in EMEA have experienced an email-based security attack in the past year, and 78% of these say the cost of these attacks is increasing.

But what can the IT team do to mitigate this risk? With most email now hosted, stored and managed in a public cloud environment, the IT team can only do so much to secure these services.

This lack of control only compounds the problem of poor email security practices amongst end-users. Common mistakes, such as sending and receiving Personally Identifiable Information (PII) like names, addresses and bank details via email, or not double-checking suspicious-looking emails, could expose not only that user’s account, but the entire business.

Leading cultural change

Wider cultural change is vital to keeping organisations safe against these modern threats. Business culture tends to start from the top. Yet senior executives and board-level directors generally consider digital security to be the remit of the IT department, and often tend to flout their own data rules.

According to a recent survey, 61% of IT professionals complain that senior executives expect more lenient policies for themselves, and most say this has resulted in an increased number of cybersecurity incidents. This can have a severe knock-on effect for the wider culture. After all, if the boss doesn’t think it’s important, why should I spend time doing it?

To create a culture of cybersecurity throughout the organisation, senior executives must lead by example by taking ownership of IT security best practice in their day-to-day behaviour. Once this has been communicated across the board, it can be promoted as part of a standardised corporate security policy.

For decades, IT has been a powerful first line of defence against an increasingly hostile online world. But modern IT infrastructures and working patterns mean there is only so much the IT team can do to keep the business safe. Now, it’s everyone’s responsibility.

To learn more about overlooked cyber threats in business, and how to promote a culture of cybersecurity throughout your organisation, read our whitepaper: ‘Are you the weakest link? How senior executives can avoid breaking the cybersecurity chain.’
