The Urgent Need for Executive Involvement in Cybersecurity: A Perspective from an MSP Owner

The growing threat of cyberattacks on businesses of all sizes is undeniable. However, a critical issue lies in the often hands-off approach that many business leaders take towards cybersecurity. This lack of executive involvement exacerbates vulnerabilities, leaving companies exposed to significant risks. As an owner of a Managed Service Provider (MSP), I see firsthand the consequences of this disengagement and the urgent need for a paradigm shift in how cybersecurity is managed.

The Core Issue: Delegation Without Oversight

Too often, business owners delegate the responsibility of cybersecurity entirely to their IT departments, considering it a technical problem rather than a fundamental business risk. This mindset leads to inadequate prioritization and underfunding of necessary security measures. Cybersecurity must be viewed as a critical business function that requires active involvement from top-level executives to ensure comprehensive protection.

“Cybersecurity is not just a technology issue; it’s a business issue that requires top management’s attention and involvement. Delegating it entirely to IT can result in gaps and vulnerabilities.” – Richard Clarke, Former National Coordinator for Security, Infrastructure Protection, and Counterterrorism for the United States.

The MSP Owner’s Perspective

From my experience, prospective clients typically fall into one of two categories:

  1. Proactive Realization: A minority of business owners recognize the importance of cybersecurity and seek to address it proactively. These businesses understand that robust security measures are essential and engage with us before any incidents occur.
  2. Reactive Response: The majority of our engagements occur after a cyber incident, often a ransomware attack. By this point, the damage is done—business reputations are damaged, and clients’ personally identifiable information (PII) is compromised and circulating on the dark web. This reactive approach is far too late to mitigate the worst effects of a cyberattack.

The Critical Need for Business Owner Engagement

For meaningful change, business owners must be actively involved in cybersecurity discussions from the outset. The pervasive belief that “it won’t happen to us” is a dangerous myth. Many businesses think they are too small to be targeted, but the reality is they are simply too small to make headlines. In fact, small and medium-sized enterprises (SMEs) are often prime targets for cybercriminals precisely because of their perceived lack of robust security measures.

The Reality of Cyber Insurance and Incident Response

Many businesses rely on cyber insurance as a safety net, but this can create a false sense of security. In the event of a ransomware attack, improperly handled incident response—such as rebooting systems or attempting data restoration—can lead to insurance claims being denied. Forensic investigations may determine that critical evidence was destroyed, complicating or invalidating claims.

Moreover, the mishandling of a data breach can result in significant financial losses due to lawsuits from affected clients. It is crucial to not only have security measures in place but also to follow best practices diligently and maintain detailed documentation of all efforts. This includes regular backups, software patching, Microsoft 365 hardening, and engaging third-party security specialists.

Proactive Measures and Documentation

Even with the best security practices, no organization is immune to cyberattacks. If the National Security Agency (NSA) can be breached, any company can. However, having proof of due diligence—such as cybersecurity awareness training certificates for staff and well-documented policies and procedures—can make a substantial difference. These measures might not prevent an attack, but they can mitigate the fallout and demonstrate a commitment to cybersecurity, which is crucial for legal and insurance purposes.

Security Incident vs. Data Breach: Understanding Legal Implications and SEC Compliance

Understanding the difference between a security incident and a data breach is crucial for effective incident response and compliance:

  • Security Incident: This refers to any event that compromises the integrity, confidentiality, or availability of information assets. It includes a wide range of activities, such as attempts or successful unauthorized access, use, disclosure, modification, or destruction of data. Incidents may not always require public disclosure unless they escalate to breaches.
  • Data Breach: A data breach is a specific type of security incident that involves the confirmed disclosure of data to an unauthorized party. This confirmation triggers legal and regulatory obligations, such as notifying affected individuals, regulatory agencies, and possibly the media. For example, under the Health Insurance Portability and Accountability Act (HIPAA), covered entities must notify affected individuals of breaches involving protected health information (PHI). Similarly, the Gramm-Leach-Bliley Act (GLBA) mandates notification for breaches involving non-public personal information (NPI) held by financial institutions.

The Securities and Exchange Commission (SEC) has also implemented stringent disclosure requirements for publicly traded companies. According to the SEC’s new rules, companies must disclose material cybersecurity incidents on Form 8-K within four business days of determining their materiality. Material incidents are those that significantly affect a company’s financial condition, operations, or relationships with customers. The rules also require detailed annual disclosures about a company’s cybersecurity risk management and governance in its Form 10-K.

For SEC compliance, companies must establish clear protocols to evaluate the materiality of cybersecurity incidents. This involves considering both quantitative and qualitative factors, such as the incident’s nature, extent, and potential harm. Effective internal processes for detecting, reporting, and managing incidents are essential to meet these regulatory requirements.

Partnering Wisely

Partnering with knowledgeable cybersecurity experts who understand these nuances is essential. They can guide businesses through the complexities of incident response and help them prepare for the worst-case scenarios.

Conclusion

The cybersecurity leadership crisis is a wake-up call for businesses everywhere. As an MSP owner, I see firsthand the consequences of inadequate cybersecurity leadership. Business owners must take an active role in their organizations’ cybersecurity strategies, prioritize funding, and engage with knowledgeable partners. Only then can they hope to protect their businesses from the ever-growing threat of cyberattacks.
