
Who is responsible for cybersecurity in a company?

Blog

Emily Keeling

Posted Sep 10, 2024

At Techcare, we’re often talking about cybersecurity. Discussing the biggest risks, how to spot cyberattacks, or how to protect yourself - but who are these articles aimed at? Most of the time, the articles are useful for any role in a business. Everyone should be able to spot a phishing email, and everyone should know the importance of cybersecurity solutions. But who is responsible for ensuring a company is protected from cyberattacks? From cybersecurity training to implementing endpoint protection and anti-virus software – someone needs to take responsibility and accountability to protect the business.

The answer is tricky – it depends on the size and nature of the business. But here’s a run-down of the different options for cybersecurity responsibility.

Who is responsible for cybersecurity?

Business Owner

In a small business, there might not be an IT department at all, either outsourced or internal. In this case, the Business Owner is usually responsible for managing the technology and is therefore responsible for cybersecurity. For a start-up or micro business this is the norm, but it isn't sustainable. In time, the business either outsources its IT to a company like Techcare or hires an IT Manager.

Technology Partner

If the Business Owner opts for outsourced IT, then that Technology Partner takes on the responsibility for cybersecurity. Whilst the decision maker chooses which products and services they will pay for, the Technology Partner is responsible for ensuring the solutions in place are working as expected, to minimise breaches. In short, the Technology Partner doesn't have the final say in the level of protection, but they are accountable for the effectiveness of the solutions in place.

IT Manager

In other cases, a business has an IT Manager. Usually this is a small to medium business, rather than a micro business. The responsibility for cybersecurity is then passed from the Business Owner to the IT Manager. The business may keep all of its solutions in-house, or opt for co-managed support. In either case, the IT Manager typically becomes responsible for deciding on the level of cybersecurity protection, the solutions that are in place, and whether a third party will take on some of the responsibility.

The Wider Team

It’s important to stress that, while IT departments or external partners may handle the technical side of cybersecurity, all employees have a role to play in keeping the company safe. Cybersecurity training gives employees the knowledge to recognise phishing attempts and social engineering attacks, and to follow best-practice advice on strong passwords and MFA. This means that all employees, regardless of their role, can be vigilant and proactive about security. This is especially important for roles such as Finance or Marketing that must adhere to stringent rules like GDPR, and for industries that handle sensitive data, such as education or healthcare.

In summary, a mix of people share the responsibility for cybersecurity in a business. Business decision makers have the final say on the overall level of protection and on the solutions in place. If there is an outsourced Technology Partner or an internal IT Manager, they ensure that the solutions in place are actually protecting the business.

For larger-scale businesses, the IT department expands. There may be a CIO or CISO in place to head up the overall IT strategy, or Risk Managers, Data Protection Officers, Cybersecurity Managers, etc., to break down the responsibilities even further.