Cyber risk management has become a top-of-mind issue for organizations worldwide. Cyber security and data protection have bombarded their way into the boardroom – and they’re there to stay as companies battle an ever-changing landscape of cyber exposures.
But what if your organization doesn’t have a C-suite and a boardroom? What if you don’t have a chief information security officer (CISO), or any staff with any security expertise? Insurance Business caught up with Matt Palmer, CISO at Willis Towers Watson, to get some cyber security tips for smaller organizations without the luxuries of capital, enterprise scalability and cyber expertise.
“There are great opportunities that come with being a large organization like Willis Towers Watson, because we’re able to scale up and deliver enterprise-wide security solutions. However, that’s a tremendous luxury that not everybody has. Even companies of a fairly significant size (with maybe 10,000 employees) will struggle sometimes to deploy enterprise-grade security capabilities,” said Palmer.
“Smaller enterprises need to take a slightly different approach. The most important thing is for them not to view cyber security purely as a technology issue and outsource it to a chief information officer (CIO) or to a third-party service provider. Whatever the size of the organization, the accountability should begin and end at the board.”
There are lots of strict rules and regulations worldwide around cyber security and data management. According to Palmer, smaller organizations that view regulation as an “overwhelming overhead” will find it disrupts their ability to do business. Rather, every company should view regulations as “sensible and common sense” guidelines that assist companies with their everyday business and grant them protection for the data and information they hold, he said.
“It’s important not to view legislation as the enemy or something separate to security. Instead, legislation should play a part in boosting a company’s understanding of what their security priorities should be and how they should manage their data,” Palmer added. “At the end of the day, most security really boils down to getting the basics right, as opposed to buying complicated and expensive technologies.
“If an organization operates high quality processes, understands what they’re doing with data, and has decent protection in place, then they’re off to a good start. If they can’t complement that with internal security expertise, they can always look externally. Even a large company like Willis Towers Watson will outsource some of its security expertise and monitoring. Smaller organizations can do that just as easily as we can.”