Fighting the cybersecurity battle

Cybersecurity: all employees can play their part

Effective cybersecurity management is an enterprise-wide responsibility. I spend a lot of time talking to members of boards and C-suites around the world about how their organisations deal with cybersecurity risks. The most common question I get asked is: “What should my company do about its cybersecurity?”

There are three things that I recommend every organisation does, without delay:

1. Get an assessment of your current state, ideally by an external third party, though it can be done by internal staff so long as they are open-minded, encouraged and empowered to find the truth.

2. Train your entire staff (from the board to the janitor) to be aware of cybersecurity and the part that each individual plays in protecting the company.

3. Ensure that all your projects factor in time for cybersecurity and risk mitigation strategies.

It is important to note that these are not sequential steps; if your organisation has the resources, they can be run in parallel.

Conduct a current state assessment

Many smaller organisations suffer from the belief that their company is not at risk. Cybercriminals are not that discerning. There is a similar belief in larger companies, except that they are confident they will be well enough protected even if they are attacked or end up on a cyberattacker’s list.

Unfortunately, the evidence contradicts this line of thinking. I was part of a panel last year, sitting alongside the FBI and the SEC (Securities and Exchange Commission). The FBI quoted an interesting statistic: on average, hackers spend over 200 days inside an organisation’s systems before they are discovered.

Robert Mueller, director at the FBI, said back in 2012: “I am convinced that there are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.”

Conducting a current state assessment helps an organisation recognise where it is strong and where it needs to improve. It also helps to deploy resources to priority areas, not just to where the organisation has a particular skill or knowledge.

Raise awareness

Helping your staff understand even the basics of cybersecurity, and how they can play an active part in protecting the organisation, makes a big difference. It contributes extra pairs of eyes and ears to help the organisation spot details that are out of place or unusual. It also helps ensure that staff do not become unwitting accomplices in giving hackers access to information that helps the criminals pursue their objectives.

Such awareness training has a personal advantage for the staff as well, as the mechanisms used to attack companies are very often similar to those used to target individuals and steal their identities.

Projects are critical

This point seems to surprise some people, who expect that my third recommendation would be to introduce extra technology that will protect their company and save the day. It is counter-intuitive in a way: we think that information technology is the problem, so technology must be the solution. But the fact is that projects — initiated by good old-fashioned people — are an important part of your organisation’s cybersecurity defences.

The logic behind this is that the areas where change is being introduced to your organisation are the places and times where a hacker may be able to take advantage. Change can have unexpected results, because computer systems and human processes are complex.

To mitigate these risks, it is critical that projects and programmes (irrespective of their size or their deliverables) include time to assess and ensure that they have no unintended impacts on:

• Information security

• Cybersecurity

• Business continuity

• Disaster recovery

• Data quality

We are all in this together. From the CEO to the newly joined graduate intern we can all play a vital role in helping organisations to keep a careful lookout for the cyberpirates.

Darren Wray is the chief executive officer of Fifth Step and has more than 25 years of IT and management experience within the Financial Services and other sectors. Fifth Step operates globally from its offices in Bermuda, London and New York, providing IT leadership, change management and governance services to executives and senior managers within insurance, investment, legal and banking organisations of all sizes.