Security Awareness — Not Just an IT and Compliance Responsibility

Marisa Polowitz

Associate Editor

Loyola University Chicago School of Law, JD/MPP 2023

Since the start of 2021, cyber-attacks have dominated headlines across every industry. From governments and government organizations, healthcare companies, and banks, to gaming companies and oil pipelines, ransomware has impacted organizations of all types and sizes. The scale and scope of these attacks have continued to grow and have far reaching consequences. Despite current agency attempts to strengthen cybersecurity through regulation, individual users continue to pose a serious threat due to insufficient security education.  

Who is responsible for protecting an organization from cyber-attacks?

Traditionally considered the domain of information technology (“IT”), security of the data collected and/or stored by an organization has expanded far beyond IT and well into the concerns of those on the business side. Privacy, security, and compliance have become inextricably intertwined with regular business. While an organization’s IT security department can, and should, build robust technical protections to secure data, a daily, recurring, and grave risk to security arises from a system’s users.

Social engineering, an attack leveraging human interaction to gain entry to an organization or its systems, relies on the actions of what is often the weakest point in a security program – the individual. Ransomware is commonly delivered via the social engineering tactic of phishing emails. While the Federal Bureau of Investigation (“FBI”) noted a substantial rise in ransomware attacks since 2016, 2020 and 2021 have shown an unprecedented increase in the frequency, scale, and impacts of ransomware attacks. In 2020 alone, ransomware losses were estimated at over $29.1 million. Victims of phishing attacks (and their voicemail/phone/text counterparts) numbered over 240,000.

The National Institute of Standards and Technology (“NIST”) created cybersecurity guidance for industries such as healthcare, financial services and banking, retail, and architecture/engineering. These organizations are strongly encouraged to provide regular security education for all employees, system users, and anyone accessing the organization’s network. Traditionally, the organizational training necessary to satisfy regulatory requirements has been the responsibility of compliance departments, while IT security has long been viewed as solely within the domain of IT departments.

Technology is fully integrated into business functions

As more elements of daily life are completed online, organizations have more to protect, and systems are becoming increasingly vulnerable to cyber-attacks. The days of security awareness as purely a compliance and IT concern are over. The cybersecurity threat no longer pertains only to credit card data and protected health information – entire electrical grids, hospital systems, and other essential services rely on the security of technological systems. As evidenced in the Colonial Pipeline hack, amongst other examples, if a tool is connected to the internet, it’s vulnerable.

Bad security education practices have impacts far beyond the IT department – a lack of security awareness can cause major real-world issues. Along with an increase in ransomware attacks, the average demand amount has increased as well. Colonial Pipeline paid over $5 million in ransom, while the meat-packing company JBS paid $11 million in ransom after a ransomware attack forced it to close facilities. The cascading impacts of cybercrime have prompted the federal government to respond. The US Senate put forth a bill requiring both public and private entities to report security breaches within twenty-four hours and included penalty increases against cybercriminals in its infrastructure package. The White House issued an Executive Order focusing on improving cybersecurity across the U.S. The message is clear: cybersecurity has become everyone’s issue. A proactive response to that call is expansive and robust, and increases attention to cybersecurity awareness across all sectors.

Owning the responsibility of meaningful stewardship

Education systems, oil pipelines, electric companies, healthcare providers, governments – virtually every sector is internet-dependent, and therefore every sector is vulnerable. Each individual user within a network poses a potential threat to the system’s security and should in turn be considered a steward of that system. Through the lens of meaningful stewardship, individuals accessing an organization’s network should be required to complete security awareness training, and those with access to sensitive systems or tools should be required to complete awareness programming commensurate with the risk presented by that access.

To improve cybersecurity across all sectors, organizations must acknowledge that security is no longer solely the domain of the IT team, nor is security education strictly a compliance responsibility. Everyone at every level of an organization should receive education in responsible internet hygiene. Ultimately, security awareness education must become a high business priority, and the responsibility of keeping systems secure must be shouldered by everyone, at every level.