Cybersecurity Is Everyone’s Business

Key Takeaways

  • Enterprise Accountability: Cybersecurity must be treated as a core business risk, with executive leadership and the board responsible for governance, oversight, and adequate resource allocation.
  • Communication & Oversight: Siloing cybersecurity within IT leads to poor communication, limited understanding of business risks, and underinvestment in critical protections.
  • Security Culture: Building a strong security culture helps prevent insider threats through continuous employee training, behavioral monitoring, and accountability at all levels.
  • Vendor Risk Management: Third-party vendors often pose significant cybersecurity risks – organizations need thorough due diligence, strong contractual security clauses, and ongoing monitoring to mitigate exposure.
  • Proactive Defense: Implementing zero-trust principles and supply chain threat modeling helps identify vulnerabilities early and strengthen protection against complex, large-scale attacks.

Every organization’s future depends on treating cybersecurity as an enterprise responsibility, not just an issue that the IT department needs to deal with. Cybersecurity incidents do not just stem from technology. This article will discuss the organizational behaviors that increase the risk of a cybersecurity incident and strategies to reduce those risks.

Assigning Cybersecurity to the IT Silo

Common Conditions

Cybersecurity headlines often emphasize malware, phishing, and zero-day vulnerabilities. What they do not highlight are the human and organizational factors that led to the incident. As a result, organizations relegate cybersecurity to IT. Because only IT is held accountable, organizational communication and understanding of the business risks are generally poor. The outcome is inadequate investment in cybersecurity and limited executive understanding of their own accountability and the need for oversight.

Strategy to Mitigate this Risk

Treat cybersecurity as a high priority business risk. Make executive management and the board responsible for oversight. Include cybersecurity as a key line item for governance and risk management functions within the organization. Allocate resources to cybersecurity and hold the entire enterprise accountable. Require reporting on cybersecurity risk areas and understand if those risks are adequately mitigated.

Security Culture

Common Conditions

Lack of a security culture increases an organization’s exposure to insider risk. According to the 2025 Ponemon Insider Threat Report, “the cost of insider risks continues to rise.” The Ponemon report breaks down the cost of insider threats by risk profile.

The Ponemon report highlights the human factors that contribute to the rising cost of insider threats. These include insufficient employee training, as well as employees’ lack of understanding of, or compliance with, the organization’s requirements for security, handling of confidential data, and keeping patches and upgrades current.

Strategy to Mitigate these Risks

Establish an insider threat program that addresses both the human and the technical contributors to insider threat management. Key components of the program include:

  • Designate a senior official responsible for implementing and overseeing the program, and make them accountable for reporting to the oversight body.
  • Leverage human resources records related to ongoing patterns of disgruntled behavior and conflicts with coworkers and other colleagues. Evidence shows that insider crimes are often preceded by nontechnical behaviors in the workplace.
  • Provide insider threat awareness training to employees. Stress the consequences of behaviors that may result in a breach. Train the employees to identify and report red flags that may result in a breach.
  • Conduct host-based user monitoring of individual employee activities, both physical and digital.
  • Conduct self-assessments of insider threat posture.
  • Consolidate monitoring and use AI-driven tools to support the analysis of the monitoring and surveillance data.

Third Party Vendor Management

Common Conditions

Third parties are frequently the weak link that results in a breach. Two recent examples:

Leidos Data Breach: In November 2022, Diligent Corp notified Leidos Holdings, a major DoD contractor, that data it hosted for Leidos had been stolen. The cause was vulnerabilities in platforms operated by Diligent Corp, a third-party vendor used by Leidos for internal investigations and case management. The breach exposed documents submitted via Leidos’ Enterprise Case Management System (ECMS), which is used by non-IT staff such as compliance officers, HR personnel, and internal investigators. These documents included personal information and potentially sensitive project details related to Pentagon contracts.

SolarWinds Software Supply Chain Attack: This attack impacted 425 of the U.S. Fortune 500 companies, the top ten U.S. telecommunications companies, the top five U.S. accounting firms, all branches of the U.S. Military, the Pentagon, the State Department, and hundreds of universities and colleges worldwide. Key recommendations from the Center for Internet Security (CIS) emphasize the human components of the breach. They include: 1) remind users not to visit untrusted websites or follow links from unknown sources, 2) educate users on the threats posed by hypertext links or attachments, 3) apply least privilege to all systems and services, and 4) always run software as a non-privileged user.

Strategy to Mitigate these Risks

Third-party data breaches are not mitigated by the technology an organization has deployed within its own boundaries. This risk requires a robust vendor management due diligence and monitoring program. In addition, it is important to include contractual security obligations and breach notification clauses in vendor agreements.

Supply chain attacks, as demonstrated by the SolarWinds breach, are difficult to prevent because they exploit trust relationships, such as communication channels and update mechanisms. Supply chain threat modeling is one way an organization can proactively assess these risks and take steps to prevent attacks. Where risks are identified, consider applying zero-trust principles to applications and servers, as well as to the user base.

Summary

Today’s sophisticated cybersecurity threats, from ransomware to supply chain breaches, target not just systems but entire business operations. If cybersecurity is still siloed within an organization’s IT department, it is time to evolve. Protecting an organization in today’s digital landscape requires broad leadership engagement, enterprise-wide policies, and shared responsibility across every function.

For more information on cybersecurity, please reach out to Partner David Hammarberg or Director Elaine Nissley.

About the Author

Elaine Nissley

Elaine is a Director with McKonly & Asbury. Her primary responsibilities include management of the Cybersecurity Maturity Model Certification (CMMC) Assessment group where she handles business development and client relations…
