According to a recent report from SIM IT Trends, many enterprise organizations are not doing all they can to protect themselves from online criminals and hackers. Forty-six percent of organizations don’t have a Chief Information Security Officer and only sixty percent of organizations require security training of all staff.

In order to make security a prominent part of an organization’s culture, someone with knowledge of and responsibility for security should be near the top of the org chart. They must be able to craft security policies and have the authority to implement them. Otherwise, it’s a certainty that other priorities will take precedence.

We wrote earlier this year about hyperbolic discounting and how it impacts security decision-making. One of the reasons organizations need to place security experts in positions of power is to counter the natural urge to postpone thinking about security until other priorities have been addressed. Without a firm hand, there never will be a time where security trumps user acquisition, marketing, and revenue-generating activities.

But having a security expert in the C-Suite isn’t enough. In a modern business, every employee interacts with information systems that, if misused, can lead to serious compromises of operational security and data privacy.

Phishing is a prominent example. As I write this article, the news media is full of stories about how the recent election was influenced by data leaked as the result of a phishing attack. The exact details will no doubt be revealed over time, but there’s no denying that a successful phishing attack can have a massive impact.

Unfortunately, without training and adequate incentives for employees, any organization that attracts the interest of online criminals is at risk of succumbing to a phishing attack.

All it takes is for an employee to absent-mindedly click a link in the wrong email and the company is wide-open to attack. The best way to deal with phishing emails is to filter them before they ever reach employees, but that only works if combined with training to make employees aware of the potential risks.

shadow-IT

Shadow IT was also a growing problem in 2016. Some employees will, even in the face of strict instructions to the contrary, seek out what they consider to be the best tools. They want to be productive and if the tools sanctioned by IT aren’t adequate, employees will seek alternatives.

In an era of ubiquitous mobile devices and cloud platforms, they don’t have to look far to find tools better than the bloated enterprise software sanctioned by the company.

IT professionals take their responsibility for privacy and security seriously, but they must be supported by the C-Suite and security-aware employees who can access secure cloud infrastructure and applications that enhance productivity.