Managing and Investing in Your Company's Cybersecurity

As a continuation to the previous Business Leadership Series on cybersecurity, Scott Shackelford and Aswin Unnikrishnan presented on “Managing and Investing in Your Company’s Cybersecurity.”

It is estimated that 90% of successful breaches use the most basic techniques, including social engineering. In addition, most cyberattacks are not discovered immediately. In fact, 85% of cyberattacks take an average of 5 months for an organization to find.

Scott suggests that the key to managing cyberattacks is from the bottom up by exposing technical vulnerabilities: hardware, protocols, code, users.

Aswin Unnikrishnan agreed with Scott and also added that SMEs can take 7 critical steps:

  1. define business goals
  2. perform security risk assessment
  3. identify the current security maturity and gaps
  4. review top 10 client contracts to understand the security requirements
  5. engage with information security consultants to identify relevant compliances and standards
  6. determine the security maturity to be achieved
  7. define a roadmap to achieve desired security maturity

In addition, Aswin stressed the importance of training employees, security risk assessment, and obtaining a managed security service provider.

Both speakers agree that its beneficial for small businesses to invest in cyber risk insurance because of business loss, penalty and damages, litigation cost, and loss of goodwill. While an attack cannot be prevented, precaution helps reduce the impact. Moreover, the increasing cost of breaches is expected to be 6 trillion in 2021. The amount of insurance a business should obtain depends on the tools used and the size of the organization and the model adopted. For example, healthcare and finance are two critical industries that need to carefully evaluate their cybersecurity and insurance.

While the US has some state laws related to cybersecurity including State Data Breach Notification Laws, State Data Security Laws, State Disposal Laws, State anti-hacking laws, this is not sufficient on its own. Businesses should practice private-sector cybersecurity best practices. These include being proactive and investing in built-in cybersecurity best practices from the inception of a project. These 3 best practices include encryption and sophisticated technology, investments in cyber security, and a strong organizational structure. This reduces the risk of a cyberattack by 85%.


Scott Shackelford
Cybersecurity Program Chair, Associate Professor of Business Law and Ethics Kelly School of Business, Indiana University
Aswin Unnikrishnan
Head of Cybersecurity Operations Paramount Software Solutions, Inc