These days, businesses collect and store an astonishing amount of data. This includes personal information about employees, customers, business partners, and suppliers.
Where once you would guard these literal stacks of data with a key or code, today the issue is much more complex. Any device used by any member of your company – be it a smartphone, tablet, laptop or desktop PC – could be the chink in your digital armour that allows a cyberattacker to penetrate your defences.
According to the government's Cyber Security Breaches Survey 2022, one in four UK businesses have reported cyberattacks this year. Of those, around a third of businesses and a fifth of charities reported that the cyberattack in question had a negative impact on their operations.
The obvious negative consequences of cyberattacks are a loss of money and a loss of data. The same survey reports that, for medium and large businesses, the average estimated cost of a cyberattack this year is £19,400.
But as well as money and data loss, cyberattacks cost companies another valuable asset: time.
In the aftermath of an attack, valuable staff time has to be redirected towards patching up the security breach, which reduces productivity. On top of that, a data leak can bruise a company's reputation.
Time, money, data, reputation – all of these are at risk if your company doesn't have proper security safeguards in place.
But whose responsibility is it?
A commonly held belief in the business world is that company policies are the responsibility of specific individuals or departments. In the event of a cyberattack, surely the obvious culprit is the IT department?
While the IT department is responsible for providing technical support, it is not, in fact, the owner or monitor of cybersecurity policies. These come from the top. IT is there to facilitate security, not to police it.
So if IT isn't to blame in the event of a cyberattack, who is?
The answer is everyone. And the reason is that anybody who's part of a company's network can be the weak link in the chain. No matter your role within the company, if you have a device, you can be targeted – and so it's on you to stay safe.
This is the case whether your company invites you to BYOD (bring your own device – an increasingly popular choice), or issues you with a device. Each employee, from top to bottom, needs to stay alert to avoid being exploited by cyber attackers.
Cyber hygiene
Of course, this vigilance is only possible if there's a culture of cyber hygiene within a company.
Yes, a central plank of this is ensuring that software and firmware are kept up to date, and this is something that falls under the IT department's purview. But without keeping staff up to date about cybersecurity, these top-down measures won't be enough.
Hackers thrive on a basic lack of knowledge. It's this that enables them to trick people into clicking malicious links that can compromise an entire company. Because of this, training is essential to keep everyone on the same page. Everyone needs to know who to contact – and what information to share – in the event of a cyberattack.
A culture of cyber hygiene could be characterised as one of healthy suspicion – a workplace where employees are equipped with the knowledge they need to smell a rat. Putting the onus on a single department is reassuringly straightforward, but it won't help build an environment where that healthy suspicion is fostered and cyber hygiene prioritised.
Cyber hygiene covers everything from clicking links in emails to accepting unverified "friend requests" on social media, and from passwords to WiFi security.
A few examples
Let's take passwords as an example. By now, most of us are aware that passwords should be "strong", and we know what that means. But if a colleague does decide to put their name or the year of their birth as a password, you can understand why the IT department would be reluctant to take the blame.
A more complex example is phishing. This is the most common form of cyberattack, where an attacker dupes you into disclosing information under false pretences. A massive 83% of cyberattacks in the UK this year took the form of phishing.
Once you know what to look out for, phishing emails can be relatively easy to spot – a clear example of how training can keep you safe. But once trained, it's on the individual to be cautious about opening dodgy emails.
Then there's the issue of WiFi security. Public WiFi is like the wireless Wild West. Employees should always log on to a secure home network, and ideally should be provided with a VPN (virtual private network). This encrypts and anonymises data, keeping the flow of information within a company secure.
As with our previous examples, it's not one department's responsibility to ensure that everyone in the company avoids public WiFi. Rather, there is a shared responsibility to inform, facilitate, and act.
The bottom line
It's difficult to talk about cybersecurity without sounding like we're trying to scare you. But the danger lies not only in the frequency of attacks and their very real consequences – it also lies in the fact that all it takes is one person to compromise an entire business.
Everybody is responsible for your company's cybersecurity policy, but that needn't be a cause for alarm. We can help.
Our cybersecurity software helps protect from 98.5% of all cyberattacks, without the need for hefty financial investments or on-site expertise. While it's not a replacement for a healthy culture of vigilance, it can help you identify weak points and fix them before the worst happens.
And if that's not enough, we can also deliver tech tips straight to your inbox. Interested? Then sign up for our Knowledge Hub mailing list.
Contact Us
Yoozoom
Unit 8
Gemini Business Park
Sheepscar Way
Leeds
LS7 3JB
Company Number: 07618108
VAT Number: GB11304662
Yoozoom Technologies Limited T/A Yoozoom