Following major cybersecurity-related incidents, Microsoft has linked employee pay to cybersecurity. Employees will now need to record their contribution to cybersecurity as evidence of meeting the new employee evaluation criteria, which apply to technical, customer-facing, partner-facing, and other roles. Insufficient contributions to cybersecurity may affect promotions and compensation.
Linking cybersecurity to pay is an indication of the importance that is now attached to cybersecurity in promoting stakeholder value as employee compensation is usually aligned with business results to ensure the core objectives of an enterprise, as a profit-generating entity, are met. Cyberattack concerns are not hypothetical – it is established that cyberattacks can significantly impact financial results.
While linking cybersecurity to pay is a welcome step, enterprises must first ensure they have the appropriate physical, digital, and human infrastructure in place to ensure that employees will be able to have a positive impact on cybersecurity. I propose this action plan for businesses to create a cybersecurity-oriented operating environment.
Cybersecurity Action Plan
- Create a Comprehensive Cybersecurity Policy – The organisation’s approach to cybersecurity must not be vague or undefined, as most employees are not cybersecurity experts and will need to be made aware of what their obligations are with respect to business cyber protection. A cybersecurity policy that defines roles, responsibilities, and standards will help employees navigate their security obligations. The policy must stipulate penalties and the penalties must be enforced to avoid non-compliance
- Deploy Cybersecurity Infrastructure – Enterprises face a barrage of cyberattacks and employees will need to be supported by appropriate infrastructure to defend against such cyberattacks, similar to how security personnel who face physical attacks need protective gear. Enterprise cybersecurity infrastructure may include Endpoint Protection, Extended Detection and Response (XDR), Multi-Factor Authentication (MFA), Network Firewalls, Security Operations Centre (SOC), Zero Trust Network Access, Behavioural Analytics, Deception Technologies, or other cybersecurity solution depending on the organisation’s scale of operations, compliance obligations, geographical spread of operations, support for Bring Your Own Device (BYOD) or hybrid work, platform diversity, and other factors that impact cybersecurity
- Conduct Cybersecurity Assessments – Cybersecurity audits and assessments, which can range from focused assignments like firewall hardening to broader exercises such as Vulnerability Assessment and Penetration Testing (VAPT) and Red Teaming & Penetration Testing, help enterprises identify and close gaps in cyber defences before threat actors can exploit them. Such assessments will need to be conducted periodically as weaknesses in cyber defences may arise as the organisation’s IT infrastructure and cyberthreat landscape evolve
- Ensure Cybersecurity Compliance – The disruption and privacy violations caused by cyberattacks have resulted in cybersecurity and data privacy regulations and standards that are nation- and industry-specific, such as ISO 27001, ISO 27018, ISO 31000, ADHICS, GDPR, HIPAA, and NABIDH. Establishing a robust Governance, Risk, and Compliance practice within the enterprise will help maintain compliance across jurisdictions and avoid stringent penalties and brand impairment
- Implement Continuous Monitoring – Every digitally-enabled enterprise generates large volumes of data at high velocity, and that data represents digital risk. Maintaining the confidentiality, integrity, and availability of systems and information therefore requires a Defence-in-Depth strategy. Securing data and digital infrastructure is not a one-time activity; continuous monitoring, whether implemented through an in-house team or outsourced to experts, is required to identify threats and threat signals in real time and to continuously improve the organisation’s cybersecurity posture
- Backup Data – In a world where data is the new gold, it must be protected against intentional destruction (cyberattacks), accidental destruction (human error), and media destruction (hardware failure). Follow the 3-2-1 rule: Maintain 3 copies of data, stored on 2 types of media, with 1 copy maintained offsite. A data backup is useful only if it can be restored; periodically attempt data restoration to check how quickly and effectively the enterprise can recover from data destruction
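The last sentence of the backup point, that a backup is only useful if it can be restored, is the step most often skipped. The following added example (not K7's code and not part of the original post) shows what an automated restore drill can look like in Python: it archives a directory, restores the archive into a scratch location, and compares SHA-256 checksums of every file before and after. The sample files it creates are constructed stand-ins for business data, and the `simulate_corruption` switch is an assumption of the example used to show how a failed drill reports.

```python
"""Restore drill for the 3-2-1 rule's last step: prove a backup can be restored.

Added example (not K7's code). It writes a tar.gz of a directory, restores
the archive into a scratch directory, and compares SHA-256 checksums of
every file before and after. Sample data below is constructed for the demo.
"""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in 1 MiB chunks so large backups need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def create_backup(src: Path, archive: Path) -> dict:
    """Write src into a tar.gz and return the manifest taken at backup time."""
    manifest = build_manifest(src)
    with tarfile.open(archive, "w:gz") as tar:
        for child in sorted(src.iterdir()):
            tar.add(child, arcname=child.name)
    return manifest


def restore_backup(archive: Path, dest: Path) -> None:
    """Extract archive into dest, refusing any member that would escape dest."""
    dest = dest.resolve()
    with tarfile.open(archive, "r:gz") as tar:
        for member in tar.getmembers():
            target = (dest / member.name).resolve()
            if target != dest and dest not in target.parents:
                raise ValueError(f"unsafe path in archive: {member.name}")
        if hasattr(tarfile, "data_filter"):  # interpreters with extraction filters
            tar.extractall(dest, filter="data")
        else:                                # older interpreters
            tar.extractall(dest)


def compare_manifests(expected: dict, actual: dict) -> list:
    """Return relative paths that are missing from, or altered in, the restore."""
    return sorted(rel for rel, digest in expected.items() if actual.get(rel) != digest)


def run_restore_drill(src: Path, simulate_corruption: bool = False) -> dict:
    """Back up src, restore it, and report whether every file came back intact.

    simulate_corruption (assumed flag for the demo) overwrites one restored
    file to show what a failed drill looks like, e.g. a faulty backup medium.
    """
    with tempfile.TemporaryDirectory() as scratch_dir:
        scratch = Path(scratch_dir)
        archive = scratch / "backup.tar.gz"
        expected = create_backup(src, archive)

        restored = scratch / "restore"
        restored.mkdir()
        restore_backup(archive, restored)
        if simulate_corruption:
            first = next(iter(expected))
            (restored / first).write_bytes(b"\x00" * 16)

        mismatches = compare_manifests(expected, build_manifest(restored))
        return {
            "files": len(expected),
            "archive_bytes": archive.stat().st_size,
            "mismatches": mismatches,
            "passed": not mismatches,
        }


def make_sample_data(root: Path) -> None:
    """Constructed stand-in for business data (not real records)."""
    (root / "finance").mkdir(parents=True)
    (root / "finance" / "ledger.csv").write_text("date,amount\n2024-01-01,100\n")
    (root / "notes.txt").write_text("quarterly plan\n")


def demo_drill(simulate_corruption: bool = False) -> dict:
    """Create sample data in a temp directory and run the drill on it."""
    with tempfile.TemporaryDirectory() as data_dir:
        data = Path(data_dir) / "data"
        make_sample_data(data)
        return run_restore_drill(data, simulate_corruption)


if __name__ == "__main__":
    print("healthy drill :", demo_drill())
    print("corrupt drill :", demo_drill(simulate_corruption=True))
```

In a real drill the archive would be pulled from the offsite copy rather than written moments earlier, and the time the restore takes is the figure to record against the recovery objective; the checksum manifest is what lets the drill say "restored correctly" rather than merely "restored".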
- Prepare an Attack Mitigation Plan – Enterprises should assume that a cyberattack will be successful and prepare a plan to mitigate the impact of the attack which should cover technology measures, compliance, and communicating with internal and external stakeholders
- Provide Cybersecurity Training – Employees should receive periodic training that addresses the threats they are likely to encounter in the discharge of their responsibilities. All employees should receive training on cyber hygiene and spotting phishing attacks; IT teams should receive advanced training on maintaining cybersecurity; and decision makers should be trained on defending themselves against whaling attacks that are customised to target them
- Maintain Cyber Insurance – An insurance policy that covers cyberattacks can offset the losses incurred due to an attack, subject to exclusions in the policy. Insurance providers may stipulate cybersecurity requirements the enterprise will need to comply with to obtain insurance cover
Linking cybersecurity to pay is a good idea in principle, but execution is key to its success. Digital infrastructure is complex and therefore cybersecurity is complex. Employees are just one link in the cybersecurity chain and cannot be made responsible for cybersecurity without appropriate resources from their organisation. This action plan will ensure that employees are adequately supported to meet their cybersecurity obligations and can be financially incentivised to maintain digital security in the enterprise.
K7’s enterprise cybersecurity solutions help your organisation create a secure environment for business operations. Contact Us to learn more about how we enable businesses to pursue growth strategies without fearing cyberattack disruption.