Understanding Risk is the First Step to a Solid Cybersecurity Program

  • Nicole Heath
  • Nov 10, 2022
  • 3 min read

Vacations are said to provide amazing healing opportunities for stressed-out humans. You can walk down the beach and watch the sunset, or have one of those fruity beverages with the little umbrellas while your toes are in the sand. Or you could go on a heroic adventure saving the planet one miscreant at a time. Whichever suits your fancy, everyone nonetheless assesses the situation and makes a plan.


We don’t tend to walk on the beach when there is a hurricane coming in or if sharks have been spotted nearby. And we don’t go on heroic adventures if we can’t physically perform the actions that may be required of us to stay alive. Both decisions are examples of assessing risk: deciding whether the risk is acceptable, or whether we would rather have our hot toddy on the boardwalk. In the same way, it is important to deploy the appropriate protective control(s) based on the actual risk you are faced with.


The same concepts hold true in the digital business world. There is a wide variety of cybersecurity controls, such as firewalls, anti-virus agents and data encryption technologies that are designed to protect organizations from different types of cyber threats and vulnerabilities, but knowing which controls are right for you takes a little bit of planning.


Resources are limited. The time, money, and personnel needed to properly implement cybersecurity controls, train employees on how to use them, and then maintain those controls going forward force us to be selective about which controls we choose to deploy. The decision to implement protective measures against cybersecurity threats should be based entirely on an informed, acceptable level of overall risk. It is quite impossible to reduce the risks posed by cybersecurity threats if you do not have a clear understanding of your organization’s acceptable risk and where that risk might come from.


First – you must understand what some of the unique risk events are. In other words – what are the bad things that could happen because of the cyberthreats and unknown vulnerabilities that exist? Examples may include:

· An unsuspecting employee falls victim to a crafty phishing attack and accidentally downloads malware that then moves through the network, encrypts all data, and demands a ransom be paid in exchange for the decryption key, which isn’t guaranteed to work properly.

· A forgetful employee leaves their company laptop in a taxi never to be seen again.

· A hacker successfully gains access to a public-facing server after exploiting a previously known CVE and cracking the password using one of many tactics.


Second – you must clearly identify the likelihood of the risk event occurring. Consider industry trends, historical data (has this ever happened before?), existing controls already in place, and the unique business operations of your organization. For example – we stated above that an employee may lose their company laptop, but now we must challenge ourselves to determine how likely it is that this particular risk event will occur. An organization that has hundreds of travelling consultants is far more likely to have one of them lose a laptop than an organization that has employees operate out of a single office location.


Third – you must clearly understand both the tangible and intangible impacts to the organization should the risk event occur. Consider the health and safety of your employees and customers, the ability to continue conducting normal business operations, organization reputation, penalties or fines, and loss of revenue. Using the same example from above – how much money and time will be spent if an employee does lose that laptop?


Understanding what bad things could happen, how likely it is that they will happen, and how painful it will be to deal with are all integral pieces of knowledge to have before making a decision about what types of protective controls to spend your limited resources on. Remember, the goal is to reduce overall risk. Figure out what specific risk events are most likely to happen and will be extremely inconvenient for you to deal with. Then decide what protective controls you should put in place to be in the best possible position to prevent those risk events from occurring.
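The three steps above (list the risk events, rate how likely each is, rate how painful it would be) and the final prioritization can be written down as a small risk register. The following Python is an added example, not code from the original post or its author. It assumes 1-to-5 likelihood and impact scales, a "risk appetite" threshold, and a constructed register built from the post's three example events for a hypothetical firm with hundreds of travelling consultants; all control names and score values are assumptions chosen to illustrate the method.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Control:
    """An existing safeguard and how much it lowers each score (assumed model)."""
    name: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0


@dataclass
class RiskEvent:
    """One 'bad thing that could happen', scored on 1-5 scales (an assumption)."""
    name: str
    likelihood: int  # 1 = rare ... 5 = almost certain
    impact: int      # 1 = negligible ... 5 = severe
    controls: list = field(default_factory=list)

    def __post_init__(self):
        # Reject scores outside the scale so a typo cannot silently skew the ranking.
        for label, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if not 1 <= value <= 5:
                raise ValueError(f"{label} must be between 1 and 5, got {value}")

    def inherent_score(self) -> int:
        """Risk before any control is taken into account."""
        return self.likelihood * self.impact

    def residual_score(self) -> int:
        """Risk after the controls already in place; neither score drops below 1."""
        lik = max(1, self.likelihood - sum(c.likelihood_reduction for c in self.controls))
        imp = max(1, self.impact - sum(c.impact_reduction for c in self.controls))
        return lik * imp


def prioritize(register, appetite):
    """Rank events by residual risk and flag those still above the risk appetite."""
    ranked = sorted(register,
                    key=lambda e: (e.residual_score(), e.inherent_score()),
                    reverse=True)
    return [
        {
            "event": e.name,
            "inherent": e.inherent_score(),
            "residual": e.residual_score(),
            "treat": e.residual_score() > appetite,
        }
        for e in ranked
    ]


# Constructed register (sample data, not real assessment results). Note that
# some controls lower likelihood (training) and others lower impact (backups,
# encryption): a lost laptop is no less likely once its disk is encrypted, it
# is simply far less painful.
AWARENESS_TRAINING = Control("phishing awareness training", likelihood_reduction=1)
OFFLINE_BACKUPS = Control("tested offline backups", impact_reduction=2)
DISK_ENCRYPTION = Control("full-disk encryption", impact_reduction=2)
REMOTE_WIPE = Control("MDM remote wipe", impact_reduction=1)

SAMPLE_REGISTER = [
    RiskEvent("Phishing leads to ransomware", likelihood=4, impact=5,
              controls=[AWARENESS_TRAINING, OFFLINE_BACKUPS]),
    RiskEvent("Consultant leaves laptop in a taxi", likelihood=4, impact=4,
              controls=[DISK_ENCRYPTION, REMOTE_WIPE]),
    RiskEvent("Public-facing server exploited via known CVE and weak password",
              likelihood=3, impact=4, controls=[]),
]

RISK_APPETITE = 6  # highest residual score the firm accepts (assumed value)

if __name__ == "__main__":
    for row in prioritize(SAMPLE_REGISTER, RISK_APPETITE):
        flag = "TREAT" if row["treat"] else "accept"
        print(f'{row["residual"]:>2} (inherent {row["inherent"]:>2})  {flag:6}  {row["event"]}')
```

With these sample scores the unpatched public-facing server ends up at the top of the list even though its inherent score is the lowest of the three, because the other two events already have controls behind them. That is the point of separating inherent from residual risk: the next dollar should go where the residual risk is still above what the organization is willing to accept, not simply to the scariest headline.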


You should not have a hot toddy on the beach when a hurricane is coming in, even with an umbrella. Make sure the cybersecurity controls you invest in will address your actual risk.


To learn more about our Risk Assessment services contact us today.
