Leveraging Technology Has Its Risks, But How Big Are They?

Modern businesses tend to rely heavily on technology to support their day-to-day activities and provide competitive advantages. Leveraging technology can be a great decision, but it can create additional risks that require proper management. Adopting a good cybersecurity risk management program will help you methodically identify risks so you can safely and securely exploit digital technologies.

There are 3 main principles of a cybersecurity risk management program:

1. Risk Analysis

2. Risk Assessment

3. Risk Mitigation

What is a Cybersecurity Risk Analysis?

A risk analysis is the process by which you identify and analyze potential threats in order to understand how vulnerable your organization is. Once you identify which risks are relevant to your business, a risk assessment focuses on the risks that both internal and external threats pose to your data availability, confidentiality, and integrity. Once you’ve analyzed your risks and assessed their potential impact, you can then build a risk mitigation strategy to prepare for and lessen the effects of these threats on your business.

4 Strategies To Mitigate Risk:

Avoid, Reduce, Transfer and Assume

1. Avoid

Some risks just aren’t worth taking on at all. There are many situations that could have associated risks that far outweigh the potential gain. In these cases, it makes the most sense to change your plans completely and avoid taking on such activities. Suppose you were starting up a white-water rafting company and couldn’t afford enough lifejackets for all your explorers. Would you selectively hand out the lifejackets to just the clumsy ones because they are the most likely to go for a swim? In the cyber world, this would be equivalent to starting an online store without a proper web application firewall. Although you may get away with it for a while, you just shouldn’t do it!

2. Reduce/Minimize

To reduce a risk does not necessarily mean to eliminate it. Many people view all risk as bad and believe you should avoid taking on any risk at all. However, taking no risk may mean losing out on opportunities and prevent you from maximizing your gains. You don’t want to eliminate all risk; you want to reduce it to a level that is acceptable for your company’s goals.

What remains after reduction is residual risk, and it exists in every business. For example, if you are in the lending business, you wouldn’t lend money to people without first doing a credit check. Skipping that check would be like allowing any computer onto your network without first validating its patch level and endpoint protection. This would expose you to all kinds of unwanted threats and increase your risk to unacceptable levels.

3. Transfer

A growing trend in risk mitigation is to transfer the risk to a third party via contract or policy. As companies rely more and more on contractors and vendors, transferring risk and liability has become much more common. Examples include outsourcing your cybersecurity program to a Managed Security Service Provider (MSSP) and purchasing Cyber Insurance from an insurance company. With breaches hitting the news on a regular basis, and countless others that never get reported to the media, purchasing Cyber Insurance is becoming a necessary part of doing business, much like purchasing home or auto insurance. You can’t predict and mitigate every threat, so insurance is a good way to protect your business against the cost of recovering from a cyber attack. The statistics say it will happen, so it’s best to be prepared! We recommend that you start with a Cyber Insurance Readiness Assessment before approaching an insurance provider.

4. Assume/Accept

When a risk is well understood, the cost or effort of protecting against it, mitigating it, or insuring it can far outweigh its likely impact. In these cases, accepting the risk may be your best option. However, you need a good understanding of the risk and of the potential impact if it is exploited.

This isn’t the residual risk discussed in the previous section. This is a deliberate choice to forgo any effort to address a particular risk, one that senior management has decided can be documented and assumed. As a cybersecurity manager, you will want to document this decision thoroughly and make sure you get a clear sign-off. All too often, the cost of reacting to a critical situation is far higher and more disruptive than anticipated. This could be the riskiest of the four options, and it could end up being the most expensive if you aren’t careful.

Every Business Has Its Risks…

Building a proper Cyber Risk Management program doesn’t have to be difficult or expensive. A good program will take into consideration your business goals, objectives and budgets. If you would like more information about protecting your business, please contact us for a consultation. We’re here to help!