Cyber risk management: Navigating an unpredictable business environment
Subscriber Benefit
As a subscriber you can listen to articles at work, in the car, or while you work out. Subscribe Now
According to a recent report on CNBC, 66% of small companies have had a data breach in the last 12 months. The average cost of a data breach for a small company is $149k (App River), and a National Institute of Standards and Technology study found that 88% of small business owners believe their business is vulnerable to a cyber attack. To add insult to injury, according to a CYREBRO analysis, 81% of phishing attacks in the last year were targeted at SMBs.
Instituting predictable cyber risk management strategies involving people, process, and technology can help mitigate cyber risk. Cyber risk covers a broad spectrum of concerns. The truth about this unpredictability incorporates unprecedented or constantly changing events, volatility in the stock market, along with major technological, economic, and social disruptions. All of this leads to cybersecurity risks, which is a growing concern for all companies.
To address these concerns, an important distinction should be made between “compliance” and “absence of cyber risk”. What we know is that many business leaders — particularly in small and medium-sized businesses with limited resources — tend to mistakenly assume that being cybersecurity compliant is the same as being secure. Not so.
SOC 2 and or ISO 27001 compliance depends upon several factors and this process is difficult to navigate. Having cyber risk management measures in place can make all the difference. Yet even if a business has no need or desire for a SOC 2 or ISO certification they should absolutely still institute a solid cyber risk management program starting with a comprehensive cyber risk assessment. Compliance is only one piece of a comprehensive security plan.
Taking an integrated approach to cyber risk management looks like this: first you must understand your risk factors, work to mitigate them, and transfer the residual risk. All of these tasks are performed simultaneously and continuously.
Risk transfer, as previously mentioned, is implemented by purchasing an appropriate cyber insurance policy. Simply because an organization has purchased a cyber insurance policy does not necessarily mean that the specific coverage is fully understood or that mitigation strategies are in place. Cyber insurance can be confusing and it helps to have the policy coverage “translated to English, please” helps. Many small businesses don’t think they are at risk and won’t experience a cyber attack.
According to Cybercrime magazine (yes, this is a market large enough to support its very own media publication), 60% of small businesses shut their doors within six months of experiencing a cyber crime. This is a sobering statistic. And here’s another one: 80% of small businesses do not have cyber insurance.
How do businesses improve their odds for survival? The answer is by improving overall management of operational risks throughout their organization and understanding that cyber risk is business risk.
With cyber risk management, we look at your organization’s assets, threats, and vulnerabilities. What are you trying to protect from loss? Who would like to steal or destroy your assets and why? Where are your attack vectors and “unlocked doors”?
The bottom line of an overall assessment equals your cumulative risk, which is the severity of impact multiplied by the likelihood of an event. We then prioritize your risks and mitigate them, systematically. Each organization benefits by transferring residual risk to a cyber insurance policy.
Governance and risk management, and compliance, or GRC, is a series of processes to support overall organizational objectives. Taking a more holistic approach to GRC in general and cyber risk management, in particular, enables an organization to be more effective as a true business partner to small and medium-sized businesses and a responsible contributor to overall business goals.
Organizations benefit from an integrated cyber risk management approach, providing assurance to board and senior management that a GRC system is effective and high performing. This is a shift towards a continuous improvement-oriented , proactive function instead of a reactive one.
By proactively managing GRC, an organization may produce clear insights into its vulnerabilities and while knowing how to prioritize action items to mitigate cyber risk. This comprehensive cyber risk management approach gains a competitive edge and ultimately earns more business by paving the way for more collaborative relationships among stakeholders.
Cyber risk is business risk. Fortunately, the tools and processes exist to guide a healthy and robust GRC strategy, enabling success, instead of failure, when it comes to cyber risk management.
Jim Goldman is CEO & Co-founder of Trava Security and is a former FBI cyber crimes task force officer.