Let’s talk security. It’s everywhere, whether your business has 5 or 500 employees: encryption for your emails, surveillance cameras, or all the cloud services requiring multi-factor authentication. IT departments can’t get around it anymore, but it’s still a tough and complex conversation, especially when budget time comes.
People usually make buying decisions for one of two reasons: the purchase will either bring a great benefit or relieve a great pain. In the consumer world it’s pretty simple: yes, that new leather jacket will make you look like a rock star and 15 years younger! In the business world we call it return on investment: whatever you’re purchasing will help you make more or save more money, by making your team more efficient or more flexible, or your delivery faster.
Security is a tougher buy because it usually does neither. Some controls do foster efficiencies; with electronic access control, for example, you don’t have to change locks and cut new keys every time an employee leaves. But let’s face it, connecting to the VPN every time, re-entering your password again and again and then re-authenticating on your phone is not exactly a time-saver.
Security falls into the only other category we usually spend money on without making us more profitable: Mitigating risk.
This sounds theoretical, since the incident may or may not happen in the future, so it’s easy to ignore or put on the back burner. Unfortunately, the consequences can be severe, so assessing and mitigating risk to some degree is paramount for any organization that plans to be around long term. And the larger or more regulated the organization, the more process and resources are devoted to implementing security measures.
What gets really tough is when an organization is not quite at that stage but still has to take the risk conversation seriously. Some of it may lie with accounting, some with IT for cybersecurity, and some with maintenance when it comes to your premises. Each of these areas has a framework specific to its domain, and it is certainly advisable to partner with experts in the field to navigate it. Nex-Tech, for example, consults on the NIST framework and can take a deep dive into controls such as alarms, cameras, and access.
To get the conversation started, here are five simple steps to consider when evaluating risk.
- Define your threats, assets, and vulnerabilities, then look at where they overlap. That overlap is where your risk is. If one of your assets is a warehouse, for example, high employee turnover is a threat when you use a traditional keyed lock system, because former employees may still hold working keys. Ask yourself, “How would a threat actor most likely get in?” By answering that, you’ve just identified a vulnerability, and the combination is a pretty obvious area of risk.
Once you’ve listed areas of risk, determine the likelihood of each scenario actually happening. If you’re thinking about cybersecurity threats, there are a lot of different statistics out there; one commonly cited figure is that about 70% of SMBs have been subject to a successful cyberattack. You can also go off your own experience. Have you had any intrusion attempts, physical or cyber? Do you know what your employees’ click rate on a phishing campaign is? Here’s how you sign up for a free trial to find out.
- Next, take your most likely scenarios and look at impact. If something were to happen in those areas, what would the business impact be? Be specific and examine the various areas including loss of goods, loss of productivity, an inability to serve customers, or the leak of sensitive data be it customer, employee, or financial. Most security incidents impact organizations on multiple levels.
Spell out the damage as best as you can to help gauge the magnitude. Will you be down for a few hours or weeks? List what this will cost you in lost time and productivity, in potential fines, in lost revenue, and in recovery costs. Then, categorize the various events or risk areas into degrees of impact, from low to catastrophic.
- Once you’ve identified your key risk areas and their impact, look at what it would take either to limit the damage once an incident occurs or to prevent the incident in the first place. Keep in mind that no policy, technology, or tool will eliminate the risk; what it should do is lower the likelihood or the impact.
Gain clarity on what the tool, policy, or provision will actually do. Is it preventive or reactive? Surveillance cameras will not prevent vandalism, for example, but they may provide footage that helps your insurance claim. Determine whether a tool protects your network or your premises. Define what it will take to detect malicious activity once it has begun; industry reports consistently put the time between initial compromise and detection at weeks to months, so detection is not something to assume. What in your system will trigger a response to malware? Will the infected machine need to be isolated from the network, and who will do that? Understand that response usually requires human interaction, and an incident response plan defines ahead of time what that response should look like.
Finally, don’t forget about recovery: a solid backup solution that is tested regularly, with at least one copy that an attacker on your network cannot reach, is the most important tool.
- Alright, now is the time to examine everything you have and identify the gaps. Where are you in good shape, almost there, or not even started? Keep in mind that you’ve already prioritized by likelihood and impact, so it may be OK to have large gaps in some areas if they are simply not the focus at this point.
Start assigning short-, mid-, or long-term timelines and define the tasks that will fill the gaps. Not every tool is worth investing in: if, over the period in which you expect the incident to recur, it costs more to protect your organization than to manage the incident, you might reasonably choose to accept the risk.
A good starting point is improving policies and procedures, such as instituting an incident response plan. Next comes defining common IT best practices, documenting them, disseminating them, and enforcing them. If you outsource your IT, ask your provider; they should be able to deliver that. And remember, even though tools such as employee awareness training, EDR (endpoint detection and response), SIEM (security information and event management), or electronic access control may require longer-term planning and an investment, it is worth incorporating them into your budget cycle.
- Finally, after you have agreed with stakeholders on your risk tolerance, ensure it aligns with your strategic company and departmental goals and budgets. According to CSO Online, “If risk tolerance isn’t defined, it’s hard for management to determine how they should invest in tools or resources to secure the organization.” (CSO Online, May 2019, Business Risk Tolerance).
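The five steps above, carried through on a small constructed risk register as an added example (this is illustration code, not a Nex-Tech tool or anything from the original article). The 1-to-5 likelihood and impact scales, the band thresholds, and every asset, frequency and dollar figure are assumptions chosen to show the mechanics: score and rank each risk, estimate what it costs per year to do nothing, and apply the rule that a control is only funded if it avoids more loss than it costs.

```python
"""Tiny risk register walking through the five steps above.

All assets, threats, frequencies, dollar amounts and controls are constructed
sample data for illustration; none of them are statistics from the article.
"""
from dataclasses import dataclass

# Step 2 (likelihood) and step 3 (impact), each on an assumed 1-5 ordinal scale.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"low": 1, "moderate": 2, "high": 3, "severe": 4, "catastrophic": 5}


@dataclass
class Risk:
    # Step 1: the overlap of an asset, a threat and a vulnerability.
    asset: str
    threat: str
    vulnerability: str
    # Steps 2 and 3: qualitative ratings used for ranking.
    likelihood: str
    impact: str
    # Quantitative inputs for the cost comparison in step 5 (assumed figures).
    incidents_per_year: float      # how often the scenario is expected to occur
    loss_per_incident: float       # dollars per occurrence: downtime, fines, recovery
    # Step 4: the candidate control and what it does.
    control: str
    control_cost_per_year: float   # dollars per year to buy and run the control
    loss_reduction: float          # fraction of expected loss the control removes, 0..1

    def score(self) -> int:
        """Ordinal risk score: likelihood x impact, 1..25."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def band(self) -> str:
        """Bucket the score into low .. critical (assumed thresholds)."""
        s = self.score()
        if s >= 15:
            return "critical"
        if s >= 10:
            return "high"
        if s >= 5:
            return "medium"
        return "low"

    def annual_loss_expectancy(self) -> float:
        """Expected cost per year of doing nothing about this risk."""
        return self.incidents_per_year * self.loss_per_incident

    def avoided_loss(self) -> float:
        """Expected loss per year the control is assumed to remove."""
        return self.annual_loss_expectancy() * self.loss_reduction

    def control_is_worth_it(self) -> bool:
        """Step 5 rule: fund the control only if it avoids more loss than it costs."""
        return self.avoided_loss() > self.control_cost_per_year


def prioritise(register):
    """Step 5 ordering: highest score first, ties broken by expected annual loss."""
    return sorted(register,
                  key=lambda r: (r.score(), r.annual_loss_expectancy()),
                  reverse=True)


def plan(register):
    """Rows of (asset, band, decision) for the stakeholder conversation."""
    rows = []
    for r in prioritise(register):
        if r.control_is_worth_it():
            decision = f"fund: {r.control}"
        else:
            decision = "accept (control costs more than the loss it avoids)"
        rows.append((r.asset, r.band(), decision))
    return rows


# Constructed sample register; every number here is an assumption.
SAMPLE_REGISTER = [
    Risk("warehouse", "departed employee re-enters", "keyed locks, high turnover",
         "likely", "moderate", 0.5, 20_000, "electronic access control", 3_000, 0.9),
    Risk("file server", "ransomware via phishing", "no EDR, untested backups",
         "possible", "severe", 0.2, 150_000, "EDR plus tested offline backups", 12_000, 0.7),
    Risk("parking lot", "vandalism", "unlit and unfenced",
         "unlikely", "low", 0.1, 2_000, "surveillance cameras", 1_500, 0.3),
]

if __name__ == "__main__":
    for asset, band, decision in plan(SAMPLE_REGISTER):
        print(f"{asset:12} {band:8} {decision}")
```

With these assumed figures the ransomware scenario ranks first (score 12, high band) and both it and the warehouse control are funded, while the cameras for the parking lot are rejected: with an expected loss of only $200 a year and a control that cannot prevent the vandalism, they cost far more than they save, which is exactly the "take the risk" outcome described above. The model is deliberately simple; it ignores risks that compound and fines that are not proportional to frequency, so treat the numbers as a conversation starter rather than an answer.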
Take a ransomware attack, for example. Backups may get your data back, but they do nothing about disclosure: if the attackers also post the stolen information online, the company faces potentially hefty fines from regulators coupled with a loss of client trust. Athens Orthopedic is still involved in a lawsuit following a 2016 breach: https://healthitsecurity.com/news/georgia-revives-patient-breach-lawsuit-against-athens-orthopedic.
Know where your risk lies and how to address it – let’s talk today!