Did you know that 66% of Small to Medium Businesses (SMBs) have experienced a cyberattack in the past 12 months? With SMBs facing increased, targeted, and harmful cyberattacks, we wanted to provide some useful guidance on this topic. We are presenting a two-part series reviewing how SMBs can reduce exposure to cyberattacks through Cybersecurity Risk Management. In part one, Brad Sprague, Leader of Account Management at Systems Engineering, reviews practical ways to address and measure risk.
Modern risk and how it has changed.
It is not uncommon these days to see major cybersecurity and disaster events happening right in our backyard. One recent event involved a local company in a ransomware attack. The cybercriminal deleted critical backup files then proceeded to encrypt the customer's data. The ransom demand was to pay many thousands of dollars to decrypt. In another local event, an organization experienced a major technology failure. This failure, along with persistent neglect of crucial backups lead to extensive amounts of critical data loss. Once a company encounters a major disaster event, the need for risk management is suddenly realized. Companies then reach out in despair for help. In many cases the risk could have been avoided or mitigated with proper planning.
Before the days of the cloud (pre-2008), risk was generally associated with a physical facility disaster like a fire, flood, or nor'easter. Since everything lived within the company's four walls (servers, files, applications, etc.), an event like a building fire could mean absolute devastation. To mitigate that risk, appropriate controls were put in place for the situation, such as off-site backup tapes (air-gap solution) and disaster recovery centers.
Now more than a decade into the cloud era, and we see that risks and disasters look very different for an organization. When we planned for disasters back in 2008, like fire or floods, the chances of that occurring were not highly likely. Today, the disasters we plan for are actually happening regularly in the business community. These highly disruptive events come in many different forms. We see identity theft, ransomware attacks, social engineering, and major internet outages impacting businesses of all sizes. On top of that, we're seeing state-sponsored actors and pandemics actively threatening businesses. The disasters look different, and the likelihood of one occurring is much higher than ever.
Framework to Approach Risk
At a high level, there are four ways we can approach and address risk. We must have a thorough understanding of the risk in question and the potential impact that it can have on our business.
1. Accept – Don’t do anything.
Decide it is an acceptable risk, but make that a fully informed decision.
2. Avoid – Eliminate risk.
For example, don’t allow remote access since it is too risky. You can also consider not getting into a particular line of business entirely, i.e., decide not engage with hospitals as customers because we find HIPAA regulations to be too costly and the risk of non-compliance to be too high. Risk avoidance is typically the most expensive path.
3. Transfer – Give risk to a willing 3rd party.
Transfer risk to another 3rd party (Payroll service, Cyber/E&O/GL Insurance) that only protects a specific data type. Be aware that you're not transferring all of your responsibility. You still have reputation risk if you have a breach, for example. This is where the idea of shared responsibility comes in. It is part of your due diligence to ensure the 3rd party provider is also doing their part to properly secure and backup data in the event of a failure or breach.
4. Reduce – Put technology controls in place.
This is where Systems Engineering prefers to focus. We find ways to enable companies to engage in the business that they want to and allow their employees to work in the most efficient and satisfying manner possible. To accomplish this, we leverage technologies, policies, and training that reduce the associated risk to an acceptable level.
How to Measure Acceptable Risk
Once you have established a framework to classify risks, it is necessary to explore your risks. Take inventory of all the disaster events you can think of, and rank them against business priorities. We put together a sample “Acceptable Risk” chart to outline what this type of exercise might look like in a typical organization.
This is an effective whiteboard exercise that can be done in-house to give each known risk a useful score. This scoring system gives management a way to look at acceptable risk and a way to logically address what needs attention. In our example, we listed out all potential cybersecurity risk events for a typical company. Then we weighed the likelihood of the event happening and the perceived impact the event would have on the company. Each event was given a score of 1-5, with 5 being the highest. Once listed out, a simple formula was applied to calculate the overall risk:
Risk = Likelihood x Impact
Click Template to Download PDF
Using an exercise like this is an essential first step to determining the individual risks within your company. We know that risks are always evolving, so doing an Acceptable Risk assessment should not be a one-time exercise. There may be risks that were not initially considered, or a major company procedure may have changed, since the last cybersecurity risk assessment (moving files from an on-premises server to the cloud). If you would like to try this exercise to assess your own company risks, we created a downloadable PDF template to use as a guide in your own whiteboarding session.
Once you calculate the risk scores for the individual events, you may feel a bit overwhelmed by the results. It is not an easy task to keep sight of what is important, and to know what to address and when. In part two of this series, we will walk you through a framework for addressing and reducing cybersecurity risks and vulnerabilities in your organization. Stay tuned!
If you have any questions on the process for identifying and rating your company risk, please reach out to your account manager, or email us at email@example.com.
Brad Sprague is the leader of Systems Engineering's Account Managers. For over 16 years, he has worked closely with clients to develop their strategic plans, multi-year budgets, and IT support plans.