Do you think you’re prepared to prevent or respond to a cyber attack?
Louis Pasteur once famously said, “chance favors the prepared mind.” According to the FBI’s recently released 2018 Internet Crime Report, cybercrime cost businesses $2.7 billion in 2018. Many victims probably thought they had things under control. They were obviously wrong. Why is that? What can you do to avoid becoming a statistic?
First: Know the Risk of a Cyber Attack (Don’t Ignore It!)
Managing risk first requires an accurate picture of what the risk is. Many people stumble here because they don’t fully understand cyber risk. They think cybersecurity is somebody else’s problem. They aren’t a target. It can’t happen to them.
The truth is that ignoring the risk makes it impossible to manage. It’s the worst thing you can do and the quickest way to becoming a statistic. You can’t change what you don’t acknowledge.
The first thing to understand is that all organizations using any technology have a cybersecurity risk. The challenge is to obtain and maintain an understanding of what your particular exposure is. It is essential to understand what threats you face and how likely they are to impact you. It may be worthwhile to pay for external expertise or hire the right skills into the organization to determine your security posture.
Then: Manage the Risk of a Cyber Attack
Once you’ve correctly defined the risk, you can take action to avoid it, accept it, transfer it, or mitigate it.
Avoid the risk
Avoiding risk sometimes makes sense. You recognize the risk exists and are not ignoring its impact, but instead, you take logical steps to avoid it. For example, continuing to run a system which is beyond its supported end of life is risky because you cannot patch it. Choosing a policy to only operate supported systems in production is a way to avoid this risk.
Transfer the risk
Transferring risk is an option for certain situations where it is feasible to move a risk or impact to somebody else. Cyber insurance is the most common example of this. While an organization with cyber insurance must still manage its own risk, you transfer the impact of a realized cyber risk (e.g., a cyber incident) to an insurance company.
Mitigate the risk
Mitigating cyber risk is what most people think of when they try to define what cybersecurity is. They think of things like firewalls, antivirus, intrusion detection, etc. Mitigating cyber risk involves implementing controls which reduce risk to acceptable levels. Two of the most common errors people make are misunderstanding how much risk a given control will reduce, and improperly assessing whether or not it is actually working. This is where it pays to have cyber expertise to assist you. A false sense of preparedness can result when either one of these errors occurs, particularly for more critical controls.
Accept the risk
Accepting risk is something all organizations must do to some extent. The simple reason is that it is impossible to eliminate all cyber risk. Risk acceptance is only effective to the degree you understand the level of risk you’re accepting, as well as what your risk tolerance is. You generally determine your risk tolerance when performing a cost-to-benefit analysis of a particular risk mitigation strategy. It’s the place you end up when you’ve decided what you’re willing to do or spend to achieve risk reduction.
Key Takeaways for Businesses
To keep your organization from becoming a statistic, the most important thing you can do is to think about cybersecurity strategically. Understand your security posture and create a risk management plan. If you don’t have confidence in your assessment, you can always seek outside expertise to assist you or validate your approach. Recognize that your security posture is dynamic. Controls can quickly become ineffective if there aren’t checks and balances to make sure they stay in place.
Lastly, plan for the worst case. If cyber incidents do occur, think through how you would respond. How would your organization contain a technical threat? What do you tell your customers? Do you have disclosure requirements? The quickest way to becoming a statistic is to wait until it’s too late. Remember, chance favors the prepared mind.