Every organization faces risks. Corporate risks come in many forms: financial, operational and security, many with a human element. Identifying and managing those risks, especially cybersecurity risks, may not be the most exciting part of running your business, but it is one of the most important from both a reputation and financial perspective.
Before going any further, let's define risk. A risk is the potential for loss, damage or destruction of an asset, including your reputation, as a result of a threat exploiting a vulnerability. For example, a thief (threat) could use an unlocked door (vulnerability) to steal inventory (asset) from your organization.
Your company's cybersecurity strategy should be a process of managing cyber risks to an acceptable level. Managing that level of risk will require that countermeasures be taken at all levels in order to reduce the overall risk, transfer the risk or avoid the risk completely. Measures may include implementing a new firewall, developing a backup strategy or implementing employee awareness training.
Risk management, along with your overall corporate cybersecurity strategic planning, should start at the executive level and include support from the top of the organization. Every person's appetite for risk is different, so the CEO should be comfortable with the level of risk being taken in the cybersecurity strategy. In too many cases, cybersecurity and risk management are not connected and only become a priority following a breach.
A cybersecurity strategy and its implementation are the methods that a company undertakes to manage its risk. Some companies install a firewall or a password policy because a manager heard about it at an industry conference. The truth is they are good ideas and every company should implement those ideas. However, they should be implemented only because they are part of the risk management strategy of reducing vulnerabilities and addressing threats to your company.
Consider a person who has an auto accident because the person wasn't paying attention. Immediately, the individual becomes very conscious of driving properly and ensuring no distractions. However, as weeks and months start to pass, the person will likely go back to the same activities that caused the accident in the first place. Security and risk management are similar in that organizations don't pay attention to planning until a breach occurs.
Risk management should not be a one-time activity. It should be established with the help of senior leadership and cybersecurity experts and should involve continuous review and oversight of the risk management and cybersecurity strategy. As an example, due to a company's regular review of risk, it may choose to outsource its accounting or email systems or upgrade its prevention tools on its network.
Perhaps the greatest strength of a company is also its greatest risk to security. The human factor, meaning a company's employees, is virtually always the greatest risk that a company will face and perhaps the one most overlooked. Immediately, most people will read that and say "I trust my employees" or "I know my employees and they wouldn't do that."
No one is saying your employees aren't trustworthy. Frankly, you would know better than me. They are still a huge risk. In a recent survey, about 35 percent of data breaches were attributed to human error or negligence. With the annual cost of data breaches up over $400 billion globally, that is a significant potential impact to your business.
It doesn't mean your employees are bad people. It means that we all make mistakes and that your employees may not completely understand technology and cybersecurity. A focus of every cybersecurity strategy should be on the human factor, working to impact the behaviors of your company's people.
For example, ransomware is a recent threat seen by many companies, where data gets encrypted and held by bad actors until you pay up for the decryption key. In nearly all of those incidents, the ransomware infected a company because someone clicked a link in an email or on a webpage. The email may have looked like it came from a legitimate source, but the end result was a large expense to the company. With employee training, the employee may have thought twice before clicking the link in the email.
Employees within an organization can truly be the boots on the ground for managing risks and improving the cybersecurity posture of a company. Employee awareness and education cannot be about trying to get employees in trouble, but there may be some of that later. You must eliminate that fear by allowing training to only be an opportunity to learn more about security.
These topics and more will be discussed at the annual Security Matters conference on April 9 in the Murray State University Curris Center, hosted by Murray State University's Center for TSM and Community Financial Services Bank. If you are a technology professional, a small business owner or just someone interested in learning more about these topics, please make plans to attend this free conference. The conference will run from 8:30 a.m. to 1:30 p.m. with a luncheon to conclude the day. You can register and learn more at www.podsecuritymatters.com.
Michael Ramage is the director of the Center for Telecommunications Systems Management (CTSM) at Murray State University. He can be reached at email@example.com or 270-809-3987 for more information.