4 Steps to Assess & Mitigate Cyber Security Risks

As more and more resources are dedicated to cybersecurity and breach prevention, bad actors are increasingly diverting their hacking activity towards smaller businesses: soft targets that are easily accessible, more vulnerable, and relatively unprotected. So it’s important to understand and manage your cyber risks before your business is compromised.

As a business owner or leader in an organization, you may not be aware of what happens to the information your employees, customers, vendors, and suppliers have access to.  It’s likely you may not even be able to state with confidence where your most important data is held – whether it’s onsite on servers and desktops, in the cloud, on mobile devices, or even flash drives.  So where do you start?

1. Identifying, documenting, and communicating asset vulnerabilities

The first step in your cybersecurity risk assessment should be to determine and understand what makes your business attractive to cybercriminals and where your main vulnerabilities exist.  More often than not, customer data is likely to be your biggest commodity at risk.

Ensure you have a thorough IT asset inventory documenting all hardware, operating systems, and applications in use, and start with some basic questions, such as: “What information do we collect?”, “How do we store the information we collect?”, “What is the value of the sensitive data or revenue-generating systems that are internet accessible?”, and “Who has access to it?”. You should then examine how you currently protect your data and how you secure your computers, network, email, and other tools.

2. Identifying and documenting internal and external threats

It’s important to do your research and familiarize yourself with the common forms of cybercrime (phishing, identity theft, hacking, and malware) and how they are perpetrated: the tactics, techniques, and procedures used to target organizations. While external threats are common, you should not focus exclusively outwards; you should also acknowledge the potential for a disgruntled or heavily indebted employee to steal intellectual property or commit cyber-enabled economic fraud.

3. Assess your vulnerabilities

Having network infrastructure and assets that are vulnerable to known and unknown risks is dangerous. But how do you find out which threats apply to you and which vulnerabilities you already have?

There are a growing number of tools you can use to scan your network to determine what services you are running, whether software versions are up to date, and whether known vulnerabilities are present. There are also tools that allow your IT administrator to run pre-defined exploits (threats) against your own systems and simulate attacks against your end users to assess their resilience. You may even go one step further and appoint an outside security specialist to gauge your company’s resilience through penetration testing.

4. Identify potential business impacts and prioritize your risk responses

Carry out a business impact analysis to determine the effects or consequences – financial, operational, privacy, and reputational – of a cyberattack on your business, and who would be affected. If you have a business continuity plan, you should already have a clear picture of the costs associated with IT failures or business interruption. If not, a specialist can guide you through this process.

Once you understand the potential impact of a cyberattack on your business, you can start to prioritize how you will resolve any immediate flaws in your security. If you make changes to your system security, test them to ensure that you have not only closed the holes but that the changes haven’t negatively impacted any of your other systems. Since people can be your greatest security liability, ensure rules and best practices are documented in policies and undertake a regular program of staff education on the risks that come from today’s ways of doing business.
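The four steps above form one procedure: inventory the assets (step 1), note the external and insider threats (step 2), record what a scan found (step 3), rate the impact areas and rank the results (step 4). The small risk register below ties them together. It is an added example written for this article, not a tool from Ansay & Associates; the assets, scan counts and 1-to-5 ratings are constructed sample data, and the scoring rules (likelihood times worst-case impact) are an assumed, deliberately simple convention rather than a standard.

```python
"""Toy cyber risk register: inventory -> threats/vulnerabilities -> impact -> priority.

Added example, not part of the original article. All assets, threats and
scores below are constructed sample data, not real scan results.
"""
from dataclasses import dataclass, field

# Impact areas the article names; each rated 1 (negligible) to 5 (severe).
IMPACT_AREAS = ("financial", "operational", "privacy", "reputational")


@dataclass
class Asset:
    name: str
    data_held: str           # what information it holds (step 1 question)
    internet_facing: bool    # reachable from the internet?
    software_current: bool   # are OS/applications patched and up to date?
    known_vulns: int         # findings from a vulnerability scan (step 3)
    insider_access: int      # number of staff with privileged access (step 2)
    impact: dict = field(default_factory=dict)  # step 4 ratings per area


def likelihood(asset: Asset) -> int:
    """Crude 1-5 likelihood score from exposure and vulnerability signals."""
    score = 1
    if asset.internet_facing:
        score += 2
    if not asset.software_current:
        score += 1
    if asset.known_vulns > 0:
        score += 1
    # Broad privileged access raises the insider-threat likelihood.
    if asset.insider_access > 10:
        score += 1
    return min(score, 5)


def impact(asset: Asset) -> int:
    """Worst-case rating across the four impact areas (1-5)."""
    return max(asset.impact.get(area, 1) for area in IMPACT_AREAS)


def risk_score(asset: Asset) -> int:
    """Likelihood x impact; 25 is the highest possible score."""
    return likelihood(asset) * impact(asset)


def prioritize(assets: list) -> list:
    """Return (asset name, risk score) pairs, highest risk first."""
    return sorted(((a.name, risk_score(a)) for a in assets),
                  key=lambda pair: pair[1], reverse=True)


def recommended_actions(asset: Asset) -> list:
    """Map each risk signal to the kind of mitigation the article discusses."""
    actions = []
    if asset.known_vulns > 0:
        actions.append("remediate scan findings, then re-scan to confirm")
    if not asset.software_current:
        actions.append("patch OS/applications to supported versions")
    if asset.internet_facing and impact(asset) >= 4:
        actions.append("review whether this asset must be internet accessible")
    if asset.insider_access > 10:
        actions.append("reduce privileged access to those who need it")
    return actions


# Constructed sample inventory for a small business (hypothetical names).
SAMPLE_ASSETS = [
    Asset("customer-db", "customer PII and payment history", internet_facing=False,
          software_current=True, known_vulns=0, insider_access=3,
          impact={"financial": 4, "operational": 3, "privacy": 5, "reputational": 5}),
    Asset("web-store", "order forms, session data", internet_facing=True,
          software_current=False, known_vulns=2, insider_access=2,
          impact={"financial": 5, "operational": 5, "privacy": 3, "reputational": 4}),
    Asset("shared-drive", "internal documents", internet_facing=False,
          software_current=True, known_vulns=0, insider_access=40,
          impact={"financial": 2, "operational": 2, "privacy": 2, "reputational": 2}),
]

if __name__ == "__main__":
    for name, score in prioritize(SAMPLE_ASSETS):
        asset = next(a for a in SAMPLE_ASSETS if a.name == name)
        print(f"{name:12} risk={score:2}  actions={recommended_actions(asset)}")
```

Run as a script, it lists the internet-facing, unpatched web store first even though the customer database holds the most sensitive data, because likelihood and impact are scored separately and only then combined. Re-running the register after a fix (for example once `known_vulns` drops to zero on a re-scan) is the "test your changes" step the article asks for.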

The bottom line is...

Every company faces cyber risk, no matter its size. The bigger you are, the more areas of vulnerability you have. Since there is no way to protect your business 100% from attempted cybercrime, you need to be prepared in the event of an attack.

Cyber risk is insurable; cyber insurance is designed to protect your company from damages associated with Network Security, Privacy, and Network Business Interruption.  Talk to an Ansay & Associates team member today about your cyber insurance options!

Mike Anderson

Strategic Risk Manager

Port Washington - Corporate Headquarters

mike.anderson@ansay.com