KIA&B March/April 2021 | Page 46

TECHNOLOGY
attempts? Physical or cyber? Do you know what your employees' click rate for a phishing campaign is?
2. Next, take your most likely scenarios and look at the impact. If something were to happen in those areas, what would the business impact be? Be specific and examine the various areas, including loss of goods, loss of productivity, an inability to serve customers, or the leak of sensitive data, be it customer, employee, or financial. Most security incidents impact an organization on several of these levels at once.
Spell out the damage as best you can to help gauge the magnitude. Will you be down for a few hours or for weeks? List what this will cost you in lost time and productivity, potential fines, lost revenue, and recovery costs. Then categorize the various events or risk areas into degrees of impact, from low to catastrophic.
3. Once you've identified your key risk areas and their impact, look at what it would take either to limit the damage once an incident occurs or to prevent the incident in the first place. Keep in mind that no policy, technology, or tool will eliminate the risk, but each one should lower the likelihood or the impact.
Gain clarity on what the tool, policy, or provision will actually do. Is it proactive or reactive? Surveillance cameras will not prevent vandalism, for example, but they may provide footage that helps with your insurance claim. Determine whether a tool protects your network or your premises. Define what it will take to detect malicious activity once it has begun; industry reports have put the average time a breach goes undetected at around 90 days, so detection cannot be assumed. What will trigger a response once malware is found? Will the infected machine need to be isolated from the network? Understand that a response usually requires human action, and an incident response plan defines in advance what that response should look like.
Don't forget about recovery: a solid backup solution, with restores tested regularly, is the single most important tool.
4. Now examine everything you have and identify the gaps. Where are you in good shape, almost there, or not even started? Keep in mind that the areas were already prioritized by likelihood and impact, so it may be acceptable to leave large gaps in areas that are not a priority.
Start assigning short-, mid- or long-term timelines and define the tasks needed to fill the gaps. Not every tool is worth the investment: if it costs more to protect against an incident than to manage it, you may choose to accept that risk.
A good starting point is improving policies and procedures, such as instituting an incident response plan. Next, define standard IT practices, then document, disseminate, and enforce them. If you outsource your IT, ask your provider; they should be able to deliver this. And remember, even though measures such as employee awareness training, EDR, SIEM, or electronic access control may require longer-term planning and investment, they are worth incorporating into your budget cycle.
5. Finally, after you have agreed with stakeholders on your risk tolerance, ensure it aligns with your strategic company and departmental goals and budgets. According to CSO Online, "If risk tolerance isn't defined, it's hard for management to determine how they should invest in tools or resources to secure the organization." (CSO Online, May 2019, Business Risk Tolerance)
Take a ransomware attack, for example. Even if the data can be recovered from backups, the attackers may also have copied it and post it online; the resulting regulatory fines and loss of client trust can be severe even though the systems themselves were restored.
Know where your risk lies and how to address it!
Contact KAIA Industry Partner Nex-Tech to analyze your current protection: (877) 625-7872 or www.nex-tech.com