Security – Do You Know Your Digital Risk?
It should be little surprise that rapid technological advancement and increased global connectivity have fundamentally changed the way the world functions. While this has allowed businesses to benefit from higher worker productivity and improved customer satisfaction levels, it has also opened a new area of vulnerability that needs to be addressed. While customers may love the prospect of being able to make purchases from the comfort of their own home using the internet, they’ll be incredibly irate if that same payment information is ever compromised and falls into the wrong hands. So, does growth inherently have to be tied to these increased risks?
Not if managed properly.
Security challenges within these increasingly digital environments can be addressed, but first they need to be identified. It can be an uncomfortable experience to stare directly at your own weaknesses, but it’s necessary to be able to design your security measures and controls, and ultimately incorporate them into the way you do business long term. Here are some of the different types of digital risks your IT support should be able to identify, and which once resolved should give you that always important return on investment.
Types of Digital Risks
Disruptive technologies bring change, and their rapid adoption has presented an abundance of both rewards and risks. Cybersecurity, for all of its headline-grabbing moments, makes up only a small portion of the issues that need to be addressed. In the broader category of digital risks you also need to consider physical, technical, and administrative risks.
The risks most commonly encountered, and therefore the most important to prioritize, include:
- Compliance risk: New regulatory requirements can emerge at any time, regarding data privacy, organizational standard of practice, where your data is permitted to be stored, etc. Violations are often subject to hefty fines, or revocation of certain accreditations which can drastically impact the functioning of your business.
- Business continuity risk: Leveraging technology can give you fantastic results, but what happens to your operations if a key component were to fail? Do you have redundancies in place, or is the success of your business solely dependent on someone else holding up their end of the bargain?
- Data privacy risk: Most people are happy to say goodbye to the old filing cabinet, but moving all of that critical data into a digital environment has allowed that data to become one of the most valuable commodities in the world, and therefore the target of nefarious folk who intend to misuse it for personal gains.
- Third-party risk: When you outsource certain services, any security failings on their part can pose a risk to your business. A vulnerability in a program’s code can open up new angles of attack (See Adobe Acrobat) or a breach of their database can lead to your company’s login credentials or personally identifiable information being published on the dark web (See Facebook).
- Risks due to human error: A 2019 report from Shred-it identified that 40% of small business operators that reported a data breach cited the primary cause as human error or insider activity. Not everyone lives and breathes cybersecurity; normally they’ve got their actual job role to focus on. Unfortunately, that leaves them susceptible to falling for phishing scams, activating malware, or otherwise misusing their work devices, resulting in massive bills and headaches for you.
- Automation risks: While automation can be an amazing time saver, if managed poorly it can create an impossible tangle in the way that only a computer is capable of. Issues of governance and responsibility can arise in relation to its use, and incompatibility with other processes can lead to dead ends after large investments of time and resources.
Importance of Risk Assessment in Managing Digital Risks
The best way to start getting your digital risks under control is to build a risk assessment component into your overall network assessment and get actionable reporting on it regularly. Evaluating your performance can hardly afford to be a once-a-year affair, or you’ll be stuck looking in the rearview mirror after a disaster has struck rather than looking ahead for a way to avoid it. An ‘under the skin’ examination gives you the opportunity to measure your security posture against various internal and digital threats, and gives you a benchmark on how well equipped you are to deal with them. The information you get can be used to proactively:
- Identify vulnerabilities: There’s no such thing as a perfect defense, so it’s important to prioritize whichever component of your digital environment is the weak link when it comes to various security threats. You could spend a fortune upgrading the locks, installing deadbolts, and replacing your home door with bank grade iron, but it won’t do a thing to keep a burglar out if someone keeps leaving the spare key under the “Welcome” mat. Take the time up front to assess and you can get a proper return for your investment.
- Review and bolster security controls: A lack of process controls (no Acceptable Use Policy, sporadic or absent cybersecurity awareness training, simple or unenforced password standards) all contribute to an increase in the risk presented by your human element. Stop relying on your staff to simply “do the right thing”, and incorporate preventative measures based upon your assessment’s results.
- Track and quantify risks: If you want to effectively manage risk, it all comes down to the math, so put some numbers in your evaluation to get a proper gauge of the potential losses that are posed by various threats. That way as you make the investments to decrease your exposure to risk, you can judge whether you’re moving your company in the right direction, and seeing a return from your provider.
The Value of Risk Assessment
IT and security budgets can seem at first glance like a necessary evil at best, or a black hole for money at worst. If they’re presented as overly technical they can be a challenge to make sense of.
It can be challenging to try and measure an ROI on “still nothing bad is happening”, but few people would buy a car that had the airbags stripped out.
Management can often be hesitant to dive deep into IT and security budgets. They understand the possible consequences of not investing in them properly, but the budgets are often presented in an over-technical fashion, or seem designed simply to sell another service and rack up additional costs. Nobody wins any awards for “this year nothing catastrophically bad happened”, and it’s not an investment you’ll ever make any money off of.
The real question though is – how much are you willing to put on the line by not making this investment? What does a major incident really cost? The average cost to recover from a ransomware attack continued its upward trend over 2020, as remote work provided new angles of attack from both a technical and a personnel standpoint. The median ransom payout peaked above the $100,000 mark for the first time, and that figure doesn’t take into account the hit to one’s reputation, the loss of productivity, and the toll on morale that are associated with it. The aftermath of government penalties and required changes due to regulatory non-compliance can often mean that a full recovery is never even possible for the organization.
A sensible but robust security solution can shield you from these sorts of eventualities at negligible cost, and ultimately ensure the survivability of a business. You may not be able to measure the exact ROI of the airbags in your car, but people would stare at you wide-eyed if you drove around in a car without them because it saved you a thousand bucks. Give yourself and the team that relies on you the same kind of consideration when they come into work each day, and make sure you have a plan that gives you the resiliency to be there this year and the next, no matter what the future might bring.
Assess Your Risks the Right Way
If it’s been a while since you had your last inspection, or you just feel that it might be worth someone putting a second set of eyes on your operations, please reach out. We’re here to perform a risk assessment as part of a complete network evaluation that will give you the information you need to improve your security posture, and give you a greater resiliency to various threats.
Article curated, modified, and used by permission.
3rd-party risk: https://www.zdnet.com/article/adobe-tackles-critical-code-execution-vulnerabilities-in-acrobat-reader/
3rd-party risk: https://www.forbes.com/sites/zakdoffman/2020/04/20/facebook-users-beware-hackers-just-sold-267-million-of-your-profiles-for-540/?sh=77cbe6207c85
Risks due to human error: https://www.lawtimesnews.com/staticcontent/AttachedDocs/%7B08bb4056-b1c6-4dae-8508-50a914d125f1%7D_Shred-it-Canada-2019-Data-Protection-Report_compressed.pdf
Cost of ransomware incidents: https://www.coveware.com/blog/q3-2020-ransomware-marketplace-report