
Performing a risk assessment and knowing how much to invest

By Bill Ross


We live in a world where more and more business is conducted over the Internet. Whether it is online banking, shopping and paying for what you buy online, or a host of other things, it is clear that doing business has changed, and that means security has to change as well. Today, unfortunately, cybersecurity breaches have become a cost of doing business. It is one of the negatives that come with the convenience of online living, and it is a big negative.

The question business owners and managers have to ask is this: How much should we invest to properly defend against an intrusion? A defence against every kind of attack can be very expensive – up to several million dollars – depending on the organization. Cyber attackers continually find new ways to break into systems and it is hard to keep up with the new malicious efforts that are developed daily. The solution for any organization is to, first, establish criteria for what information is important and, second, focus on being able to recover as quickly as possible from the damage of any attack.

In 2017, the Ponemon Institute did a survey and determined that the average cost of an intrusion to an organization was US$2.6 million, and that the average length of time required to resolve the damage of a malicious attack was 55 days. Clearly, a lot can happen in a two-month period, and in some cases the outcome can be fatal to the business.

Costs incurred from this type of attack can include not only the cost of repairing systems and processes, but the loss of reputation and with that the subsequent loss of customers. So, what do businesses do? Obviously, there is a balance to be struck between accepted risk and the cost of doing business, and that will vary from organization to organization.

The first task in addressing cybersecurity is an evaluation of all the risks. This is usually conducted by a team independent of the processes it examines, which explores every process that may be vulnerable to cyberattack. The objective is to determine what can be put in place to mitigate the risk of attack. Here are some questions to consider in assessing the risk:

What would be the impact of a breach in customer data? Apart from the embarrassment of informing customers, could this cause those customers to take their business elsewhere? Could it impact the long-term growth objectives of the business?

What information would be useful to competitors and could it be used to take away company business? Proprietary intellectual property and know-how are prominent targets; however, identification of key personnel and long-term strategies may also be of interest to competitors.

How would the organization’s reputation survive a breach? The answer to this question may largely depend on the very nature of the business. For example, organizations holding vast amounts of personal information would be particularly vulnerable. Consider the 2017 breach at Equifax, a credit rating organization, where the breach struck the primary focus of the business.

The degree of risk an organization is willing to accept will largely dictate the key steps it must take to defend itself. There are both human and technological considerations at play.

In looking at risk, the first thing to do, the first line of defence, is to foster a culture of cyber safety in the organization. This means employees should be well educated in safe practices and aware of the common methods attackers use to infiltrate a system. In addition, the culture of your organization should encourage fellow workers to look out for each other's safe behaviour. By the same token, any unsafe practices should be called out.

Attackers are usually after user names and passwords, so employees must be able to recognize any situation that could expose them. What kind of situation? It might be the use of unsecured networks, sharing credentials or sensitive information with fellow employees, or storing information on removable storage drives.

Another avenue that is exploited by hackers is social engineering, which is now growing with the proliferation of personal data. Potential attackers will follow a user’s social media sites and activities to gain insight into the individual’s personal profile. Pet names, preferences and lifestyle are all things that help intruders with answers to security questions. It is of paramount importance that employees are aware of these dangers.

The second line of defence involves technology. A number of security providers offer technological solutions to enhance security. However, knowing how much to spend is the key consideration. The approach is to evaluate each security technology and determine which ones provide the most value against the risks identified; the criteria outlined earlier for evaluating risk will help. Creating a strong cybersecurity foundation means, at the very minimum, investing in the basics, such as security intelligence, while continuously innovating to stay ahead of attackers and continually improving processes to make them more secure.

The final defence is to test the organization's systems. This involves adversarial testing, such as penetration testing, of every entry point into the system. It is not sufficient to test only compliance with the organization's policies. Testing is a dynamic and continuous process that identifies vulnerabilities and allows the organization to outwit and outpace attackers.

So, how much will all this cost? A good guideline is to work backwards: estimate the cost of a data breach, add a value for the time it takes to rectify the damage, and then multiply that total by the probability of such a breach occurring in any given year. The result is an annualized expected loss, which gives a benchmark for what is reasonable to spend on defence. The organization should revise that benchmark each and every year, based on the experience gained.
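The calculation above, carried through for a small risk register as an added illustration (this is not code from the article or its author). It computes a single-loss expectancy (breach cost plus recovery time valued per day), multiplies by the annual probability to get the annualized loss expectancy, ranks the risks, and goes one step beyond the text by comparing a candidate control's annual cost against the loss it avoids (a return-on-security-investment ratio). Every figure, risk name and control in the register is constructed for the example and is not a measured value.

```python
"""Annualized loss expectancy (ALE) for a constructed risk register.

Added example; the register entries and the control below are hypothetical
figures chosen for illustration, not data from the article.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Risk:
    name: str
    breach_cost: float          # direct cost: repair, notification, legal, lost customers
    days_to_recover: int        # time needed to rectify the damage
    daily_downtime_cost: float  # value assigned to each day of degraded operations
    annual_probability: float   # likelihood of the event in any given year (0..1)

    def single_loss_expectancy(self) -> float:
        """Cost of one occurrence: breach cost plus the value of recovery time."""
        return self.breach_cost + self.days_to_recover * self.daily_downtime_cost

    def annualized_loss_expectancy(self) -> float:
        """Expected loss per year: one-occurrence cost times annual probability."""
        return self.single_loss_expectancy() * self.annual_probability


def rank_risks(risks):
    """Order risks by annualized loss, largest first; this is the spending priority."""
    return sorted(risks, key=lambda r: r.annualized_loss_expectancy(), reverse=True)


def rosi(ale_before: float, ale_after: float, annual_control_cost: float) -> float:
    """Return on security investment: (avoided annual loss - control cost) / control cost.

    A ratio above 0 means the control avoids more loss than it costs each year.
    """
    if annual_control_cost <= 0:
        raise ValueError("control cost must be positive")
    return (ale_before - ale_after - annual_control_cost) / annual_control_cost


def evaluate_control(risk: Risk, annual_cost: float,
                     new_probability=None, new_days_to_recover=None):
    """Model a control that lowers probability and/or recovery time for one risk.

    Returns (ALE before, ALE after, ROSI) so the numbers can be compared.
    """
    changes = {}
    if new_probability is not None:
        changes["annual_probability"] = new_probability
    if new_days_to_recover is not None:
        changes["days_to_recover"] = new_days_to_recover
    after = replace(risk, **changes)
    before_ale = risk.annualized_loss_expectancy()
    after_ale = after.annualized_loss_expectancy()
    return before_ale, after_ale, rosi(before_ale, after_ale, annual_cost)


# Constructed register: values are illustrative assumptions, not measurements.
REGISTER = [
    Risk("customer database breach", 1_500_000, 55, 20_000, 0.10),
    Risk("ransomware on file servers", 250_000, 20, 20_000, 0.25),
    Risk("lost laptop with unencrypted data", 80_000, 2, 5_000, 0.50),
]

# Hypothetical control: tested offline backups cut ransomware probability and
# recovery time; assumed to cost 40,000 per year to run.
RANSOMWARE = REGISTER[1]
BACKUP_EVALUATION = evaluate_control(RANSOMWARE, annual_cost=40_000,
                                     new_probability=0.05)

if __name__ == "__main__":
    for r in rank_risks(REGISTER):
        print(f"{r.name:38s} SLE={r.single_loss_expectancy():>12,.0f} "
              f"ALE={r.annualized_loss_expectancy():>10,.0f}")
    before, after, ratio = BACKUP_EVALUATION
    print(f"backups: ALE {before:,.0f} -> {after:,.0f}, ROSI {ratio:.2f}")
```

The ranking, not the raw breach cost, is what should steer spending: a frequent, cheap incident can carry a larger annual loss than a rare, expensive one. Re-run the register yearly with updated probabilities and recovery times, as the article recommends.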

It can’t be stressed enough that addressing cyberattacks is a continuous learning process; it never stops. The degree to which employees embrace the learning as part of the organization’s culture will drastically reduce an organization’s exposure to cyberattacks.

Bill Ross is the founder of Vercerta.
