A 3-Step Approach for Assessing Cybersecurity Risk for Your Business
The Weekly Brief: Quick Tips & Tools to Apply in Your Work
Your company’s data is its lifeblood. With cybersecurity incidents regularly appearing in the headlines, it may seem like you need to build an iron fortress around every piece of data your business owns. But let’s face the facts: securing your systems requires a large investment of time and resources.
As a business leader, a risk-based information security strategy will help you allocate resources and implement the right level of security. That strategy starts with identifying which data is critical, what or who can threaten that data, and how far you are willing to go to prevent the data from leaving your control.
Here are some tips to help you assess cybersecurity risk for your business.
1. Understand the Value of Your Data and Your Reputation.
What data is mission-critical to your business, and what are the systems that handle it? What data might be of value to someone else? And what must be protected by law?
Personal information like bank account numbers, Social Security numbers, or health records are easily monetized in the criminal market. Your organization’s intellectual property, which defines and distinguishes you from your competitors, can be valuable in other markets.
2. Quantify Potential Threats.
Who might want your data or wish to disrupt your operations? What are their capabilities and typical attack methods? Is it worse if they steal data, render it inaccessible, or alter it? Think of recent ransomware attacks in hospitals, which affected emergency services.
Look at your data from an attacker’s perspective—to what extent will they go to achieve their goal? Consult your IT team about appropriate hardening, scanning, and monitoring of critical systems to protect your business against the most likely and harmful attack opportunities.
3. Define Your Risk Threshold.
What level of risk are you willing to accept? Addressing all the risks and fixing all vulnerabilities in every system is beyond most technical or financial resources.
If the likelihood of business impact is low, measured detection and response is the more effective approach. It’s your responsibility to determine what is essential to your business operations, and what business impacts you can—and can’t—withstand.
Do not waste money protecting all of your information and systems equally from every threat. By taking the time to understand the realistic risks to your business, you can more effectively work with your IT team to design security into the systems that handle your most valuable data, defend you against probable events, and hopefully keep your business from being the next cybersecurity headline.