Your cyber risk management journey begins with an in-depth cyber risk assessment. Our Cybersecurity Consultants help you answer the following questions about aspects of your organization:
Assets—what is valuable to your organization, and especially what information is valuable? Think intellectual property, customer data, Personally Identifiable Information (PII), etc. Also, is the organization subject to compliance regulations that require some assets to be protected to certain standards?
Information technology—what assets do you have arrayed to process, store, transmit, and protect your valuable information, and how securely are they configured? Keep in mind that IT isn’t just desktop PCs and wireless routers; it’s mobile devices, printers, and everything else, including your most valuable IT asset: your people.
Managerial processes—what processes do you have in place to manage your information, the technology, and the people that use that technology? Does the organization include cybersecurity in its budget? Without buy-in from the highest echelons in the organization, any cybersecurity program is doomed to fail.
Operational processes—how does your organization interact with your assets, especially your valuable information? Do you have an Acceptable Use Policy in place? If not, why not?
Threats—what scenarios exist by which your assets, especially valuable information, may be compromised? Cybersecurity isn’t just about stopping hackers from getting at your data; it’s also about preventing accidents and recovering from the inevitable.
Vulnerabilities—which areas of the organization are currently susceptible to threats? All three aspects of organizational IT—technology, management, and operations—can have vulnerabilities. The good news is that most organizations already have some vulnerability mitigations in place, such as locks on doors and usernames and passwords.
Don’t worry! If you’ve never been through a Cyber Risk Assessment before, we can start with a simple “Assumed Risk” approach, which results in an easy-to-visualize “heat map” of areas of high cyber risk within the organization. The Assumed Risk Assessment usually takes about a half day for a small- to medium-sized organization, and the heat map helps prioritize areas to fix.
Once we have the answers to the questions above and have performed a qualitative risk assessment, we can execute a more formal cyber risk assessment calculation (asset value × probability of compromise) to determine the potential cost to your organization should a breach occur. Then you’ll have a reasonable idea of what your organization should be spending on cybersecurity (see note below), and where to spend that money. Then you’ll be prepared for proper Cyber Risk Management.
Let our cybersecurity experts guide you on your cyber risk management journey.
Note: You can actually do a quick calculation to get an order-of-magnitude estimate of your cybersecurity budget: ask yourself “What would we be willing to pay should we become locked out of our network by ransomware?” The amount you’d be willing to pay to unlock your assets from ransomware should be the first deposit in your cybersecurity fund. Keep in mind that the earlier your organization implements a Cyber Risk Management strategy, the cheaper things will be. It’s always less painful to “build it in” from the beginning, as opposed to “bolting it on” at the end.