Most business owners are aware of the rising importance of cybersecurity. They only need to turn on the news to learn about the latest data breach or ransomware attack. But when it comes to their own business's security, are they asking the right questions to ensure they are doing all they can to prepare for the rising tide of cyberattacks? Many executives and owners mistakenly believe that cybersecurity is an IT issue. They may routinely ask their internal IT team or IT service provider "Are we secure?" and hope for a simple yes or no. It is never that simple. When it comes to cybersecurity risk, you must dig deeper. Here are some questions you should be asking on a regular basis:
Do I know what assets I need to protect?
Knowing what assets you have and where they are stored is a first step towards determining if they are adequately protected. The following is a good starting point in building your list:
- Physical assets – computers, copiers, servers, medical or manufacturing equipment are just a few of the assets you rely on to operate your business every day. Prepare a detailed inventory.
- Personally Identifiable Information (PII) – This is personal or confidential information you store about your clients, patients, staff or members that must, by law, be protected. Can you identify what PII you store and where? Are the right security policies in place not only to protect it, but also to detect and confirm whether it has been compromised (logging and monitoring, not just access controls)?
- Intellectual Property – What would be the damage to your company if this information was stolen as part of a data breach?
- Reputation – Protecting your reputation and maintaining the trust of your clients, vendors or donors is possibly the hardest to quantify – and the hardest to repair after a breach.
Where is my greatest risk?
Now that you have identified the assets to protect, you can review the systems you currently have in place and identify any gaps. For each gap, conduct a risk assessment: what is the likelihood of this vulnerability being exploited, and what is the harm to the business if it is?
Once that is done, you can rank your areas of greatest risk. For each identified risk you can choose to:
- Accept it – The risk is low enough that you can accept the consequences.
- Mitigate it – Reduce your risk by putting stronger protections in place.
- Transfer it – Cyber insurance will help reduce the financial cost of recovering from a breach. Note that it transfers the cost, not the risk itself: the breach, the downtime and the reputational damage still happen, and insurers increasingly require baseline controls before they will pay out.
- Eliminate it – Remove the area of risk altogether. For example, if you are using out-of-date software that is vulnerable to attack, retire it or replace it with a supported application that does not have the same vulnerability. The replacement then goes through the same assessment, since it will carry risks of its own.
Where should I be investing to protect my company?
No company has unlimited resources. Once you have identified your greatest areas of risk and how to deal with each, you have a roadmap of where to invest to make the greatest impact on your security. You likely cannot fix them all, so focus first on the areas that carry the greatest risk. Once those are reduced to an acceptable level, move on to the next greatest. Rinse and repeat!
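The likelihood-times-harm assessment above, the four treatment options, and the "greatest risk first, within budget" roadmap can be run as a small risk register. The following is an added example written for this page, not code from the original article or from any product. The assets, scores and costs in the register are constructed for illustration, the 1-to-5 scoring scale and the accept threshold are assumptions, and the rule that maps a risk to accept/mitigate/transfer/eliminate is a common heuristic (rare-but-severe events are the classic case for insurance; a control that removes the gap entirely eliminates the risk), not a standard.

```python
from dataclasses import dataclass

# Scores run 1 (low) to 5 (high). Exposure = likelihood * impact, which is the
# "how likely is it, and how bad is it" question the article poses.


@dataclass(frozen=True)
class Risk:
    asset: str
    gap: str
    likelihood: int            # chance the gap is exploited (1-5)
    impact: int                # harm to the business if it is (1-5)
    control_cost: int          # rough cost of the proposed control, arbitrary units
    residual_likelihood: int   # likelihood left once the control is in place

    @property
    def exposure(self) -> int:
        return self.likelihood * self.impact


# Constructed sample register; every asset, gap and score here is invented.
REGISTER = [
    Risk("file server", "unpatched OS, SMB exposed to the internet", 5, 4, 20, 1),
    Risk("patient records DB", "no encryption at rest", 3, 5, 40, 1),
    Risk("legacy billing app", "vendor no longer issues security fixes", 4, 4, 60, 0),
    Risk("office printers", "default admin password", 3, 2, 5, 1),
    Risk("backup tapes", "fire at the single storage site", 1, 5, 30, 1),
    Risk("lobby kiosk", "reachable from guest wifi", 2, 1, 10, 1),
]

ACCEPT_AT_OR_BELOW = 4   # assumed threshold: exposure this low is accepted as-is
HIGH_IMPACT = 4          # assumed cut-off for "severe"


def treatment(r: Risk) -> str:
    """Map one risk to accept / mitigate / transfer / eliminate (heuristic)."""
    if r.exposure <= ACCEPT_AT_OR_BELOW:
        return "accept"
    if r.residual_likelihood == 0:
        return "eliminate"        # the control removes the gap entirely
    if r.likelihood <= 2 and r.impact >= HIGH_IMPACT:
        return "transfer"         # rare but severe: the insurance case
    return "mitigate"


def prioritise(register, budget):
    """Greatest exposure first; fund controls until the budget runs out.

    Returns (plan, budget_left). Each plan row is (asset, treatment, status)
    where status is "funded", "deferred" or "no spend". Accepted and
    transferred risks consume no control budget here (premiums are not modelled).
    """
    plan = []
    for r in sorted(register, key=lambda x: x.exposure, reverse=True):
        t = treatment(r)
        if t in ("accept", "transfer"):
            plan.append((r.asset, t, "no spend"))
        elif r.control_cost <= budget:
            budget -= r.control_cost
            plan.append((r.asset, t, "funded"))
        else:
            plan.append((r.asset, t, "deferred"))   # revisit next cycle
    return plan, budget


def residual_exposure(register, plan):
    """Total exposure left after the funded controls are applied."""
    status = {asset: st for asset, _, st in plan}
    total = 0
    for r in register:
        if status[r.asset] == "funded":
            total += r.residual_likelihood * r.impact
        else:
            total += r.exposure
    return total


if __name__ == "__main__":
    plan, left = prioritise(REGISTER, budget=70)
    for asset, t, st in plan:
        print(f"{asset:20} {t:10} {st}")
    before = sum(r.exposure for r in REGISTER)
    print(f"exposure {before} -> {residual_exposure(REGISTER, plan)}, budget left {left}")
```

With the constructed register and a budget of 70, the unpatched file server is funded first, the legacy billing replacement is deferred because the remaining budget cannot cover it, and the cheaper database and printer controls are funded instead; the tape fire is transferred and the kiosk accepted. That is the "rinse and repeat" loop: the deferred item is the first candidate in the next cycle, and the residual exposure figure shows whether the spend actually moved the needle.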
When it comes to protecting yourself from cybersecurity threats, two things are certain: there is no such thing as eliminating risk completely, and it is not simply an IT problem. Security is an ongoing journey. Business stakeholders must be engaged in the process to help identify the risks and make sound decisions about how to deal with them. Asking these questions of your IT team is a good starting point along that journey.