By: Jim Baskin, CISO
As with most business-critical initiatives a case must be made first to company leadership. The Board of Directors (BoD) and C-Suite must embrace the value of Cybersecurity, Risk, and Compliance in order for meaningful action to take place. Let’s talk about why these three words go together – and what a Chief Information Security Officer (CISO) usually means when they talk about Cybersecurity, Risk, and Compliance while keeping in mind the goal of getting the Board, CISO, and C-Suite all aligned and speaking the same language.
The foundational word is ‘Risk’, upon which we build all Security and Compliance programs. Risk describes the potential loss from a given event or issue. Mathematically we think of Risk as Impact multiplied by Likelihood (I x L = R). This gives us a means of quantifying, in dollars, a potential Security or Compliance event that could happen to your company.
Cybersecurity protects company technology from disruption or misuse. Compliance is identifying and following the laws that govern the company, especially related to data privacy, processing, and storage.
Let’s discuss some of the bad things that can threaten a company if the compliance and security components of Risk are ignored. The point is to show that the issue deserves attention, not to suggest that the situation is hopeless.
The first step is to conduct a Risk assessment. This assessment helps by identifying where a company stands in regard to compliance and security and serves as the starting point for creation of a simple plan to describe how to improve security over the next few months or years. A reasonable understanding of where there are risks, and a plan to remove or reduce those risks, is usually all that is needed to protect a company from the biggest potential fines and legal judgements.
With these steps as the primary part of ‘Due Care’, you can also qualify for Cyber Insurance, which can significantly mitigate the risk of a huge cost to your company from a Cybersecurity incident.
The major types of Risk related to Cybersecurity are Operational, Reputational, Legal, and Compliance.
- Operational Risk – This is a loss related to your company’s operations or ability to complete the business processes that keep your business running. The primary example is Ransomware. In this scenario an attacker gains access to your network and runs a program to encrypt the data on your company computers. This prevents those computers from functioning and your business processes that rely on that data are stopped.
- Reputational Risk – Customer, employee, and supplier trust in your business is key for them to provide personal information, including credit card data, or to conduct business with you successfully. If company data is breached and customer, employee, or supplier data is compromised, then that trust is broken and the company’s reputation is damaged. That lack of trust may prevent gaining new customers and could cause existing customers, suppliers, or employees to stop doing business with your company.
- Legal Risk – In the above examples, if Ransomware or a Data Breach occurs there could be lawsuits filed against the company by the impacted parties – customers, employees, suppliers, and shareholders. If the company is able to prove ‘Due Care’ was taken to secure confidential data, then the legal damages and liability of the company are generally significantly reduced, if not altogether eliminated. However, without the ability to show Due Care was taken, all bets are off.
- Compliance Risk – There are many domestic and international laws that require companies to take steps to secure customer data and to give customers control over the storage and use of their personal information. Some of the data privacy laws with the biggest fines are GDPR for EU citizens’ PII (personally identifiable information), CCPA for California citizens’ PII, and HIPAA for US personal health data.
In a security breach it is common for many types of risk to apply to one incident. For example, a Ransomware attack may take down your network, costing $100,000 of Operational risk; if the attackers also took data before encrypting your servers, they could post it publicly and damage your reputation, expose you to Compliance costs for responding to the loss of data, and Legal costs if it is shown that you did not take reasonable security precautions with the data. This is a business for attackers, and they threaten to do damage on multiple fronts to pressure you into paying the ransom. Fortunately, security professionals are also creating thousands of ways to protect a company.
Some effective approaches to mitigate Operational, Reputational, Compliance, and Legal costs in case of a data breach are Cybersecurity Insurance, a Security Assessment, and creation of a company Security Program. All of these responses can be scaled to the size and profitability of your company, so that they help ensure success rather than becoming a burden that drives you to unprofitability or bankruptcy.
In our future posts I will discuss:
- Real-life examples of the factors that can cost you money related to Operational, Reputational, Legal, and Compliance risk. We will look at different Ransomware and Data Breach examples to see where companies incurred losses.
- Steps you can take to reduce the likelihood and impact of a ransomware attack, data loss, or operational outage for your company. These steps will also reduce the risk of Reputational, Legal, and Compliance related losses.
- How Risk Management can provide company leaders solid data for strategic decision making related to Cybersecurity and Compliance mitigation spending.
We are fortunate that there are so many tools and processes available to keep systems and data secure. In fact, the difficult task is selecting the effective and economical tools you need to meet your Risk goals so that you minimize cost and maximize company value. At ClinkIT Security we are helping companies optimize their Risk, Security, and Compliance efforts to help protect both customers and profits.
Contact us today at ClinkIT Solutions to get your company on the track to Cybersecurity compliance and risk mitigation.