Conversations business leaders need to have about security
By Mike Knapp
Major crimes hit the news, but the old woman being mugged in the street doesn’t. Security headlines are the same: breaches and attacks against big retailers, government agencies and hospitals. It’s easy to forget that for every Target breach, there are thousands of small businesses that are victims of cybercrime.
When you’re busy running a successful small business, you’re involved in every part of it. Being spread that thin, most business leaders don’t have time to consider cybersecurity threats and risks. Yet how can you make informed decisions to reduce your risk if you don’t know where the risk is coming from?
In some cases, business leaders know about the threats and are scared. Awareness is a good start, but they need to do something about it.
Even worse are those who know what threats are out there but don’t think it can happen to them. With surveys reporting that roughly one-third of businesses have been victims of cybercrime, it can, and will, happen to any business – including yours.
It’s time to have the right conversations about security.
First: Get educated
Business leaders need a basic foundation in the security risks that affect their businesses. I’m not recommending detailed knowledge or getting a CISSP, but rather a high-level understanding of the threats you face, the risks they create and the controls in place to protect your business.
Doing this puts the leader in a position to have the right conversation.
What’s at stake?
If you don’t know what’s at stake, it’s hard to decide what to protect. The right starting point is to identify your assets. Assets aren’t just physical items such as computers; the information those computers hold is usually the more valuable asset.
Once you know what your assets are, assign a value to each. I prefer to rate each asset against multiple criteria: Financial, Reputational and Operational. A computer failing may have only a low Financial impact. Having your website hacked would have a low Financial impact (the cost to fix it) but a high Reputational impact, and if it’s an e-commerce site the Operational impact is high as well, because the business stops taking orders.
When you value assets this way, it quickly becomes clear what you need to be protecting, and the highest rating on any one criterion is what should drive the priority.
What are our risks?
Risks should be the backbone of any security conversation. For every asset, there are risks. Each risk combines a threat, the likelihood of that threat occurring and the impact on the business if it does.
For example, ransomware is a threat to all of your computer systems. Its impact on availability is very high, and the likelihood of it happening is high.
Now that you know it’s likely to happen and the impact is high, you can work with IT to understand what is already being done to reduce the risk, and what more should be done to bring the risk down to an acceptable level.
Doing this changes the conversation from cost and technology to risks and results.
How are we reducing risk?
This is where the conversation starts to shift from threats and risks to solutions. Training, policies, processes and technology are the key elements in reducing your risks. For example:
Phishing
- Staff training to recognize phishing attacks
- Spam filter to reduce the number of phishing messages that reach staff
- Web filtering to block known phishing or malicious websites
Malware / viruses
- Anti-virus software deployed on all systems
- Spam filter to block malicious attachments
- Web content filter to detect malware before it reaches the desktop
Are you sure?
One of the most important security processes, and the one most often neglected by smaller companies, is verifying that security controls are actually in place and effective. A control that nobody checks tends to stop working quietly: the anti-virus agent is uninstalled, updates fail silently, the backup job is disabled.
Best practice is to have someone independent verify the controls on a regular basis. There are several ways to do this (do all of them):
- Self-checks – every control, from anti-virus to patching, should have a self-check process that confirms it is working as expected, ideally one that produces evidence (a log, a timestamp, a report) someone else can review.
- Internal audit – have someone independent check settings, processes and the evidence the self-checks produce.
- Vulnerability scans – use specialized tools to find known vulnerabilities that remain unpatched on your systems.
- Penetration tests – have a trusted specialist try to break into your network or systems.
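A small self-check in code, added here as an example and not taken from the article: each control leaves a timestamped piece of evidence (a stamp file written by the patch job, the anti-virus signature file, a backup log), and the check fails if that evidence is missing or older than the limit you set. A second check confirms that an agent process is actually running. The file names, process name and age limits are placeholders to be replaced with your own; the demo files are constructed in a temporary directory so the script runs anywhere.

```python
"""Control self-checks based on evidence freshness (added example, not the article's code).

Assumptions (not from the article): each control writes a timestamped evidence
file, and the paths, process name and age limits below are placeholders.
"""
import os
import subprocess
import tempfile
import time
from dataclasses import dataclass

DAY = 86400.0


@dataclass
class CheckResult:
    control: str
    passed: bool
    detail: str


def evidence_age_days(path, now=None):
    """Days since the evidence file was last modified; None if it is missing."""
    if not os.path.isfile(path):
        return None
    now = time.time() if now is None else now
    return (now - os.path.getmtime(path)) / DAY


def check_evidence_fresh(control, path, max_age_days, now=None):
    """A control passes only if its evidence exists and is recent enough."""
    age = evidence_age_days(path, now)
    if age is None:
        return CheckResult(control, False, f"no evidence at {path}")
    return CheckResult(control, age <= max_age_days,
                       f"evidence is {age:.1f} days old (limit {max_age_days} days)")


def check_process_running(control, name):
    """A control that must be running (e.g. the AV agent) is checked with pgrep -x."""
    try:
        rc = subprocess.run(["pgrep", "-x", name], capture_output=True).returncode
    except FileNotFoundError:
        return CheckResult(control, False, "pgrep not available on this host")
    return CheckResult(control, rc == 0,
                       f"process '{name}' {'found' if rc == 0 else 'not found'}")


def run_checks(evidence_checks, now=None):
    """evidence_checks: list of (control name, evidence path, max age in days)."""
    return [check_evidence_fresh(c, p, m, now) for c, p, m in evidence_checks]


def failures(results):
    return [r for r in results if not r.passed]


def demo_results():
    """Constructed demo: one fresh, one stale and one missing evidence file."""
    with tempfile.TemporaryDirectory() as d:
        fresh = os.path.join(d, "updates.stamp")          # written by the patch job
        stale = os.path.join(d, "av-signatures.dat")       # AV definition file
        for p in (fresh, stale):
            open(p, "w").close()
        os.utime(stale, (time.time() - 20 * DAY,) * 2)     # make it 20 days old
        return run_checks([
            ("OS updates applied", fresh, 7),
            ("AV signatures current", stale, 3),
            ("Backups completed", os.path.join(d, "backup.log"), 1),
        ])


if __name__ == "__main__":
    results = demo_results() + [check_process_running("AV agent running", "avagent")]
    for r in results:
        print(f"{'PASS' if r.passed else 'FAIL'}  {r.control}: {r.detail}")
    print(f"{len(failures(results))} of {len(results)} controls need attention")
```

Run it from a scheduled task and keep its output: that output is the evidence the internal audit then reviews, which is what closes the loop between "we have a control" and "we know it works".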
What can we do better?
There’s always room for improvement.
Threats are changing and becoming more sophisticated on a daily basis. We need to be constantly looking at ways to better protect our businesses.
When we do this from a risk perspective, it’s easy to build a simple business case for a security project:
To reduce risk xyz, which carries a potential loss of $12,345, from high to low, we need to implement solution abc at a cost of $100.
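To show how the asset valuation, the risk scoring and the business case above fit together, here is a small risk register in code. It is an added example, not the author’s own method or tool. The three-level scale, the way the worst criterion drives an asset’s impact, the likelihood-to-annual-probability mapping and the sample assets and threats are all assumptions made for the illustration; the $12,345 potential loss is the placeholder figure from the business case above, and the control cost used here is invented.

```python
"""Risk register and business case (added example, not from the article).

Assumptions (not from the article): the three-level scale, the mapping of
likelihood levels to an annual probability, and the sample assets/threats.
"""
from dataclasses import dataclass

LEVEL = {"low": 1, "medium": 2, "high": 3}

# Assumed annual probability for each likelihood level; tune to your own data.
ANNUAL_PROBABILITY = {"low": 0.1, "medium": 0.3, "high": 0.6}


@dataclass(frozen=True)
class Asset:
    name: str
    financial: str      # impact if lost or compromised: low / medium / high
    reputational: str
    operational: str

    def impact(self) -> int:
        # The worst criterion drives the impact: a low cost to fix does not
        # offset a high reputational hit.
        return max(LEVEL[self.financial], LEVEL[self.reputational],
                   LEVEL[self.operational])


@dataclass(frozen=True)
class Risk:
    threat: str
    asset: Asset
    likelihood: str     # low / medium / high

    def score(self) -> int:
        return LEVEL[self.likelihood] * self.asset.impact()   # 1..9

    def rating(self) -> str:
        s = self.score()
        return "high" if s >= 6 else "medium" if s >= 3 else "low"


def rank_risks(risks):
    """Highest score first, so the conversation starts with what matters most."""
    return sorted(risks, key=lambda r: r.score(), reverse=True)


def business_case(risk, potential_loss, control, control_cost, residual_likelihood):
    """Expected annual loss before and after a control, and the net benefit."""
    before = potential_loss * ANNUAL_PROBABILITY[risk.likelihood]
    after = potential_loss * ANNUAL_PROBABILITY[residual_likelihood]
    return {
        "expected_loss_before": round(before, 2),
        "expected_loss_after": round(after, 2),
        "reduction": round(before - after, 2),
        "control_cost": control_cost,
        "net_benefit": round(before - after - control_cost, 2),
        "summary": (f"To reduce '{risk.threat}' on the {risk.asset.name} (potential loss "
                    f"${potential_loss:,.0f}) from {risk.likelihood} to "
                    f"{residual_likelihood} likelihood, implement {control} "
                    f"for ${control_cost:,.0f}."),
    }


# Constructed sample register (illustrative, not real data).
LAPTOP = Asset("staff laptop", "low", "low", "low")
WEBSITE = Asset("e-commerce website", "low", "high", "high")
FILESERVER = Asset("file server", "high", "medium", "high")

REGISTER = [
    Risk("hardware failure", LAPTOP, "medium"),
    Risk("website defacement", WEBSITE, "medium"),
    Risk("ransomware", FILESERVER, "high"),
]

if __name__ == "__main__":
    for r in rank_risks(REGISTER):
        print(f"{r.rating():6} {r.score()}  {r.threat} -> {r.asset.name}")
    case = business_case(REGISTER[2], 12345, "offline, tested backups", 1500, "low")
    print(case["summary"])
    print(case)
```

The register puts ransomware on the file server at the top (likelihood high, impact high, score 9) and the laptop failure at the bottom (score 2), which is the ordering a leader should be using to decide where the next dollar goes. The business case then states the expected annual loss before and after the control so the cost of the control can be compared against it.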
Have the right conversations, reduce the risk
According to PwC’s Economic Crime Survey, 32 percent of companies reported being victims of cybercrime in 2014 and 2015, making cybercrime the second most reported economic crime.
Get informed, understand your risks, change the conversations, and reduce the chance that you’re a victim in 2016.
If you aren’t comfortable doing this yourself, find an adviser who is. Many boards now include cybersecurity expertise to ensure there are proper controls and oversight in place.
About the Author
Mike Knapp is a partner at Incrementa Consulting, a boutique consulting firm focused on helping businesses be more successful.