A Guide to Cybersecurity Risk Management for BusinessesRisk Management
Table of Contents
- Why Cybersecurity Risk Management is Important
- Building the Right Risk Management Culture
- Assessing Cybersecurity Risks
- What Are Cybersecurity Risk Management Frameworks?
- The Response Plan
- How Business Insurance Can Help
Unless you’re operating a hot dog stand that only takes cash, your business most likely faces a variety of cybersecurity risks.
Do you have a website? Do you sell things online? Do you store customer information online?
If you’ve answered “yes” to any of these questions, you should be taking the time to assess your business’s cybersecurity risks.
No matter what type of risks your business is dealing with, building awareness is always the first step you should take towards combating those risks. Thankfully, recent studies show that business owners are becoming more aware of the threat that cyberattacks pose to their organizations.
Recent research from Gartner shows that worldwide IT spending increased by 3.4% in 2019 to nearly $4 trillion. High profile cyberattacks continued to take place this year, further confirming the seriousness of this problem in today’s business environment.
According to a recent Global Application and Network Security Report, the average cost of recovery from a serious cyberattack now exceeds $1 million.
And when we talk about losses suffered from these types of attacks, we’re not just talking about money being stolen from business accounts. As the above-mentioned study states, the cost of a cyberattack relates to many issues, such as employee productivity loss, negative customer experiences, and reputational issues that can all follow a serious cyberattack.
Despite the increase in awareness, cybersecurity is a very specific risk because it’s one that evolves faster than any other type of threat your business faces. The forms in which the threats are presented and the methods of attack are constantly changing and evolving.
Big Risks for Small Businesses Report
Is the Current Approach to Business Insurance a Match for Today’s Modern Risks?
Spoiler: It’s not.
Cybercriminals are cutting-edge criminals who pride themselves on innovation, always striving to come up with new ways to attack businesses electronically and online. As the types and varieties of cybercrimes continue to grow and mutate, it’s important for businesses to be incredibly vigilant in their efforts to not only protect themselves from these threats but also quickly and properly react to these attacks and mitigate their effects when they do occur.
That’s why when we talk about corporate risk management plans, we almost always need to talk about cybersecurity as one of the most important phases of the plan that requires especially detailed consideration.
Why Cybersecurity Risk Management is Important
Every company needs to create a cybersecurity strategy to protect itself and this strategy needs to be built into the company’s more general risk management plan that takes into consideration all possible business risks.
When considering cybersecurity and the risks that are associated with it, your company should be developing a risk management plan that aims to improve your network security and protect your business data from falling into the hands of people who could use it in a way that would be detrimental for your business.
Cybercrime is also unique because of the fact that the motives behind cyberattacks aren’t always monetary. Usually, cybercriminals do want to damage you financially in some way and are interested in illegally acquiring money. However, there are some who just do it for the fun and challenge of it instead of seeking financial gain.
No matter what the cybercriminal’s objective is, your business will most likely face some type of financial burden as the result of any successful cyberattack. That’s why having a plan for how your company prevents and reacts to cybercrime is absolutely essential.
By putting together a solid cybersecurity risk management plan for your business, you are helping to put your company in a position to do the following:
- Properly identify cybersecurity risks
- Understand where your company is most vulnerable
- Understand the potential damage of these risks
- Define a strategy for protecting your company
- Understand how to minimize the impact of cyberattacks
- Mitigate some of the risks via risk transfer
Building the Right Risk Management Culture
Proper cybersecurity risk management starts at the top of your organization. Business leaders need to work towards establishing a culture of cybersecurity awareness in order for any risk management plan to have a chance of being successful.
Without employee participation in the process and without the entire organization buying into the goal of keeping your business safe from cybercrime, there is no way to establish a risk management strategy that is going to work in the long run.
That’s why businesses must start the process by building a culture in which employee accountability and involvement are encouraged and expected.
Investing in Awareness Training
Even if your business has an IT security team whose job it is to make sure that your company is safe from cyberattacks, it’s still unwise to rely solely on them to protect every facet of your organization.
Most hackers are well aware that businesses bring in security specialists, which is why many try to commit cybercrimes by tricking less-knowledgeable members of your organization into providing them access to your network and systems. This type of cyberattack is called a “phishing scheme” or “social engineering.”
A common social engineering trick that you’ve probably encountered is one in which the cybercriminal sends an email to employees that is made to appear as if the CEO or boss sent it, usually asking them to click on a link or install something on their computer.
The best way to avoid these types of attacks is by educating employees about cybersecurity and investing in their awareness so that when they do see these types of emails, they are able to recognize them as potential security threats.
No matter how strong your IT security team is and how vigilant they are in keeping your network safe, it takes just one mistake by anyone in your organization to compromise your company’s cybersecurity.
Putting together a solid cybersecurity awareness program and making sure that all of your employees are receiving training related to cyberthreats during the onboarding process should be the foundation of every company’s cybersecurity risk management plan.
Employees should not only be educated on what to look for and what types of cyberthreats to expect but also on what they should do and who they should contact if they see something suspicious.
Stressing the Importance of “Cyber Hygiene”
When someone says “cyber hygiene” they are basically talking about a concept that is very similar to the concept of personal hygiene and what that entails.
Having good cyber hygiene means having a set of daily routines and behaviors that work towards ensuring that your organization’s cyber health is as good as it can be.
This, naturally, calls for installing processes (routines and behaviors) that your team will follow, but in order to do that, it’s important to educate everyone in your organization about cybercrime first.
Remember, these routines and behaviors will be better adopted if the people who need to perform them know why they are doing what they are doing. That’s why the importance of investing time and money into educating your team about cybersecurity cannot be overstated.
Inviting Different Perspectives
Even if you have assembled a fantastic cybersecurity team in-house, it’s always a good idea to invite a third-party to review your protocols and efforts on a regular basis in order to gain a fresh perspective on how well you are protecting your data and what you can do to strengthen your efforts.
Companies should seriously consider outsourcing third-party experts who will look for gaps in their risk management plans and try to identify areas in which their plans could stand to improve.
Assessing Cybersecurity Risks
The process of assessing your company’s cybersecurity risks is similar to the process of assessing any other business risks that your organization may face. The two main factors when it comes to assessing risks are determining the probability of the risk and weighing the impact of the event if it does occur.
Once you have considered those two things, then you will be able to turn your attention towards what can be done to mitigate the probability or severity of each potential risk.
The risk assessment process should serve to provide a better understanding of your potential risks so that you can take the proper steps towards controlling, avoiding, reducing, and mitigating them.
A cybersecurity risk assessment is about understanding, managing, controlling, and mitigating cyber risk across your entire organization.
Performing a Data Audit
According to IBM’s Cost of a Data Breach 2020 Report, the global average cost of a data breach is $3.9 million.
Data breaches are easily the most costly types of cyberattacks because a business’s data is arguably one of its most valuable assets.
As an example, imagine that a law firm is exposed to a data breach. The firm’s computers and network contain an incredible amount of sensitive data that can be very valuable to criminals, such as court records, police records, and private client information. If this data is compromised, the law firm could stand to lose an incredible amount of money and potentially suffer irreversible damage to its reputation.
That’s why performing a data audit is the most important step in assessing your cybersecurity risks.
These are some of the main questions that need to be answered in the process of performing a data audit.
- What type of data do you collect?
- Where and how do you store it?
- How well is it protected?
- Who has access to this data?
- What are the potential consequences of this data being compromised?
Don’t forget about third-party vendors and other partners that also have access to your data. Make sure that you are aware of their risk management procedures and the precautions that they are taking to mitigate cyberattacks that could affect you.
What Are Cybersecurity Risk Management Frameworks?
Cybersecurity risk management frameworks are sets of standards and methodologies for managing risks in the digital world. They provide guidelines and best practices for companies to monitor, assess and mitigate cybersecurity risks. These well-documented frameworks often match companies’ cybersecurity goals, so you should choose those that fit your systems.
Cybersecurity frameworks allow organizations to perform cybersecurity risk assessments and analyses to identify potential weaknesses. Companies can then remedy those security gaps and make decisions about investments to mitigate future risks and minimize exposure to cybersecurity threats.
Let’s look at some of the common cybersecurity frameworks.
NIST Cybersecurity Framework
The NIST Cybersecurity Framework is a set of guidelines, recommendations, and standards to help organizations manage their cybersecurity risks. It represents a collaboration between the public and the private sector to better identify and mitigate cybersecurity risks companies face.
It is designed by the National Institute of Standards and Technology (NIST) and provides a standard for building your cybersecurity systems and detecting, responding to a cyberattack, and later recovering from one.
ISO 27001 sets the standard for certifying a cybersecurity risk management system. The name itself shows that the International Organization for Standardization (ISO) created it to provide certification proving that a company implements an information security risk management system that corresponds with ISO standards.
This framework requires a systematic approach to managing and mitigating identified cybersecurity risks. An organization must prove to an auditor that it performs comprehensive information security controls across all IT operations to get certified.
ISO 27002 framework is not a certification but a set of guidelines that instructs organizations on implementing security best practices that will allow them to get ISO 27001 certified. It provides guidelines and tips for adopting the best information security risk management measures and prepares you for obtaining ISO 21001 certification.
Developed by the American Institute of Certified Public Accountants (AICPA), the Service Organization Control (SOC) Type 2 cybersecurity framework ensures your vendors, service providers, and partners safely store and manage your clients’ (and your) information.
It defines criteria for managing customer data based on five trust service principles: security, availability, processing integrity, confidentiality, and data privacy. It is challenging to implement this framework as it requires an exhaustive auditing process to check if the company is compliant with its numerous (more than 60) requirements.
Another common cybersecurity risk management framework is NERC-CIP, which helps power and utility companies reduce their cybersecurity risks.
The Health Insurance Portability and Accountability Act (HIPAA) regulates national standards for protecting sensitive health information. Healthcare organizations are responsible for keeping this information secure from unauthorized access and disclosure.
It’s also important to mention the GDPR framework that protects the personal information of the European Union citizens. It applies to all organizations that collect, store and manage the personal data of EU citizens.
How to Use Cybersecurity Risk Management Frameworks
Cybersecurity risk is a significant risk for any organization that you shouldn’t take lightly. Instead, you should make it a part of your company-wide risk management strategy. Cybersecurity risk management frameworks should help you assess your specific risks and implement best practices to reinforce your security systems systematically.
When your company is certified for implementing one of these frameworks, it’s a clear sign for your clients and business partners that you invest in cybersecurity and take the safety of their data very seriously.
The Response Plan
No matter how good your cybersecurity risk management plan is, attacks are going to happen. That’s why having a response plan to recover from a cyber attack is just as important as having a security plan. A response plan is basically a set of instructions that your organization has put together outlining exactly what steps need to be taken if a cyberattack does occur.
A good response plan enables you to act quickly and minimize the duration and potential impact of any attack. Here’s an example of what a common response plan for a cyberattack would consist of:
Containment: Contain the systems and networks that were attacked in order to isolate the attack and keep the threat from spreading.
Data Audit: Perform an audit of sensitive data to see if any of the data has been corrupted or stolen in order to better understand your potential risks.
Eradication: Eradicate all files that have been infected and replace hardware or software if necessary.
Log Events in Detail: Be sure to keep a log of the incident and your response that’s as detailed as possible. Note the exact time and location of the attack, who discovered it, how it was reported, the specific data that was targeted or compromised, the extent of the damage, and what you are doing in response to the breach.
Public Acknowledgement: If a cyberattack has affected customer or partner data, make sure that you are ready to make a public statement as soon as possible. If you’re keeping a detailed log of the attack and your response, you will have an easier time putting together a public statement that will be able to fully explain the nature and extent of the attack and what you are doing to remedy the situation.
Consult Legal Team: Your legal team should be briefed in order to determine whether compliance risks exist and if the cyberattack has had an impact on any regulations. Your legal experts will also have to prepare for possible claims being filed by customers, partners, and other third parties whose data might have been compromised in the attack.
Contact Police: Report the attack to law enforcement in the possible event that your business was not the only business targeted in the attack.
Recovery: Restore your system and network to its state pre-incident, checking on your system’s integrity, security, and level of data loss. Confirm that your system is ready for your operations to return to normal.
Follow-up: Be sure to continue gathering logs, performing audits, and testing your system even after the cyberattack has been successfully handled. Continue to keep detailed records of all areas of the business that were affected by the attack and to what extent.
Lessons Learned: Discuss the attack with your team in order to understand what could have been done better, what errors were made, and what can be done to avoid similar attacks and improve your response plan if another attack occurs.
Monitoring: Continue to monitor the results of your response plan. Be sure to review and test your incident response plan and update it when necessary. Remember to keep all stakeholders informed regarding the state of your cybersecurity risk management plan and how it is evolving over time as new risks arise.
How Business Insurance Can Help
Obviously, establishing a proper cybersecurity risk management plan for your business is incredibly important in properly identifying risks and responding to them as quickly and efficiently as possible when they do occur. It also allows you to reduce the negative impact that a cyberattack can have on your customer retention and general public reputation.
But not all risks, especially in the world of cybersecurity, can be avoided or reduced. That’s why it’s a good idea to transfer as much of the risk as possible to a third party by purchasing business insurance.
When it comes to cybersecurity risks, there are two coverages that are most important: cyber insurance and tech errors & omissions insurance.
A cyber liability insurance policy enables businesses to transfer the many potential costs that are associated with the process of recovering from a cyberattack or any type of cybersecurity event that can negatively affect your company.
There are essentially two types of cyber insurance, first-party and third-party. First-party cyber liability insurance will help you in the process of getting your own network and systems in order after a cyberattack. Third-party cyber insurance provides financial help in the event that clients, customers, and partners were affected by the cyberattack on your network and want to sue for damages.
A comprehensive cyber liability policy will cover the following:
- The cost of notifying customers of a data breach
- Credit monitoring services
- Computer forensics services needed to investigate the attack
- Business interruption costs
- Ransom in situations of cyberextortion
- Defense costs in civil claims filed against you by affected parties
To get a better idea of how cyber liability insurance can protect businesses from the many cyber risks modern companies face, check out this quick video:
Software development companies, SaaS companies, and most tech startups will usually purchase tech errors & omissions insurance with a cyber liability policy since their work is very heavily connected to the Internet and what they do can affect clients and customers in a variety of ways that can easily lead to lawsuits being filed against them.
Tech E&O insurance will cover lawsuits related to professional mistakes, missed deadlines, but also data breaches resulting from human error that could affect your clients.
If you run a technology company of any kind or your company relies very heavily on technology to operate, these two business insurance policies are absolute must-have pieces that need to be a part of your cybersecurity risk management program and strategy.
Naturally, the cost of your cyber insurance policy will depend on a lot of different factors, including the size of your organization, your industry, your reliance on technology, your history of claims, and the steps you have taken to protect your business from cybercrimes, which is another reason why putting together a proper cybersecurity risk management policy is so important.
If you’d like to discuss your insurance options and determine what coverage your business needs to protect itself best from the potentially crippling financial effects that can result from a serious cyberattack, feel free to reach out to one of our expert brokers at any time.