Risk Management: Cybersecurity
July 12, 2023
Cyberattacks are on the rise. Though today’s technology is better at securing sites and data, hackers have also gotten better at penetrating systems to steal that data. Such attacks can permanently damage an organization’s reputation, safety, security, employees, contractors and vendors. And the financial impacts can be disastrous.
But cybersecurity and data privacy risks don’t just come from hackers. They can also come from changes to regulatory requirements at the federal, provincial and local levels. Some of these requirements reach beyond the state or province in which you are based to cover every location in which you do business.
What is a cyberattack?
According to the cybersecurity company Imperva, a cyberattack is an attempt by a malicious actor to gain access to, steal data from, or damage computers, networks or other computing systems. A cyberattack can be launched from anywhere by one or more people using various tactics.
Why prepare for a cyberattack?
Failing to prepare for a cyberattack is expensive. Imperva estimates the average cost of a data breach in the U.S. to be $3.8 million and says public companies lose an average of 8% of their stock value after a successful breach. IBM reports that cost can be significantly higher for Canada. In 2021-2022, recovery costs averaged $7 million for 25 Canadian companies.
The global cost of cyberattacks is expected to grow by 15% every year and surpass $10 trillion. Imperva cites ransomware as a major driver of cybercrime.
If that isn’t enough reason to prepare your organization for a cyberattack, consider your compliance obligations. You must protect your data and people to comply with ever-changing laws and regulations.
Common cybersecurity threats
Common threats to organizations include:
- Unauthorized access — A malicious actor, malware or an employee error can result in unauthorized access to your data.
- Misuse of information by authorized users — An insider may misuse information by altering, deleting or using it without authorization.
- Data leaks — Threat actors or cloud misconfiguration may cause personally identifiable information or other sensitive data to be leaked.
- Loss of data — Poorly configured replication and backup processes may lead to data loss or accidental deletion.
- Service disruptions — Downtime may cause reputational and financial damage. One cause of downtime is a denial of service attack, which bombards a website with automated requests so legitimate users can’t get through.
How to prepare for a cyber threat
Cybersecurity risk management is about prioritizing threats and creating action plans to eliminate or minimize them. Done well, it ensures the most critical threats are handled in a timely manner.
Assess your risks
Start by identifying, analyzing and evaluating your potential cyber threats. This will require reviewing your entire IT infrastructure to identify possible threats from:
- Vulnerabilities within your systems
- People, processes and technologies
- Cyberattacks (internal and external)
Back up your data
One of the most basic measures you can take is to back up your data regularly. How often depends on your organization, the amount of critical data that you typically collect over the course of a business day or week, and what it would mean to you if that data were to be breached, lost or stolen.
Change passwords often
Another simple measure is to require employees to change passwords periodically. Again, you will need to determine how frequently based on your unique needs and resources. You should also have a written policy stating that employees cannot share passwords.
Train your employees
Lastly, train your employees on cybersecurity. Educate them on the types of cyber threats they may encounter and on the proper use of your password-protected systems. This training should be mandatory for all new hires, with annual refresher training thereafter. All employees should be required to sign a statement certifying that they received the cybersecurity training and understand the policy.
The risk management process
Every organization is unique, so its technology infrastructure will be as well. There is no cookie-cutter approach to managing cybersecurity risks.
The cybersecurity risk management process involves:
- Risk strategy — Determine the processes and controls your business needs.
- Risk analysis — Understand the specific threats your business faces.
- Implementation — Implement your security measures.
- Risk training — Train your staff on their role in cybersecurity.
- Monitoring — Test the effectiveness of your security measures and controls, and adjust them as needed.
- Risk transfer — Transfer your remaining risk to an insurance firm.
In the end, risk management is about weighing the benefits of risk reduction against the costs. Your cybersecurity risk management strategy should acknowledge that you cannot eliminate all system vulnerabilities or block all cyberattacks. But getting ahead of your cybersecurity risk will help you attend to the most critical flaws, threat trends and potential attacks.
For more information
For help with your cybersecurity risk management process, refer to International Organization for Standardization (ISO) standard 31000. ISO 31000 offers a general risk management framework that organizations can apply to their unique cybersecurity threats.