According to a recent report from CNBC, 66% of small businesses have had a data breach in the last 12 months. The average cost of a data breach for a small business is $149,000 (App River), and a study by the National Institute of Standards and Technology found that 88% of small business owners believe their organization is vulnerable to a cyberattack. To make matters worse, 81% of phishing attacks last year were aimed at SMBs, according to a CYREBRO analysis.
Adopting predictable cyber risk management strategies that involve people, process and technology can help mitigate cyber risk. Cyber risks cover a wide range of concerns, and much of what drives them is unpredictable: unprecedented or ever-changing events, stock market volatility, and major technological, economic, and social disruptions. All of this feeds cybersecurity risk, which is a growing concern for every business.
To address these concerns, an important distinction should be made between “compliance” and “absence of cyber risk”. What we do know is that many executives – especially in small and medium-sized businesses with limited resources – mistakenly assume that cybersecurity compliance is the same as security. Not so.
Compliance with SOC 2 and/or ISO 27001 depends on several factors and this process is difficult to control. Cyber risk management measures can make all the difference. However, even if a company has no need or desire for SOC 2 or ISO certification, it is important that they implement a robust cyber risk management program, starting with a comprehensive cyber risk assessment. Compliance is only part of a comprehensive security plan.
An integrated approach to cyber risk management looks like this: you understand your risk factors, you work to mitigate them, and you transfer the residual risk. These are not one-off steps taken in sequence; all three are performed simultaneously and continuously.
As already mentioned, risk is transferred by taking out appropriate cyber insurance. Just because an organization has purchased cyber insurance does not necessarily mean that the specific coverage is fully understood or that mitigation strategies are in place. Cyber insurance policies can be confusing, and it helps to have the policy translated into plain English. Many small businesses don’t believe they are at risk or that they will ever experience a cyberattack.
According to Cybercrime magazine (yes, that’s a market big enough to support its own media exposure), 60% of small businesses close their doors within six months of being exposed to a cybercrime. That’s a sobering statistic. And here’s another thing: 80% of small businesses don’t have cyber insurance.
How do companies improve their chances of survival? The answer lies in improving the overall management of operational risk across the organization and recognizing that cyber risk is business risk.
In cyber risk management, we look at your organization’s assets, threats and vulnerabilities. What do you want to protect from loss? Who wants to steal or destroy it, and why? Where are your attack vectors and “unlocked doors”?
The end result of an overall assessment is your cumulative risk, which is the severity of the impact times the likelihood of an event. We then prioritize your risks and systematically reduce them. Every organization benefits from transferring the residual risk to cyber insurance.
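To make the assessment described above concrete, here is a small qualitative risk register written as an added example for this article; it is not code from the author or from Trava Security. It scores each asset/threat/vulnerability entry as impact times likelihood on 1-to-5 scales, orders the register so the highest risks are treated first, reduces each risk by the controls planned for it, and flags whatever residual risk still exceeds a stated appetite as a candidate for transfer to insurance. The scales, the sample entries and the per-control reductions are constructed for illustration, not measured values.

```python
"""Added example (not from the article): a qualitative cyber risk register.
Risk = impact x likelihood; prioritize, mitigate, then transfer the residual."""
from dataclasses import dataclass, field

# Both scales run 1 (low) to 5 (high), so a risk score runs 1..25. Constructed scales.
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}


@dataclass
class Risk:
    asset: str            # what you want to protect from loss
    threat: str           # who or what would steal, destroy or disrupt it
    vulnerability: str    # the "unlocked door" the threat would use
    impact: str
    likelihood: str
    # Planned controls as (name, impact points removed, likelihood points removed).
    # The reductions are assumed values for the example, not a published method.
    controls: list = field(default_factory=list)

    def inherent(self) -> int:
        """Cumulative risk before any control: severity of impact times likelihood."""
        return IMPACT[self.impact] * LIKELIHOOD[self.likelihood]

    def residual(self) -> int:
        """Risk left after planned controls. Each control knocks whole points off
        impact and/or likelihood, floored at 1: a risk is reduced, never zeroed."""
        imp, lik = IMPACT[self.impact], LIKELIHOOD[self.likelihood]
        for _name, imp_cut, lik_cut in self.controls:
            imp = max(1, imp - imp_cut)
            lik = max(1, lik - lik_cut)
        return imp * lik


def prioritize(register):
    """Highest inherent risk first; ties broken by impact so worst outcomes lead."""
    return sorted(register, key=lambda r: (r.inherent(), IMPACT[r.impact]), reverse=True)


def residual_to_transfer(register, appetite):
    """Entries whose residual still exceeds the risk appetite are candidates for
    transfer (cyber insurance); everything at or below appetite is accepted."""
    return [r for r in register if r.residual() > appetite]


# Constructed sample register for a small business (hypothetical entries).
REGISTER = [
    Risk("customer database", "financially motivated intruder",
         "unpatched web app, no MFA on admin", "severe", "likely",
         controls=[("patch cadence + MFA", 0, 2), ("encrypt at rest", 2, 0)]),
    Risk("finance mailbox", "phishing crew",
         "untrained staff, no email filtering", "major", "almost certain",
         controls=[("email filtering + training", 0, 2)]),
    Risk("office laptops", "opportunistic theft",
         "no full-disk encryption", "moderate", "possible",
         controls=[("full-disk encryption", 2, 0)]),
    Risk("marketing website", "defacement",
         "shared hosting, default credentials", "minor", "possible"),
]

if __name__ == "__main__":
    for r in prioritize(REGISTER):
        print(f"inherent {r.inherent():2d} -> residual {r.residual():2d}  {r.asset} / {r.threat}")
    print("transfer to insurance:",
          [r.asset for r in residual_to_transfer(REGISTER, appetite=6)])
```

With these constructed values the two 20-point risks are worked first, the customer database drops to a residual of 6 after two controls, and only the finance mailbox (residual 12) remains above a risk appetite of 6 and is handed to insurance. The point of the register is the discipline, not the arithmetic: every entry names the asset, the threat, the door, and the control that closes it.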
Governance, risk management and compliance, or GRC, is a set of processes that support the overall business objectives. A more holistic approach to GRC in general, and to cyber risk management in particular, lets an organization act as a true business partner to small and medium-sized businesses, contributing responsibly to their overall business goals.
Organizations benefit from an integrated cyber risk management approach that provides board and senior management with confidence that a GRC system is effective and performing. This is a shift towards a continuous improvement, proactive function rather than a reactive one.
By proactively managing GRC, an organization can gain clear insight into its vulnerabilities while knowing how to prioritize actions to mitigate cyber risk. This comprehensive approach to cyber risk management creates a competitive advantage and ultimately brings in more business by paving the way for more collaborative relationships between stakeholders.
Cyber risk is business risk. Fortunately, the tools and processes are in place to run a healthy and robust GRC strategy that enables success, not failure, in cyber risk management.
Jim Goldman is the CEO and co-founder of Trava Security and a former FBI cybercrime task force officer.