The theory of "risk management" would tell us that risk assessment is about recognizing risks before they turn into reality and that risk management is about preventing or mitigating risk-related losses. These concepts apply to cyber risks just as they do to any other form of risk.
IBM Security's "Cost of a Data Breach Report"1 indicated that the average cost of a data breach during 2020 increased to $4.72 million for midsize organizations. Malicious cyber-attacks were responsible for 52% of those data breaches.
But ransomware attacks—which frequently occur in conjunction with data breaches—have skyrocketed over the past several years and may represent the most significant threat today.
Cyber-criminals are not stopping there. One supply-chain attack impacting the IT company Kaseya2 made it clear that cyber-criminals intend to victimize businesses reliant upon third-party technology networks, no matter how many companies or individuals are affected. Additionally, it is becoming increasingly clear that all forms of cyber risk are vulnerabilities for small and midsize businesses, just as they are for larger and enterprise-sized companies.
This should not be new to you. I have been writing about cyber risks since 2017. In an article from June of 2018, I discussed my experience teaching a cyber-security class at "Scaling New Heights (SNH)" both that year and in 2017. As it was then, so it is now: you must combine cyber-security solutions with cyber-risk insurance.
Let me start by discussing cyber-risk insurance. No, I'm not going to sell you a specific policy or insurance company. It has been almost five years since I taught that first class at SNH, which caused people to rush out to one of the booths and seek cyber-risk insurance from the only company in the exhibit hall offering it.
At the time, cyber-risk insurance was a relatively new offering. Typically, it was an insurance rider that many insurance companies offered as an add-on to other coverages like General Liability.
Since then, cyber risk coverage has matured in terms of both product offering and availability. It is available within the insurance marketplace "on its own" from several companies, meaning you can purchase a cyber risk policy that stands apart from any other coverage. It does not need to be tied to another policy.
Today, cyber risk coverage has many options it initially did not offer. Originally, it pretty much covered only costs directly associated with data breaches. You now can add many response services like forensics, legal, breach response and incident-related expenses. In addition, many policies offer risk assessments to proactively identify potential weaknesses in your IT that might contribute to a data breach.
The mention of risk assessment as a possible service from the cyber-risk insurance provider brings me back to the topic of cyber-security solutions, because risk assessment is always the first step in prevention.
Risk assessment involves the recognition of risks before they turn into reality. The way to reduce risks is to mitigate potential liabilities to prevent losses. While you can perform internal assessments all day long, the best review is an external one performed by an independent professional trained in cyber risk assessment.
This is one reason why, if you have a cyber-risk insurance policy that offers risk assessment, you should take advantage of it, mainly because most of these services are provided at no additional cost as part of your policy.
The entire purpose of the risk assessment is to identify potential liabilities and areas in need of remediation. Although a proper risk assessment should provide a detailed list of areas needing attention, ranked by priority, it also should provide best practices that can either reinforce or supplement the training delivered to the personnel within the business.
Ongoing training, including risk simulation, is not only necessary; it's a mandatory part of today's cyber preparedness for every business. Every employee must be thoroughly familiar with the most common risks, able to identify them and able to deal with them if they are encountered.
But just as important, each employee must understand the importance of their role in preventing data breaches and how easily a minor slip in protocols can produce a significant data catastrophe.
Cyber defense must be a full-time commitment by every business, given the growing connectivity of organizations (especially in light of the number of workers outside the office) and the rapid evolution of cyber risks. Therefore, proper cyber-defense hardware, software and consulting services are essential to maintaining the security of every business's data.
Footnotes, Acknowledgments and Disclosures:
1 Cost of a Data Breach Report, a companion report and webinar by IBM Security; November 2021. "IBM" is a registered trademark of International Business Machines, an American multinational, publicly traded technology corporation (NYSE: IBM) headquartered in Armonk, New York.
2 Source content and reference: "Updated Kaseya ransomware attack FAQ: What we know now (Here is everything you need to know.)" by Charlie Osborne, Contributor; published by ZDNet on July 23, 2021.
"ZDNet" is a business technology news website owned and operated by Red Ventures, an American media company held by Red Ventures Holdco LP, headquartered in Indian Land, South Carolina.
Kaseya (or Kaseya.com, as may be referenced herein) is a registered trademark of Kaseya Limited, a privately held multinational information technology company with international headquarters in Dublin, Ireland.
Other trade names, if any, herein, refer to registered trademark products held by their respective owners. They are referenced for informational and educational purposes only.
This is an editorial feature, not sponsored content. The vendor has not paid Insightful Accountant or the author remuneration of any type to be included within this feature. The article is provided solely for informational and educational purposes.