One nagging idea that gets a lot of play in the minds of our new customers is that all their cyber risks have to be controlled. These folks feel the need to eliminate every cyber risk they can see: ransomware, malware-laced USB thumb drives on the ground in the parking lot, sensitive data being uploaded to employees’ personal cloud storage, and so forth.
Something else we commonly see is a weary acceptance of tough cyber risks. This happens after these customers feel overwhelmed by the frustration of coming up with just the right control for every cyber risk on their radar.
Just how does a mid-sized company control everything with a limited budget? They can’t, of course. The key is knowing you have options beyond control and acceptance.
What really good cyber risk executives know is that there are four distinct strategies available to deal with any cyber risk. You can use the acronym ACAT to remember them:
- A = Avoid doing the risky thing. Why collect social security numbers if you don’t really need them?
- C = Control the risk. Installing a reliable software package to neutralize malware on thumb drives is a classic example.
- A = Accept risks. You might do this when the cost of risk reduction exceeds the cost of the asset. Or, when you have no more budget.
- T = Transfer the risk to someone else. You might buy cyber insurance. Or find a specialist to perform a risky activity, such as contracting with an outside vendor to process credit card transactions.
What’s powerful is that you can combine any of these options. For example, you can control the risk of ransomware by investing in great data backup and restore capabilities, and at the same time buy cyber insurance to transfer the excessive costs of recovering from a successful ransomware attack.
If you want to dig in a little deeper on this topic, watch this 4-minute video from my LinkedIn Learning course Implementing an Information Security Program.
Cyber Risk Opportunities helps middle market companies avoid costly outages and data breaches by prioritizing and reducing their top cyber risks, including the specific requirements of PCI, HIPAA, SOC2, ISO 27001, DFARS, and more.
[The above article originally appeared on my LinkedIn page here.]