There are a limitless number of cyber risks facing you:
- Technology failures due to ransomware
- Natural disasters
- Silent cyber attackers (think espionage)
- Disgruntled employees
- Careless contractors, and so on
Not to mention all the other risks your business faces on a daily basis:
- Brand reputation
- Lead generation
- Accounts receivable
- Fulfillment, etc.
In my experience, when faced with the enormity of these risks, most people settle into a nice game of “whack-a-mole,” which they play every day.
A Very Satisfying Way to Go
With this approach, you get to play hero a lot (Thanks for saving my butt, Kip!).
Yep, just focus on the next thing that will kill you and then grab a coffee whenever there’s a break in the complaining.
But that’s an expensive, reactive strategy, and it leaves you vulnerable to the larger, less frequent events.
For example, have you recently tested the ability of your data backup solution to restore data? No one will ask you to do that, but you might be surprised at how often backups fail when you really need them. Just ask Hollywood Presbyterian Medical Center or any other organization that paid ransom rather than restore from backup.
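The restore test described above can be made routine rather than a one-off scramble. The following is an added example, not code from the original post or from Cyber Risk Opportunities: it archives a source tree together with a SHA-256 manifest, restores the archive into a scratch directory (never over production), and compares every restored file against the manifest, so a silently broken backup shows up as a failed drill instead of a surprise on ransom day. The directory layout, file names and manifest name are constructed for the example.

```python
"""Added example: a self-verifying backup/restore drill.

Builds a gzip tarball of a source tree plus a SHA-256 manifest, restores it
into a scratch directory, and reports every file that is missing or whose
hash no longer matches. Sample data and paths below are constructed.
"""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path

MANIFEST_NAME = "MANIFEST.sha256.json"  # assumed name for this example, not a tool convention


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(src: Path) -> dict:
    """Map each regular file under src (relative path) to its SHA-256 digest."""
    return {str(p.relative_to(src)): sha256_of(p) for p in sorted(src.rglob("*")) if p.is_file()}


def create_backup(src: Path, archive: Path) -> dict:
    """Archive src as 'data/' inside a gzip tarball that also carries the manifest."""
    manifest = build_manifest(src)
    manifest_path = archive.with_suffix(".manifest.json")
    manifest_path.write_text(json.dumps(manifest, indent=2))
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname="data")
        tar.add(manifest_path, arcname=MANIFEST_NAME)
    return manifest


def restore(archive: Path, scratch: Path) -> Path:
    """Extract the archive into a scratch directory; returns the restored data root."""
    with tarfile.open(archive, "r:gz") as tar:
        # Use the hardened 'data' extraction filter where this Python provides it.
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(scratch, **kwargs)
    return scratch / "data"


def verify_restore(scratch: Path) -> dict:
    """Compare each restored file against the manifest shipped inside the archive."""
    manifest = json.loads((scratch / MANIFEST_NAME).read_text())
    restored_root = scratch / "data"
    missing, corrupt = [], []
    for rel, expected in manifest.items():
        p = restored_root / rel
        if not p.is_file():
            missing.append(rel)
        elif sha256_of(p) != expected:
            corrupt.append(rel)
    return {"ok": not missing and not corrupt, "missing": missing, "corrupt": corrupt, "checked": len(manifest)}


def run_drill(corrupt_one_file: bool = False) -> dict:
    """End-to-end drill on constructed sample data; optionally simulate a bad restore."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "src"
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "ledger.csv").write_text("id,amount\n1,100\n")  # constructed
        (src / "notes.txt").write_text("constructed sample data\n")        # constructed
        archive = tmp / "backup.tar.gz"
        create_backup(src, archive)
        scratch = tmp / "restore"
        restored_root = restore(archive, scratch)
        if corrupt_one_file:
            # Simulate silent corruption of one restored file so the drill must catch it.
            (restored_root / "finance" / "ledger.csv").write_text("id,amount\n1,999\n")
        return verify_restore(scratch)


if __name__ == "__main__":
    print("clean drill:", run_drill())
    print("corrupted drill:", run_drill(corrupt_one_file=True))
```

Run the drill on a schedule and alert on `ok == False`; the point is that a backup you have not restored and hashed is an assumption, not a control.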
Another Easy Path
Another common approach is to focus on being compliant with whatever regime is hovering over you:
- PCI-DSS
- HIPAA
- SOC2
- DFARS
- GDPR
- (Insert next one here…)
Compliance Does Not Equal Cybersecurity!
Here’s a great example: The massive retailer Target was PCI compliant, but still got hacked in 2013 and lost control of 70 million credit and debit cards.
Target said the total cost of the data breach was $202 million as of May 2017.
Even when compliance is effective, you still won’t have covered all your cyber risks. What about your intellectual property? Or your employees’ personally identifiable information? For every potential issue addressed by compliance, there are several others lurking just outside the regulation’s boundaries.
OK, What Should I Do?
You already know what I’m about to say next:
Neither “whack-a-mole” nor “compliance first” is the best way to put your limited budget against your unlimited cyber risks.
The question to ask yourself is “Where will I get the most cyber risk management benefit for the next dollar I spend?”
To answer that question, you must prioritize your spending. And that means doing the homework to know your top risks, in order.
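One concrete way to answer the “next dollar” question is to score each candidate control by the expected loss it avoids per dollar it costs and fund controls in that order until the budget runs out. The following is an added example, not code or a method from the original post or from Cyber Risk Opportunities: the risk register, probabilities, loss figures and control costs are constructed for illustration, and annualized expected loss with a greedy benefit-per-dollar allocation is one common approach among several.

```python
"""Added example: ranking cyber-risk controls by expected loss avoided per dollar.

All numbers in REGISTER are constructed for illustration. The method
(annualized expected loss x control effectiveness, divided by cost, then a
greedy fill of a fixed budget) is one illustrative approach, not the post's.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    name: str
    risk: str                  # the risk scenario this control addresses
    annual_probability: float  # chance the loss event occurs in a year (0..1)
    loss_if_occurs: float      # single-event loss in dollars
    reduction: float           # fraction of expected loss the control removes (0..1)
    cost: float                # annual cost of the control in dollars

    def expected_loss(self) -> float:
        """Annualized expected loss with no control in place."""
        return self.annual_probability * self.loss_if_occurs

    def benefit(self) -> float:
        """Expected loss avoided per year if this control is funded."""
        return self.expected_loss() * self.reduction

    def benefit_per_dollar(self) -> float:
        return self.benefit() / self.cost


def rank_controls(controls):
    """Order controls by benefit per dollar, highest first."""
    return sorted(controls, key=lambda c: c.benefit_per_dollar(), reverse=True)


def allocate_budget(controls, budget: float):
    """Greedy allocation: fund controls in rank order while each still fits.

    Returns (funded control names in order, total expected loss avoided, dollars left).
    """
    funded, avoided, remaining = [], 0.0, float(budget)
    for c in rank_controls(controls):
        if c.cost <= remaining:
            funded.append(c.name)
            avoided += c.benefit()
            remaining -= c.cost
    return funded, avoided, remaining


# Constructed register: illustrative figures only, not measurements of any real organization.
REGISTER = [
    Control("Tested offline backups", "ransomware", 0.20, 500_000, 0.80, 20_000),
    Control("Phishing-resistant MFA", "account takeover", 0.30, 200_000, 0.90, 15_000),
    Control("DLP for IP repositories", "IP theft", 0.05, 2_000_000, 0.50, 60_000),
    Control("Annual PCI assessment", "card data breach", 0.02, 1_000_000, 0.30, 40_000),
]


if __name__ == "__main__":
    for c in rank_controls(REGISTER):
        print(f"{c.name:28s} avoids ${c.benefit():>9,.0f}/yr  at ${c.benefit_per_dollar():.2f} per dollar")
    funded, avoided, left = allocate_budget(REGISTER, 100_000)
    print("fund in this order:", funded)
    print(f"expected loss avoided: ${avoided:,.0f}/yr, unspent: ${left:,.0f}")
```

The ranking is only as good as the probability and loss estimates behind it, which is exactly the homework the paragraph above calls for; the value of writing it down is that the assumptions become visible and can be revisited when a control is tested (or fails).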
The NIST Cybersecurity Framework
We suggest measuring yourself against the NIST Cybersecurity Framework. It’s a “consensus standard” that was created by actual cybersecurity practitioners from the private sector.
The framework is free for anyone to use and it’s focused on preventing data breaches and increasing cyber resilience across your entire organization. And, it can scale down or up depending on organizational size.
It’s expected to become the de facto standard for the entire U.S. Government. Private industry adoption is at 30 percent, and Gartner predicts that will rise to over 50 percent by 2020.
Cyber Risk Opportunities helps middle market companies avoid playing “whack-a-mole” by prioritizing and reducing your top cyber risks, including the specific requirements of PCI, HIPAA, SOC2, ISO 27001, DFARS, and more.
Get in touch today to learn more and take advantage of a free 30-minute Q&A session with one of our cyber risk experts. Call 253-332-7867, or email us at info@cyberriskopportunities.com.