According to a recent report on CNBC, 66% of small businesses have experienced a data breach in the last 12 months. The average cost of a data breach for a small business is $149,000 (AppRiver), and a study by the National Institute of Standards and Technology found that 88% of small business owners believe their company is vulnerable to a cyberattack. To add insult to injury, according to an analysis by CYREBRO, 81% of phishing attacks last year targeted SMBs.
Having predictable cyber risk management strategies in place involving people, process, and technology can help mitigate cyber risk. Cyber risk covers a wide range of concerns, and much of it is unpredictable: unprecedented or constantly changing events, stock market volatility, and major technological, economic and social disruptions. All of this feeds cybersecurity risk, which is a growing concern for every business.
To address these concerns, an important distinction must be made between “compliance” and “cyber-safety”. What we do know is that many business leaders – especially in small and medium-sized businesses with limited resources – tend to mistakenly assume that being cybersecurity compliant equals being secure. Not so.
SOC 2 and/or ISO 27001 compliance depends on several factors and this process is difficult to navigate. Having cyber risk management measures in place can make all the difference. Yet, even if a company does not need or want SOC 2 or ISO certification, it absolutely must have a robust cyber risk management program in place starting with a comprehensive cyber risk assessment. Compliance is only one part of a comprehensive security plan.
Taking an integrated approach to cyber risk management looks like this: you must first understand your risk factors, work to mitigate them, and transfer residual risk. All these tasks are performed simultaneously and continuously.
Risk transfer, as mentioned earlier, is implemented by taking out an appropriate cyber insurance policy. Just because an organization has purchased a cyber insurance policy does not necessarily mean that the specific coverage is fully understood or that mitigation strategies are in place. Cyber insurance can be confusing, and it helps to have the policy cover “translated into English, please”. Many small businesses assume they are not at risk and will never suffer a cyberattack.
According to Cybercrime magazine (yes, that’s a big enough market to support its own media publication), 60% of small businesses shut down within six months of a cybercrime. This is a sobering statistic. And here’s another one: 80% of small businesses don’t have cyber insurance.
How do companies improve their chances of survival? The answer is to improve overall operational risk management across their organization and understand that cyber risk is a business risk.
With cyber risk management, we examine your organization’s assets, threats and vulnerabilities. What are you trying to protect against loss? Who would want to steal or destroy your property and why? Where are your attack vectors and “unlocked doors”?
The bottom line of an overall assessment equals your cumulative risk, which is the severity of the impact multiplied by the probability of an event. We then prioritize your risks and mitigate them, systematically. Every organization benefits from the transfer of residual risk to a cyber insurance policy.
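The assessment described above (assets, threats, vulnerabilities, cumulative risk as severity times probability, prioritization, mitigation, and transfer of what remains) can be kept as a small risk register. The following is an added example, not code from the article or from Trava Security; the 1-to-5 scales, the sample register entries and the transfer threshold are all constructed for illustration.

```python
from dataclasses import dataclass, field

# Assumed 1-5 scales for impact and likelihood (not prescribed by the article).
SCALE_MIN, SCALE_MAX = 1, 5


@dataclass
class Risk:
    asset: str          # what you are trying to protect against loss
    threat: str         # who or what would want to steal or destroy it
    vulnerability: str  # the "unlocked door" the threat would use
    severity: int       # impact if the event occurs, 1 (minor) .. 5 (business-ending)
    probability: int    # likelihood in the assessment period, 1 (rare) .. 5 (expected)
    # each mitigation: (name, probability reduction, severity reduction)
    mitigations: list = field(default_factory=list)


def clamp(value):
    """Keep a score on the 1-5 scale; no control drives likelihood or impact to zero."""
    return max(SCALE_MIN, min(SCALE_MAX, value))


def inherent_score(risk):
    """Cumulative risk before controls: severity multiplied by probability."""
    return risk.severity * risk.probability


def residual_score(risk):
    """Risk that remains after the planned mitigations are applied."""
    prob = risk.probability - sum(m[1] for m in risk.mitigations)
    sev = risk.severity - sum(m[2] for m in risk.mitigations)
    return clamp(sev) * clamp(prob)


def prioritize(register):
    """Order the register for mitigation work: highest inherent risk first."""
    return sorted(register, key=inherent_score, reverse=True)


def transfer_candidates(register, threshold):
    """Risks whose residual score still meets the threshold are the ones to
    check against the cyber insurance policy's actual coverage."""
    return [r for r in register if residual_score(r) >= threshold]


# Constructed sample register for illustration only.
REGISTER = [
    Risk("Customer database", "External attacker", "Unpatched public web app", 5, 4,
         mitigations=[("Patch management + WAF", 2, 0)]),
    Risk("Finance mailbox", "Phishing crew", "No MFA on email", 4, 5,
         mitigations=[("MFA + phishing training", 2, 1)]),
    Risk("File server", "Ransomware", "No tested offline backups", 5, 3,
         mitigations=[("Immutable backups + restore drills", 0, 3)]),
    Risk("Office laptops", "Theft", "Unencrypted disks", 2, 2,
         mitigations=[("Full-disk encryption", 0, 1)]),
]


def summary(register=REGISTER):
    """(asset, inherent, residual) tuples in mitigation priority order."""
    return [(r.asset, inherent_score(r), residual_score(r)) for r in prioritize(register)]


if __name__ == "__main__":
    for asset, inherent, residual in summary():
        print(f"{asset:18} inherent={inherent:2} residual={residual:2}")
    print("consider transferring:", [r.asset for r in transfer_candidates(REGISTER, 6)])
```

The register separates the inherent score, which drives the order of mitigation work, from the residual score, which is what a policy actually has to cover; reviewing the policy against the residual list is how the "translated into English" conversation with the insurer becomes concrete.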
Governance, risk management and compliance, or GRC, is a series of processes to support overall organizational goals. Adopting a more holistic approach to GRC in general, and to cyber risk management in particular, enables an organization to be more effective as a true business partner to small and medium enterprises and as a responsible contributor to business objectives and global trade.
Organizations benefit from an integrated approach to managing cyber risk, providing assurance to the board and senior management that a GRC system is effective and high performing. It is an evolution towards a proactive function oriented towards continuous improvement instead of a reactive function.
By proactively managing GRC, an organization can produce clear information about its vulnerabilities while knowing how to prioritize actions to mitigate cyber risk. This comprehensive approach to cyber risk management gains a competitive edge and ultimately generates more business by paving the way for more collaborative relationships among stakeholders.
Cyber risk is a business risk. Fortunately, the tools and processes exist to guide a sound and robust GRC strategy, enabling success, instead of failure, in managing cyber risk.
Jim Goldman is CEO and co-founder of Trava Security and is a former FBI Cybercrime Task Force officer.