by Hank Berkley
Contributing editor

Every aspect of business has risks associated with it. Whether it is credit risk or a threat of fire, organizations generally understand those risks and have some idea of how to measure them. They take steps to reduce the identified risks by implementing safety processes and financial controls. Cyber risks need to be treated in the same way as “traditional” perils. That means you may not be able to eliminate risks, but you can take actions to mitigate them. To minimize risk, you first have to recognize risk.

Where do you start when building cyber controls? We see companies that believe they can outsource cyber risk by purchasing cyber insurance. If transferring risk was as simple as that, why would your buildings have sprinklers and fire extinguishers? Why would you not just buy fire insurance and business interruption coverage? The answer is that it is much better to prevent a problem than to clean up after it. Of course, for many there are also regulatory requirements. Those same agencies that require sprinklers are today imposing minimum cyber protections. (We will talk about insurance in more detail in the future.)

Cyber risks are like other risks in that you can predict some of them and take steps to protect yourself, but you can’t anticipate all possible exposures. Some cyber risks are common to all businesses. For example, we all need to worry if an employee makes a wire transfer to a Nigerian prince. Other risks are specific to your business and require knowledge of your operation to identify them. Knowing this leads to our first bit of advice: make cyber security a part of everyone’s job.

A generation ago organizations introduced the concept of safety awareness, giving everyone the responsibility to improve the physical environment. Companies found that a broader awareness of safety was rewarded with improved outcomes. The idea was that those who work in a business have a good perspective on the dangers they face. “If you see something, say something!” The intent was not to make everyone a safety inspector, but rather to educate people and make them more aware of dangers.

Cyber security awareness today is like safety awareness. When done right, cyber awareness is a significant first level of protection. More than 60% of computer security breaches originate with an employee’s mistaken action. 20% of breaches arise from stolen credentials such as passwords, and another 15% stem from employees responding to email phishing campaigns. Many issues arise from non-technical employees who are not as aware of cyber threats.

“Wiring” your business for cyber security takes some time and thought, but it is often the most cost-effective step you can take if it is done well. Employees are not going to protect you from sophisticated cyber criminals any more than a lock on your front door will stop professional thieves. But having them actively participate reduces (but doesn’t eliminate!) many simple but potentially costly threats.

The next step you should take is to establish a risk register. More about that next week.