You might think that you have adequate cybersecurity protocols in place and your practices are current to meet all potential threats, but this could be a false sense of security. In this article, we’ll recap our monthly webinar and explain why you need to perform a cyber risk assessment.
Introduction to the Webinar
During the hour-long webinar, speaker Mohan Shamachar, an expert in compliance frameworks for cybersecurity and data protection, explains why risk assessments are crucial.
If you are wondering why RSI Security is qualified to host this webinar, the answer is simple.
Headquartered in San Diego, CA, with offices in LA and Portland, RSI Security is the nation’s premier managed IT security and compliance advisory provider. The company employs 50 individuals and has over 400 qualified consultants. Founded in 2008, the RSI Security team are experts at guiding their clients through the steps it takes to meet compliance standards and keep their cybersecurity practices up to date.
Why You Need to Perform a Cyber Risk Assessment
Risk is the keyword throughout the webinar, together with all of the ways it impacts your company. One example concerns Microsoft, a company most consumers are familiar with; they use its products expecting that there aren’t any risks inherent in those products and services.
The NY Times financial section disclosed that the National Security Agency (NSA) had alerted Microsoft to a security vulnerability. Another example comes from Switzerland, where investors, consumers, and suppliers would be given more transparency into a parent company’s cybersecurity practices. This follows a report that companies weren’t disclosing their cyber-attack risks.
E-mobility is another risk that is covered, and the webinar discusses why it’s considered the ‘wild west’ of cybersecurity. One-time passwords and access codes aren’t always as secure as a provider might think. It also covers another interesting aspect: the potential hacking of electric vehicles.
It’s not as difficult as you might think to have your vehicle hijacked by an unseen driver. Imagine driving down the road and suddenly you’re not in control. It is a real threat that could put lives in danger unless the security around these systems is strengthened. The only way to pinpoint the weaknesses in the system is by performing a risk assessment.
Artificial Intelligence (AI) is improving healthcare, but it also comes with the risk of hackers accessing the system. Everything from patient information to their treatment is potentially compromised unless the risks are mitigated.
What Is a Risk?
How do businesses know what cyber risk is? The brief definition is exposure to:
- Potential data loss
- Injury to a person through lost or stolen data
along with other adverse effects. These effects vary with the severity of the risk, from financial loss to the stress of wondering what comes next.
Risks can be further divided into known and uncertain. If the risk is known, it is measurable and manageable; if it’s uncertain, it is beyond your control or unmanageable. One example used during the webinar was COVID-19. Is it a risk or an uncertainty?
The question about COVID-19 helps to illustrate why a risk assessment is necessary. It cannot be answered unless all variables are accounted for.
Types of Risk
There are different types of risks, and some or all of them can affect your company. You need to understand which risks apply to the organization before you can implement effective security controls.
The types of risks are as follows, and each one builds off the other.
- Breakdown of machinery
- Increase in product defects
- The plant is damaged/destroyed by weather
- Inventory becomes obsolete
Product Market Risks
- Loss of customers
- Loss of products to sell
- Increased competition
- A decrease in product demand
- Change in costs
- Change in exchange rates
- Compliance violation
- Default on loans/debt
- Product liability
- Trade charges are restrained
- Lawsuits from shareholders
- Discrimination lawsuits by employees
- Antitrust enforcement becomes stricter
- Environmental laws change
- Increase in income taxes
- Industrial revenue bonds end
- Increase in sales tax
- Labor strikes
- Increase in input prices
- Loss of essential employees
- Supplier fails to deliver
As Mohan makes clear, the risks of not performing a cybersecurity assessment are too high to ignore. You can also see the domino effect of how each risk affects another.
Does Your Company Perform Risk Assessments?
An informal poll was taken during the webinar asking whether your company conducts risk assessments. The answers may be surprising to some; others may be relying on a global threat chart that indicated global warming and climate change were higher risks than a potential data breach.
If your company is relying on this 2020 global threat chart, you aren’t alone. Some responded to the poll with uncertainty, while others were relying on their compliance with industry requirements to mitigate their risks. It is a false sense of security to believe that compliance is enough.
Several compliance laws and standards, including the GDPR, PCI DSS, HIPAA, and GLBA, require annual risk assessments. It is not enough to relax after compliance certification. Cyber threats are constantly evolving, and so must your security protocols.
The only way to identify a weakness in the system is to perform a cyber risk assessment.
Risk Assessment Model
The risk assessment model is a simple equation: the threat, multiplied by the vulnerability and the impact, equals the risk.
The risk is determined by the following:
- Internal and external threats
- The organization’s system vulnerabilities
- Current measures in place to prevent breaches
- Likelihood of realizing the threat
- Impact on the business
Since you already know that a cybersecurity risk can affect every aspect of the business, it only makes sense that you assess the vulnerabilities in your systems and networks at least once a year.
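The risk model described above, carried through on a constructed register, as an added example that is not part of the webinar or RSI Security's own material. It assumes ordinal 1-5 scores for threat, vulnerability and impact, folds the other two factors on the page in by letting likelihood scale the threat and existing controls reduce the vulnerability term, and the rating thresholds are an assumption of this example.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class RiskItem:
    name: str
    threat: int         # 1-5: severity of the internal or external threat
    vulnerability: int  # 1-5: how exposed the system is before controls
    control_eff: float  # 0.0-1.0: effectiveness of measures already in place
    likelihood: float   # 0.0-1.0: chance the threat is realized
    impact: int         # 1-5: impact on the business

def residual_vulnerability(item: RiskItem) -> float:
    """Vulnerability left after current controls; floored at 1 so a
    control can reduce a risk but never erase it from the register."""
    return max(1.0, item.vulnerability * (1.0 - item.control_eff))

def risk_score(item: RiskItem) -> float:
    """threat x vulnerability x impact, with likelihood scaling the threat
    and controls reducing the vulnerability term (range 0..125)."""
    return item.threat * item.likelihood * residual_vulnerability(item) * item.impact

def rating(score: float) -> str:
    # Thresholds are constructed for this example, not taken from the webinar.
    if score >= 50:
        return "critical"
    if score >= 20:
        return "high"
    if score >= 8:
        return "medium"
    return "low"

def prioritize(register):
    """Return (name, score, rating) tuples, highest residual risk first."""
    scored = [(i.name, risk_score(i), rating(risk_score(i))) for i in register]
    return sorted(scored, key=lambda t: t[1], reverse=True)

def assessment_overdue(last_iso: str, today_iso: str, max_days: int = 365) -> bool:
    """Flag a register whose last assessment is older than the annual cadence."""
    return (date.fromisoformat(today_iso) - date.fromisoformat(last_iso)).days > max_days

# Constructed sample register (illustrative values, not real findings).
SAMPLE_REGISTER = [
    RiskItem("Unpatched internet-facing web server", 5, 5, 0.2, 0.8, 5),
    RiskItem("Phishing against finance staff", 4, 3, 0.5, 0.7, 4),
    RiskItem("Key supplier fails to deliver", 2, 3, 0.0, 0.3, 4),
    RiskItem("Theft of a full-disk-encrypted laptop", 3, 4, 0.9, 0.5, 3),
]

if __name__ == "__main__":
    for name, s, r in prioritize(SAMPLE_REGISTER):
        print(f"{r:8} {s:6.1f}  {name}")
    print("assessment overdue:", assessment_overdue("2019-01-15", "2020-06-01"))
```

Note how the encrypted-laptop item scores low despite a high raw vulnerability: the controls already in place are what the model credits, which is why the current measures belong in the assessment.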
Key Notes From the Webinar
A brief summary of the webinar is as follows:
- All companies should have a risk management team that consists of IT personnel, senior management, HR, data owners, and business process owners.
- The scope of the system and networks needs to be defined.
- All locations where data enters and leaves should be identified. This includes processes, technologies, assets, and employees.
- A current profile of risks must be created.
- Perform a risk analysis that defines strategies to reduce threats.
- Monitor improvements and changes in controls and systems to meet the changing threat landscape.
The key point made throughout the webinar is that organizations, regardless of size, need to perform regular cyber risk assessments. Even if your company is currently in compliance with industry cybersecurity laws, that does not mean you’re automatically protected from cyber threats.
Risks are constant and continually evolving, which means your systems and networks can be vulnerable. If you do not have the staff or time to conduct a risk assessment yourself, the experts at RSI Security are here to help. Contact them today if you have questions or want to schedule a free consultation.