CYBER RISK MITIGATION
As businesses increase the amount of information that is stored digitally, the protection of that information is of critical concern.
Cyber risk mitigation is the component of a company’s overall risk management strategy that addresses the risk to its reputation, sales and finances associated with storing information electronically versus on paper.
Chief Risk Officers (CRO)
For all but the very smallest firms, one of the company’s executives should be fulfilling the role of Chief Risk Officer (CRO). In smaller companies this is a part-time job, and the person filling the role is usually not a trained risk management professional. To close this gap, consultants can play an effective role in assisting the executive who acts as CRO in creating and managing the company’s cyber risk mitigation strategy.
Creating an effective cyber risk management program for your company includes:
- Identifying the cyber crown jewels – the assets a thief is going to try to steal. Depending on the type of company, the cyber crown jewels could be financial records, trade secrets, credit card records, health care data or other sensitive information.
- Determining access requirements and controls by role of user. Groups to consider include employees, contractors, vendors, customers, regulators and the public.
- Creating and delivering user training regarding the protection of corporate information.
- Determining audit requirements and the review process, and assigning the individual responsible for reviews.
- Creating or reviewing information backup, disaster recovery and business continuity plans. In some cyber-attacks, the information is silently stolen. In others, the systems are compromised and must be shut down and rebuilt from known good backups.
- Creating or reviewing a cyber-breach public relations strategy. Some firms (see link to Jimmy Johns breach below) believe a good PR strategy is silence, then denial and, as a last resort, confirmation. Assume that your company will be attacked on social media and have a response plan ready.
The list above contains samples and is not complete. For example, do you need to deal with regulatory agencies? Businesses often find out about breaches only when the FBI comes to visit. Do you have a plan for what happens when the FBI knocks on your door and seizes all of your computers as evidence?
Even large, well-prepared companies have cyber risk events. Firms with an effective cyber-risk mitigation strategy and plan are much more likely to handle a cyber-incident with the least pain and damage.