Believe it or not, not all information security professionals communicate the following pieces of advice effectively.
As a result, business executives are sometimes surprised by the following:
1. Reporting a cyber incident to your insurance company doesn’t raise your rates: Rates only go up when you make a claim. The belief that merely reporting an incident raises premiums is widespread, and it makes organizations reluctant to report incidents, which in turn can cause difficulty with future claims. So remember – it’s important to report cyber incidents to your insurer, even if the incident is contained and you don’t actually need to make a claim. This protects you if a future claim traces back to a previous incident: if you didn’t report the original incident, the future claim might be denied. Also, ensure your business has enough coverage to get you through (we’ve got a free tool to help).
2. Some security risks don’t need to be fixed: After a risk assessment, we rank the identified risks and recommend a strategy for the organization to reach its risk profile goal. Risks that have a low likelihood of occurring and would have a low impact on the business if they did occur may get a recommendation of simply “accept”, rather than a management measure such as mitigate, transfer, or avoid. In other words, the risk may be so low that it isn’t worth investing resources to deal with it. Here’s an explanation of our risk calculations, as well as the other recommendations we include in assessments.
3. Software developers don’t always know how to properly secure their own software: Almost a third of software developers don’t know how to secure their own software, according to this article. That should be a big red flag to executives – is the software or cloud service your business depends on every day actually secure? Does it handle your confidential information properly? Vendor risk assessments help determine how much risk exists in your business-critical software applications and services.
4. It pays to stay informed about security news and current events: Business risk is often created indirectly by third-party security incidents. It’s important for executives to stay on top of what’s happening in the world of security so they can recognize when someone else’s problem has created a risk for them. A good example of this dependency was the MOVEit breach. Even if your organization didn’t use MOVEit, your vendors and suppliers might have, putting your information at risk indirectly. This scenario is known in the security industry as supply-chain risk. Reduce it by qualifying, selecting, and managing vendors and other third parties based on the risk they pose to your company.
Businesses can anticipate threats and adapt much more effectively when security is managed as a whole, not just through the “knobs and dials” of cyber security. This approach includes technical protection (commonly known as cyber security), administrative policies and procedures, and physical security. All three are key to managing risk, allowing organizations to stay ahead of criminals trying to convert someone else’s information into money in their own pockets.
–
Birmingham Consulting. For when the storm comes.