Why we need to treat business risk properly!

Risk Management – Today’s Balancing act is all about Business Risk

Why is it that until you are knee deep in a full blown cyber event, it is still just someone elses problem.


Until you have limited or no access to business resources, do we still think that it is someone elses problem.

When does it become a business problem?

When does it become something that YOU, as a manager, C level executive or board member, have to think about.

I have been asking that for years.

Risk management and reducing the impact of residual risk has been around for centuries.   We have always looked at natural disasters as a risk to the business.

When it comes to the digital components, the ones we use to do business, the ones that have a critical impact on every organisation, the ones we use to invoice, communicate and socialise with our clients and staff, why do we fail to see the impact.

We get blinders, a narrow viewpoint, we fail to see the risk that the digital world can deliver to the organisation.

We fail to see the significance of the risks that comes from our digital world.

If we do see it, it has to be an ICT problem.

We are talking about computers and data, therefore it has to be an ICT issue.

This is definitely one of the strangest attitudes in today’s world.

We can no longer treat business risk with the same attitude we have always done.

Today’s Business risk is a whole of business problem and needs a whole of business approach to manage it.

No matter the risk, all risk has an impact on your organisation.   All risk has to be treated.

No matter the system involved.

Business risk has to be treated by one of the following treatments.   Mitigate, accept, transfer or reduce,

Before you can apply a treatment to it you first need to acknowledge the risk itself.

To do that you have to think them through.

Every little thing that could and would impact the organisation and how the organisation will react needs to be processed.

This includes risks to reputation, data loss, finances as well as the impact of ransomware.

Have you taken all of your risks into account.

Doing X things to protect your organisation is not the best cybersecurity strategy.

It is no longer a case of do these ‘X’ number of things and your business, organisation or self will be secure from a cyber event.

We have all seen, read or been told that you need to do this or don’t do that (I even wrote an article recently on just that) to fix your cybersecurity.

This attitude is wrong.

All it does is focus you on the ‘X’ number of things that are considered important, it does not fix the overall problem of digital protection, cybersecurity and protecting the organisation’s data against a cyber event.

Today’s threat market is all about two things:

Risk management

Managing the risk to your organisation is totally dependent on the organisation.   Get it wrong though and the organisation is open to litigation, compliance and reputation challenges.

Defining the risk and then mitigating, reducing or ignoring the risk depending on your organisations risk posture.

That risk posture has to have a basis in fact.   Every organisation is different, therefore every organisations risk posture will be different.

“She’ll be right”, “it will never happen to us” and “we have nothing worth stealing” are stupid risk postures and should be avoided at all costs.

Lets take patching – you can not implement a patching process if you have not looked at the associated risk of applying, waiting or ignoring a patch to software or operating systems.

Some patches are critical and the risk to the organisation outweighs the impact of a cyber event.   These need to be applied immediately.

Other patches could mitigate some risks to a system and can be applied as part of the patch process.    We recommend within 15 days.

There are also patches out that would have minimal impact on a system.   If the system was not patched and it was compromised they would not get access to critical data.   These can be applied based on the organisations risk posture.

Looking at the overall risk to an organisation will drive the security around that organisation and the underlying risk associated with a breach can be discussed as part of the overall business risk assessment.

Using frameworks

When used correctly a framework increase the awareness and security around an organisation.

We use NIST, but any framework will do.

A framework allows an organisation to take the blinkers off and focus on the organisation as a whole.

It is a holistic approach to protecting the organisation from a cyber event because it looks at a number of related but often overlooked,  important features of digital and cyber protection.

Each of the components of the framework allows the organisation to implement change in a managed and focused way.

It allows an organisation to improve security, with each change benefiting the organisation.

It is a process, not a knee jerk reaction to the next threat.

Business security is not about implementing a decent firewall, installing end point protection and sitting back because you think you are safe.

Business security is about education, policies and procedures, business continuity, visibility and viability.

This solution cannot be achieved through reaction, it needs to be a proactive process embraces by all members of the organisation.

Why do i need a Managed Security provider?

Why are we the weakest link in cybersecurity – we just don’t care!

The threats are NOT imaginary.

The threats are real!

The visibility of the wannacry attack actually highlights how vulnerable the world is with its reliance on all things digital

Zero day exploits and known vulnerabilities are available for every operating system, including IOT devices.

 Anything with a digital signature can be hacked.

Where it all breaks down is that in most cases there is a human who is attached to the device.

A human who has the ability to veto all security measures in their hurry to do something, anything with the device.

How often have we seen the “updates available” on our server, laptop, smart device or application and have been in too much of a hurry to apply them.

In most cases it would take 10 minutes out of our busy daily schedule, 10 minutes where we have to find something else to do – not screen related.

cybersecurity We are so busy that we cannot find that 10 minutes?

Most systems are now being designed to make it obvious, and will persistently tell us that we need to update.

What do we do?

We complain that we do not have enough time.   We are too busy.   We cannot stop for that brief space of time to increase our security.

The SMB patch for wannacry has been available since march, that is almost 8 weeks before the cryptovirus attack, but the impact was significant because we were too busy.

I thought that we had learned from the “code red” attack in the early 2000’s, that patching is a very important part of digital security, obviously not!

“Code Red” crippled the internet because of un patched SQL servers, the patch had been available for 3 months prior to the release of the virus.

Most of the problems with security in the digital world is US.

We are too focused on our tools to see the underlying features that have actually been put in place to protect us.

There is a quote I often use in my training “THERE IS NO PATCH FOR HUMAN STUPIDITY”

 We are the weakest link in cybersecurity, in the digital chain where we should be the strongest.

In most cases we are very stupid!

Roger Smith is the CEO of R & I ICT Consulting Services, Lecturer at ADFA (UNSW – Australian Centre of Cybersecurity), Amazon #1 selling author on Cybercrime, Presenter for the Business Security Intensive, author of the Digital Security Toolbox and Digital Security Framework.   Rapid Restart Appliance Creator.   He is a Speaker, Author, Teacher and Educator on cybercrime and how to protect yourself from the digital world. 

Why do i need a Managed Security provider?

Compliance is only as good as the people doing the audit.

There are two real noticeable ways of doing compliance, when it comes to business security.
The first is looking at the audit requirements and only doing what is required to meet that audit.
If you change a part of the compliance requirements you then fail the audit.
The second is to actually do the process correctly.
Making the system as secure as possible within the constraints of finances, time and capability.
Using a decent business security framework (mine or someone else’s) is the first step in building a secure environment for your technology, money, intellectual property, staff and clients.
The impact of a failed compliance audit can cause a number of issues for any size business.   The biggest one is that your organisation is vulnerable to a cyber event.
The impact of a cyber event on the owners and managers of small business, on C level executives of larger organisations and on sitting board members can be be devistating in a number of ways.
Loss of revenue, falling stock prices, fines and legal suits to name a few.   They can have a significant impact on business capability as well as at an individual level.
The right compliance audit can show that you have done everything that is possible to protect the organisation from cyber crime and still be compromised.

That is the nature of the cyber beast.

We are all playing catch up.
We are at the beck and call of the cyber criminal.
So protecting the organisation at a strategic and tactical focus stops the knee jerk reactions of the events that we all hear about in the news and on the internet.
This is why a framework is so important.
For instance, the newest version of a ransomware variant is targeting a zero day exploit that was patched a couple of weeks ago.
This would not have any significant impact on an organisation who has a software patching policy in place and active.   The patch for that exploit would have been applied in the patching process.  Reducing the risk of that vulnerability being exploited.
Another example is 2 factor authentication for VPN log in.   Two factor authentication works on the principle of username and password and a third component.
The third component only comes into play if the first two are correct.  The third component can be an SMS to a phone or a 6 digit number on a fob.  Put in the information and you have access.
Increased security, auditable and easy to use.   It also increases the security of your business.
For more information on compliance sign up for our business security intensive using the NIST framework at a location near you.

A business security framework for the cyber insured

The introduction and subsequent uptake of insurance focusing on “cyber” have shown that the insurance industry is serious about protecting the assets of businesses all over the world.
The level of protection is dependent on the policy, your business requirements and also how much protection you need for your business.
Insurance without looking at increased protection however, will not work.  A breach would / could put you in the situation where you are not covered.
If you do not get your business security and protection correct then you will be in a situation where a cyber crime against your business will not be covered under your insurance policy
Here is a basic framework that aligns with most cyber insurance policies.
  1. Technology.  There are a number of areas where technology investment is paramount.   Here are a few
    • Router, modem, firewall – get the best you can afford.   Definitely get rid of the system supplied by the ISP or the shop bought one from a home retail shop.  As a level of protection they will not protect your organisation.   Minimal spend should be around $600 for a small business up to more than $20k for a large organisation
    • End point protection – 2 things about end point protection, they will catch malware and suspect applications because, like us the hackers are inherently lazy and use old known code.   The second is doing a regular scan, this will allow systems to catch up with malware that has been recently discovered.
    • Wifi – access to your wifi allows access to your systems, whether it is set up to have access or not.   Once again spend a little and invest in the best you can afford.
    • Encryption – if you are collecting staff, user, client and financial information then it need to be protected from ease dropping with encryption.   Encryption needs to focus on data at rest, where and when it is stored as well as in transit.
    • Patching and updates – operating systems – do it, applications – do it, websites – do it, tablets and phones – do it.   Absolutely critical to protecting anything digital in today’s world.
    • Up to date operating systems and applications – if you are using old versions of MAcOS, windows XP, android – replace them ASAP
  2. Management.

    • Policies procedures and processes – policies are very important as they tell your staff where you stand on passwords, internet usage, email usage, education and training.   Make sure everyone reads and understands them.   Procedures allow you to specify how things are done so that anyone can walk in and do a task without supervision.   Processes will also allow systems inside the organisation to be implemented as a standard
    • Audit and reporting – it is no use collecting information from the system if no one is going to look at it.   You need to implement a standard process that audits the information and reports it to management.
    • Logging and alerts – all systems have some level of logging.  In a small organisation daily checks of individual logs can be done, in larger organisations there is a need for a central location and a system that alerts staff to issues coming from firewalls, intrusion detection or AV.
    • Password management – in today’s world passwords are your passport to the digital world so they have to have 3 components – must be more than 10 characters, must be unique for each location and must be complex, having letters, numbers, capitals and symbols.
    • Education and training – there is a 300% ROI on education in an organisation.   Your staff are the first and last line of defence, when the technology fails an educated user will be the last line of defense
  3. Sustainability
    • Disaster recovery – when it alls goes to custard (and it will) you better have a way back.   This is what disaster recovery is all about.   It doesn’t matter if it is physical (flood, fire), digital (cyryptovirus, failed hard drive) everything that is stored digitally is vulnerable.
    • Risk management – you need to way up the risks of a issue impacting your organisation.   The higher the risk the more you need to mitigate it.   If you use the NIST framework to manage your risk and exposure it will benefit the process of risk management
    • Backups – everything that is important need to have a backup made of it.   If it is business critical then the risk of something happening needs to be weighed up against mitigation and cost.   Virtual imaging backup software is a huge solution to this priblem
    • Business continuity – what happens if the district where you office is locked down and noone can access the office.  What contigencies have yo got in place.
  4. Compliance – if you are collecting PII (personal identification information) then you will have a compliance requirement.   If you are collecting financial information then PCI DSS compliance requirements come into the situation as well
 So insurance is all very well but unless your organisation invests in the additional components of your cyber protection you may find that the cryptovirus that has encrypted all of your data is not covered.
If you want to know more get my book or ebook
Roger Smith is the CEO of R & I ICT Consulting Services,(http://rniconsulting.com.au), Lecturer at ADFA (UNSW – Australian Centre of Cybersecurity), Amazon #1 selling author on Cybercrime (http://www.amazon.com.au/CyberCrime-Clear-Present-Danger-Security-ebook/dp/B00LEJTN5Y), author of the Digital Security Toolbox (http://www.rogersmith.com.au/roger/toolbox/) and the SME digital security framework (http://smesecurityframework.com.au/csb/).   He is a Speaker (http://www.rogersmith.com.au/roger/roger-smith/), Author, Teacher and educator (http://securitypolicytraining.com.au/cybersecurity-awareness-introduction/) on cybercrime and how to protect yourself from the digital world.