On a recent Saturday morning, my wife, Rachel, sent me to pick up a birthday cake (and cupcakes) for my soon-to-be-8-year-old daughter’s party.
Did she direct me to the local supermarket? Please, you must be joking.
No, for an occasion of this significance, she sent me to Donna’s Cakes in West Roxbury, a bakery known throughout the land for its beautiful and delicious treats.
But that’s not what I love most about this place. My favorite part is that walking into Donna’s is like being transported back to 1986.
There’s a big glass front counter. There are baked goods of all kinds lined up along the wall. There are apron-wearing employees answering actual, ringing telephones. The place is so retro that I would not have been surprised to see a parachute-pants-wearing MC Hammer sitting in the corner.
But above all else, what makes Donna’s totally 80s is all the paper; there’s not a computer to be seen. Yes, they have a web site. But you have to call to place an order, at which point an employee writes it on a slip.
Does all this paper make the bakery less efficient than it might otherwise be? Probably. But there is one big advantage: Donna’s computer-avoidance strategy has made it one hundred percent ransomware-proof.
Risk Management Comes in Four Flavors
For each instance of risk, you have four possible options: mitigate, transfer, accept, and avoid.
Consider the example of a Hollywood actress filming a scene in which she needs to ride a motorcycle…
She can mitigate the risk … by wearing a helmet.
She can transfer the risk … by using a stuntwoman.
She can accept the risk … by taking her chances.
She can avoid the risk … by not making action movies in the first place.
Your company’s cybersecurity works the same way: mitigate (e.g., implement controls), transfer (e.g., purchase insurance), accept (do nothing), or avoid entirely by closing certain business lines or stopping certain behaviors.
Each of these approaches has its pros and cons. But what’s maybe most interesting is that companies rarely think about avoidance as a viable cybersecurity option. And while I’m not suggesting you copy Donna’s approach, “managing risk” implies some level of acceptance. Avoidance means sidestepping risk entirely.
For example, we had a client that was holding on to several years’ worth of student applications of people that had previously applied to its programs. By following our simple suggestion to delete the associated social security numbers of old applicants, it took that particular organizational risk off the table.
Actions Worth Taking
There are all kinds of steps you could take to avoid risk. Among our clients, the greatest opportunity tends to lie in these three measures:
1. Inventory your assets.
The first step in removing risk is to identify where your vulnerabilities lie. Take time to catalog all the data that you collect and store, as well as the procedures used to capture them. From there, you can make explicit, informed decisions to determine if the risk is justified by an appropriate level of revenue or opportunity.
Do you really need social security numbers and birthdays of customers to deliver your services? Is there a business reason for retaining job applicant information indefinitely? What internal processes are in place to protect credit card data, email addresses, passwords, etc.?
The point is, data you don’t have is data that cannot be compromised. Delete what you don’t need.
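As an added example that is not part of the original post, here is how the applicant-SSN deletion described above could be enforced as a standing retention rule rather than a one-off cleanup. The two-year window, the record layout, the fake SSNs and the sample archive are all assumptions made for the illustration.

```python
from dataclasses import dataclass, replace
from datetime import date
from typing import List, Optional, Tuple

# Assumed retention rule (not from the post): keep an applicant's SSN only while
# the application is less than RETENTION_YEARS old.
RETENTION_YEARS = 2
AS_OF = date(2024, 1, 1)  # constructed "today" so the run is reproducible offline


@dataclass(frozen=True)
class Applicant:
    applicant_id: str
    applied_on: date
    ssn: Optional[str]  # None once the sensitive field has been scrubbed
    email: str


# Constructed sample archive with fake SSNs, standing in for years of old applications.
ARCHIVE: List[Applicant] = [
    Applicant("A-1001", date(2015, 3, 2), "000-00-1001", "one@example.org"),
    Applicant("A-1002", date(2019, 9, 14), "000-00-1002", "two@example.org"),
    Applicant("A-1003", date(2023, 1, 20), "000-00-1003", "three@example.org"),
    Applicant("A-1004", date(2021, 6, 30), None, "four@example.org"),  # already scrubbed
]


def retention_cutoff(today: date) -> date:
    """Applications dated before this day are outside the retention window."""
    try:
        return today.replace(year=today.year - RETENTION_YEARS)
    except ValueError:  # today is Feb 29 and the target year is not a leap year
        return today.replace(year=today.year - RETENTION_YEARS, day=28)


def scrub_stale_ssns(records: List[Applicant], today: date) -> Tuple[List[Applicant], int]:
    """Drop the SSN from every record older than the cutoff; keep the rest of the record.

    Returns the cleaned list and the number of SSNs removed. Records that were
    already scrubbed are left alone and not counted again.
    """
    cutoff = retention_cutoff(today)
    out, removed = [], 0
    for rec in records:
        if rec.ssn is not None and rec.applied_on < cutoff:
            out.append(replace(rec, ssn=None))
            removed += 1
        else:
            out.append(rec)
    return out, removed


def ssn_exposure(records: List[Applicant]) -> int:
    """Count records still holding an SSN: the data that could be compromised."""
    return sum(1 for r in records if r.ssn is not None)


def run_example() -> Tuple[int, int, int]:
    """Return (SSNs on file before, SSNs on file after, SSNs scrubbed) for the sample archive."""
    cleaned, removed = scrub_stale_ssns(ARCHIVE, AS_OF)
    return ssn_exposure(ARCHIVE), ssn_exposure(cleaned), removed


if __name__ == "__main__":
    before, after, removed = run_example()
    print(f"SSNs on file: {before} -> {after} ({removed} scrubbed)")
```

Run the job on a schedule so the archive never again accumulates sensitive fields past their business justification.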
2. Close marginal businesses or product lines.
Maybe your company made a small acquisition of a business that never took off. Maybe you have a legacy product into which you stopped investing and updating.
In these cases and others like them, the revenue generated may be flat (or even nonexistent), but these products are not harmless. Keeping nonperformers in your portfolio while no longer maintaining them or investing in upgrades and patches adds to your cybersecurity risk with each passing day.
Close them down.
3. Review your vendors.
Many companies have dozens if not hundreds of vendors. There is a good chance that some of these are adding more risk than they are worth.
For example, if you switched most of your IT work from one vendor to another but kept the old provider in the mix for a few odds and ends, does the old vendor still have access to everything?
At the start of a relationship, most companies are careful about the information and access they share with a given vendor. Unfortunately, when that same vendor is no longer useful or necessary, there is much less attention paid to deleting confidential information and removing access.
Review your vendors and get rid of those you no longer need.
Business has risk. The only way to remove it entirely is to shut everything down.
That said, risk avoidance is a viable option, and one that most companies use all too infrequently.
I’m off to the bakery. I’ll let MC Hammer know that you send your regards.