
We have company coming over Saturday night — friends I've known for more than a decade.
To me, that means it's not such a big deal; not a ton of planning or preparation required.
Maybe that seems about right to you. Of course, maybe that's also why you and I are not married to each other.
Because according to Rachel, there is plenty of work to be done. More specifically: "Rob, your office has gotten out of control. You need to clean it before they arrive."
That is ridiculous.
What's the harm in a few (dozen) magazines on the floor, a small (gigantic) pile of unopened junk mail on my desk, and a tidy (tangled mess) of computer wires and connectors sitting on the counter?
Okay, I guess when you put it that way, Rachel does have a point: I'm probably not the world's neatest person. And yes, an important document could get lost or, even worse, someone could trip over all this junk and get hurt.
Pay Me Now or Pay Me Later
In cybersecurity, we refer to this kind of thing as risk management: Identifying, assessing, and mitigating potential threats, thereby safeguarding assets, ensuring operational continuity, and supporting long-term profitability and growth.
In other words, taking steps now to avoid problems in the future.
Does it take some time and effort? Absolutely. But nowhere near as much time and effort — not to mention the damage — as you will spend by not doing it.
Risk Management Comes in Four Flavors
For each instance of risk, you have four possible options: mitigate, transfer, accept, and avoid.
Consider the example of a Hollywood actress filming a scene in which she needs to ride a motorcycle…
She can mitigate the risk … by wearing a helmet.
She can transfer the risk … by using a stuntwoman.
She can accept the risk … by taking her chances.
She can avoid the risk … by not making action movies in the first place.
Your company's cybersecurity works the same way: mitigate (e.g., implement controls), transfer (e.g., purchase insurance), accept (do nothing), or avoid entirely by closing certain business lines or stopping certain behaviors.
When it comes to finance, sales, HR, and many other business functions, most companies are fairly diligent about risk management.
Physical hazards in particular are well covered. Nobody says, "We haven't had a fire yet so we are probably fine." Rather, they invest in things like fire extinguishers, fire escapes, fire-safety training, and fire inspections.
But cybersecurity? Not so much. Instead, this is often left to wishful thinking and crossed fingers.
There's a much better way. More specifically, here are three clear-eyed, proactive steps you can take to figure out where you stand and improve your risk management…
#1. Inventory your assets.
To understand what you need to protect, you first need to know what you have!
Start with your data. What are you storing, and do you actually need all of it? Hanging on to decade-old customer records or background checks from long-gone employees adds unnecessary risk.
Next, look at your physical infrastructure. Do you have an accurate count of all company devices? Do you know where every laptop, phone, or tablet is right now?
Then, review your software. Do you have a complete and up-to-date list of every app, platform, or cloud service your team uses (including the ones individuals signed up for without telling IT)?
You can't secure what you are unaware of.
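The three inventory questions above (data you no longer need, devices you cannot account for, software nobody approved) can be turned into a repeatable check. The script below is an added example, not code from the original post or from the author's company; every device tag, app name, and data set in it is constructed sample data, and the retention periods are hypothetical. It compares what IT has registered against what was actually observed (for instance, an MDM or DHCP export and SSO or expense records) and reports the gaps in each category.

```python
"""Asset-inventory reconciliation (added example with constructed sample data)."""
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample data: what IT thinks it has ...
REGISTERED_DEVICES = {"LT-0001": "alice", "LT-0002": "bob", "TB-0007": "carol"}
# ... versus what was actually seen on the network this week (hypothetical export).
OBSERVED_DEVICES = ["LT-0001", "LT-0002", "LT-0009", "PH-0042"]

# Constructed sample data: approved cloud services versus services that show up
# in SSO or expense records (the ones people signed up for without telling IT).
APPROVED_SAAS = {"crm.example", "mail.example", "storage.example"}
OBSERVED_SAAS = ["crm.example", "mail.example", "notes-app.example", "ai-tool.example"]


@dataclass(frozen=True)
class DataSet:
    name: str
    last_used: date       # last time the business actually needed this data
    retention_days: int   # hypothetical retention period for this category


# Constructed sample data sets with hypothetical retention periods.
DATA_SETS = [
    DataSet("customer_records_2012", date(2013, 6, 1), 7 * 365),
    DataSet("background_checks_former_staff", date(2019, 3, 15), 365),
    DataSet("active_orders", date(2023, 12, 20), 30),
]

# Fixed "today" so the example is reproducible; a real run would use date.today().
AS_OF = date(2024, 1, 1)


def unregistered_devices(observed, registered):
    """Devices seen on the network that IT has no record of."""
    return sorted(set(observed) - set(registered))


def unaccounted_devices(observed, registered):
    """Registered devices that were not seen: possibly lost, stolen, or just offline."""
    return sorted(set(registered) - set(observed))


def unapproved_saas(observed, approved):
    """Services in use that never went through an approval step (shadow IT)."""
    return sorted(set(observed) - set(approved))


def overdue_data(data_sets, today):
    """Data held longer than its retention period: risk with no business value."""
    return sorted(
        d.name for d in data_sets
        if today - d.last_used > timedelta(days=d.retention_days)
    )


def inventory_gaps(today=AS_OF):
    """Run all four checks and return the gaps by category."""
    return {
        "unregistered_devices": unregistered_devices(OBSERVED_DEVICES, REGISTERED_DEVICES),
        "unaccounted_devices": unaccounted_devices(OBSERVED_DEVICES, REGISTERED_DEVICES),
        "unapproved_saas": unapproved_saas(OBSERVED_SAAS, APPROVED_SAAS),
        "overdue_data": overdue_data(DATA_SETS, today),
    }


if __name__ == "__main__":
    for kind, items in inventory_gaps().items():
        print(f"{kind}: {', '.join(items) if items else 'none'}")
```

Each list the script returns is a follow-up item rather than a verdict: an unaccounted device may simply be powered off, and an unapproved service may be harmless, but until someone has checked, it is an asset you are not actually protecting.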
#2. Think through your controls.
I bet you thought I was going to mention Multi-Factor Authentication for the thousandth time.
Well, I wasn't. But now that you've brought it up, it is pretty important.
Beyond that, think through your controls on your devices, controls in the cloud, controls on your email, controls for your physical infrastructure, etc.
I'm sure you've got some things in place. But I'm also willing to bet there are gaps (some significant) within your business (shared passwords, admin-level control for too many people, former employees who still have network access, etc.).
Okay, now…
#3. Figure out your risk tolerance.
You want to draw a line where acceptable risk ends and unacceptable exposure begins. There are few universal truths; every business is different.
How much disruption or downtime could you tolerate?
What level of loss would materially harm your business?
How big a financial hit would destroy your company?
These are not easy questions to answer.
But considering them — as possible future events, not just vague fears — points you towards determining the steps you should take now to manage risk intelligently.
Speaking of which…
We have a new product — a product that provides risk assessments quickly and at an affordable price. (Blane, our Marketing Manager, told me to say it that way.)
It's called QuantiShield — The Rapid Risk Assessment Program. It delivers both a customized risk assessment and a prioritized list of recommendations.
Is it an app? Kind of. You log in and answer questions.
Is it consulting? Kind of. A human cybersecurity expert talks to you and delivers the results.
And, because we have automated a significant portion of the time-consuming, information-gathering steps, we can deliver it to you in just a few weeks.
You'll end up with a clear and specific understanding of your cybersecurity risk and a plan to fix your biggest weaknesses — all with minimal investment. (Blane told me to say that, too.)
Clean It Up … Before It Bites You
Messy offices and messy cybersecurity have a lot in common.
And while only one will get you in trouble at home, both have the potential for causing serious damage if ignored.
Clean them up now, or be prepared to deal with the consequences later.
Gotta run. I just saw something move under the pile of papers in the corner and I think one of my kids may be under there.
Want to get great cybersecurity content delivered to your inbox? Click here to sign up for our monthly newsletter, Tales from the Click.