When it comes to cybersecurity in business, you need to consider your employees, tech, and processes.
Cybersecurity experts say employees are the weakest link when it comes to company security. By itself, that statement is a bit misleading—it lays too much blame solely on employees. In fact, when it comes to a thorough cybersecurity risk assessment, there are three main factors that need to work effectively in conjunction to lower the risk of hacks and data breaches: people, processes, and technology.
Before we touch on each of these topics, let’s look at what’s at stake.
The shocking stats of cybersecurity incidents
- Business interruption, such as unavailability of critical systems or disruption of customer-facing services, accounts for 60% of financial losses from cyber incidents.
- The average financial cost to an organization’s department due to downtime is $590,000.
- 26% of businesses say that downtime due to a cyberattack has resulted in damage to the brand reputation.
- The most expensive malicious data breaches are those that are the result of compromised or stolen credentials, costing nearly $1 million more than the average data breach ($3.86 million).
- The average ransomware payout for a ransomware event was up drastically in Q4 of 2020—more than $233,000—compared to less than $10,000 in Q3 of 2018.
By taking into account the size of your company, the likelihood of cybersecurity incidents like ransomware attacks, and your company’s investment in security tech, you can identify which aspect of your business needs more attention. Below we provide a risk assessment checklist and the common snares companies encounter when it comes to people, processes, and technology.
Our cybersecurity risk assessment checklists
There are three main factors that allow you to foresee how a cyberattack may impact your business:
Calculate impact from employees losing access to IT resources during an incident, using data such as:
- Number of employees
- How many countries you’re doing business in
- Annual company turnover
- Number of high-impact employees and salary for each
- Number of medium-impact employees and salary for each
- Number of low-impact employees and salary for each
- Number of workdays lost per incident
Estimate impact from each threat (e.g., ransomware) based on:
- Probability of occurrence
- Turnover days lost
- Productivity days lost
- Chance of losing market positioning
- Workdays lost for each of the three categories of impacted users
- Impact on brand reputation
Calculate cost of each cybersecurity solution that can help prevent each of the threats, based on:
- Yearly cost of the security technology
- Cost of implementation (internal costs and costs of outside experts)
- Cost of maintenance and management
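As an added example (not code from the original article), the three checklists above carried through to numbers: a small Python model that turns headcount, salaries, turnover and a threat's probability into an expected annual loss, then weighs one control's total cost of ownership against the loss it avoids. Every company, threat and control figure is a constructed placeholder, and the 250 workdays per year, the 60% risk reduction and the 3-year horizon are this example's own assumptions; the country count from the first checklist is left out because the text gives it no formula.

```python
# Added example, not from the original article. All figures are constructed
# placeholders; the workday count, risk reduction and horizon are assumptions.
from dataclasses import dataclass

WORKDAYS_PER_YEAR = 250  # assumed working days in a year

@dataclass(frozen=True)
class UserTier:            # high-, medium- or low-impact employees
    name: str
    headcount: int
    annual_salary: float   # per employee

@dataclass(frozen=True)
class Threat:
    name: str
    probability: float             # chance of an occurrence per year
    workdays_lost: dict            # tier name -> workdays lost per affected user
    turnover_days_lost: int        # days of revenue lost
    market_position_loss: float    # one-off cost of lost market positioning

@dataclass(frozen=True)
class Control:
    name: str
    yearly_cost: float             # licence/subscription per year
    implementation_cost: float     # one-off, internal plus outside experts
    maintenance_cost: float        # management and upkeep per year
    risk_reduction: float          # fraction of expected loss removed (assumed)

def productivity_loss(tiers, workdays_lost):
    """Salary cost of the workdays each tier cannot work during an incident."""
    return sum(t.headcount * t.annual_salary / WORKDAYS_PER_YEAR
               * workdays_lost.get(t.name, 0) for t in tiers)

def incident_cost(threat, tiers, annual_turnover):
    """Cost of one occurrence: lost productivity, lost revenue, lost position."""
    daily_turnover = annual_turnover / WORKDAYS_PER_YEAR
    return (productivity_loss(tiers, threat.workdays_lost)
            + daily_turnover * threat.turnover_days_lost
            + threat.market_position_loss)

def annual_expected_loss(threat, tiers, annual_turnover):
    return threat.probability * incident_cost(threat, tiers, annual_turnover)

def control_net_benefit(control, threat, tiers, annual_turnover, years=3):
    """Loss avoided over `years` minus the control's total cost of ownership."""
    avoided = control.risk_reduction * annual_expected_loss(threat, tiers, annual_turnover) * years
    tco = control.implementation_cost + (control.yearly_cost + control.maintenance_cost) * years
    return avoided - tco

# Constructed sample company: 200 staff, $20M turnover, one threat, one control
TIERS = [UserTier("high", 10, 150_000), UserTier("medium", 40, 80_000), UserTier("low", 150, 40_000)]
ANNUAL_TURNOVER = 20_000_000
RANSOMWARE = Threat("ransomware", 0.2, {"high": 5, "medium": 5, "low": 3}, 5, 100_000)
BACKUPS = Control("offline backups with tested restores", 30_000, 20_000, 10_000, 0.6)

if __name__ == "__main__":
    print(f"expected annual loss: ${annual_expected_loss(RANSOMWARE, TIERS, ANNUAL_TURNOVER):,.0f}")
    print(f"3-year net benefit of {BACKUPS.name}: ${control_net_benefit(BACKUPS, RANSOMWARE, TIERS, ANNUAL_TURNOVER):,.0f}")
```

Re-run the model with each candidate control and each threat from the second checklist; a control whose net benefit stays negative across the horizon is a cost, not a risk reduction, and that is the comparison the third checklist is asking you to make.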
Understanding the cybersecurity risks
Now that you have a better idea of your business’s risk factors, let’s delve deeper into how people, processes, and tech contribute to the overall cybersecurity of your company.
Inattentive habits and behaviors, poor security culture, and human error are all factors that contribute to what security practitioners like to describe as the “weakest link” in any organization. Whether employees are careless or the target of phishing campaigns, they create weaknesses that cybercriminals are quick to exploit. For the most part, these are preventable risks that you can mitigate with a combination of security tools and practices.
A strong security culture is fundamental. Employees and leaders both play a big role in protecting your business. By creating and promoting a security-oriented culture, you’re empowering employees to actively participate in the security conversation, safeguard sensitive data, and adopt good habits.
As Naya Moss, infosec pro and founder of Frauvis puts it, “I always shock people when I tell them the best tool you can have is a human-first mindset: treating your employees with respect and providing them with the right knowledge and software. […] It is important to view employees as internal customers.” (You can read more from Naya here).
Threat actors take advantage of organizations’ poor password management, nonexistent or disparate security policies, and other lax processes. These processes might increase your company’s risk of a hack or data breach:
- Unsecure password management practices, such as sharing passwords via email or storing them in spreadsheets
- Irregular or inconsistent patching and updates for software and devices
- Weak data privacy and access policies, such as lack of two-factor authentication or least privilege controls
Similar to people-driven risk factors, you can help prevent risks stemming from weak processes by adopting the right tools and better practices. The right tools are especially essential because you want to ensure your processes don’t hinder your employees’ productivity. For example, encouraging employees to use a password manager might mitigate the risks of a hack or data breach, so long as you make it simple for them to adopt this new tool:
Employees are not fond of remembering passwords. Yet only 15% use a password manager. Instead:
Many organizations put a lot of stock in their security technologies, adding more solutions as new threats arise. Too often, that technology takes a piecemeal approach to the problem, is too complex for a small IT team to manage, or creates so many hurdles for employees that they find ways to circumvent the safeguards.
For security technology to be effective, it needs to align well with the other two components—people and processes. It should be simple enough for both employees and admins to fully embrace, yet efficiently support robust processes.