Cyber Risk Management

Cyber risks are everywhere. Mitigate risk to protect your company.

Information technology is a critical component of every modern business, and the technology behind it is constantly evolving. Unfortunately, that means the risks are constantly evolving as well. Christensen Group can help you prepare for and transfer these changing risks. Here are best practices.

CYBER RISK MANAGEMENT CONSIDERATIONS

01

Build a company culture

The first thing to consider when planning your organization's cybersecurity risk management program is your company's culture. A security-aware culture has to run through the entire organization, from part-time staff up to the executive suite.

Employee training is necessary to spread and reinforce that security awareness, and to ensure every employee knows how to use the cybersecurity systems and tools you plan to implement.

02

Distribute Responsibility

The burden of maintaining cybersecurity cannot rest exclusively on the IT or security departments. Every employee needs to be aware of the relevant risks and to take responsibility for preventing, recognizing and reporting security breaches.

Many intrusions begin with a person rather than a flaw in a machine: a malicious attachment opened, a password typed into a phishing page, a caller talked into granting access. To guard against these human-targeted attacks, employees need the right tools and training to recognize malware, phishing emails and other social engineering.

03

Train Employees

To implement your cybersecurity plan, you need to fully train staff at all levels on the identified risks and on the procedures and systems designed to mitigate those risks.

04

Share Information

Putting cybersecurity in a silo will result in failure. Information about cybersecurity risk must be shared across all departments and at all levels. You need to make it clear to all appropriate parties the potential business impact of relevant cyber risks—and then keep them aware and involved in ongoing activities.

05

Implement a Cybersecurity Framework

It is important to implement the appropriate cybersecurity framework for your company. Which one is typically dictated by the standards adopted by your industry (for example, any business that handles payment card data is subject to PCI DSS). The most frequently adopted cybersecurity frameworks are:

  • PCI DSS (Payment Card Industry Data Security Standard)
  • ISO 27001/27002
  • CIS Critical Security Controls
  • NIST Framework for Improving Critical Infrastructure Cybersecurity (the NIST Cybersecurity Framework)

06

Prioritize Cybersecurity Risks

Remember, you do not have an infinite number of staff or an unlimited budget. Put simply, you cannot protect against all possible cyber risks. Consequently, you need to prioritize risks in terms of both probability and the level of impact, and then prioritize your security preparations accordingly.

07

Encourage Diverse Views

Too often cybersecurity staff and management view risks from a single viewpoint, usually shaped by personal experience or company history. Cyber criminals seldom share that viewpoint; malicious actors are more likely to think "outside the box" and find weak points in your systems that you haven't seen or even considered. For this reason, it's useful to encourage team members to think through and argue different points of view. This diversity in thinking will help you identify more risks and more possible solutions.

08

Emphasize Speed

The damage an incident does grows with the time it goes undetected and unaddressed. Design your monitoring, escalation and response procedures so that a threat is noticed, reported and contained quickly; a slow reaction turns a contained event into a company-wide breach.

09

Conduct a Risk Assessment

Risk assessment is an important part of any cybersecurity risk management plan. You need to:

  • Identify all your company's digital assets, including all stored data and intellectual property
  • Identify all potential cyber threats, both external (hacking, attacks, ransomware, etc.) and internal (accidental file deletion, data theft, malicious current or former employees, etc.)
  • Identify the impact (financial and otherwise) if any of your assets were to be stolen or damaged
  • Rank the likelihood of each potential risk occurring

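
The four assessment steps above, together with the prioritization by probability and impact described under item 06, can be captured in a simple risk register. The following Python script is an added example, not part of the original page or of Christensen Group's material; the 5x5 likelihood and impact scales, the treatment-tier thresholds, and the asset/threat pairs are all assumed and constructed for illustration.

```python
"""Minimal cyber risk register: score each asset/threat pair by
likelihood x impact, then rank so limited budget goes to the top.
All scales, thresholds and sample data are assumed for illustration."""
from dataclasses import dataclass
from typing import List

# Qualitative scales mapped to 1..5, as in a common 5x5 risk matrix (assumed scale).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Treatment tiers (assumed thresholds; tune to your own risk appetite).
TREAT_NOW = 15
PLAN = 8


@dataclass(frozen=True)
class Risk:
    asset: str        # digital asset from the inventory step
    threat: str       # external or internal threat against it
    origin: str       # "external" or "internal"
    likelihood: str   # key of LIKELIHOOD
    impact: str       # key of IMPACT

    def __post_init__(self) -> None:
        # Reject labels outside the scale so a typo cannot silently become a low score.
        if self.likelihood not in LIKELIHOOD:
            raise ValueError(f"unknown likelihood {self.likelihood!r}")
        if self.impact not in IMPACT:
            raise ValueError(f"unknown impact {self.impact!r}")
        if self.origin not in ("external", "internal"):
            raise ValueError(f"origin must be external or internal, got {self.origin!r}")

    @property
    def score(self) -> int:
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]


def tier(score: int) -> str:
    """Map a score to a treatment decision."""
    if score >= TREAT_NOW:
        return "treat now"
    if score >= PLAN:
        return "plan mitigation"
    return "accept and monitor"


def rank_risks(risks: List[Risk]) -> List[Risk]:
    # Highest score first; ties broken toward higher impact, because a rare
    # but severe event is what an incident plan (and insurance) exists for.
    return sorted(risks, key=lambda r: (r.score, IMPACT[r.impact]), reverse=True)


def build_register(risks: List[Risk]) -> List[dict]:
    """Ranked register rows, ready to hand to management or an insurer."""
    return [
        {"asset": r.asset, "threat": r.threat, "origin": r.origin,
         "score": r.score, "tier": tier(r.score)}
        for r in rank_risks(risks)
    ]


# Constructed sample data, not a real assessment.
SAMPLE_RISKS = [
    Risk("customer database", "ransomware", "external", "likely", "severe"),
    Risk("file share", "accidental deletion", "internal", "almost certain", "minor"),
    Risk("source code repository", "theft by departing employee", "internal", "possible", "major"),
    Risk("marketing website", "defacement", "external", "possible", "minor"),
    Risk("laptop fleet", "phishing credential theft", "external", "likely", "moderate"),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE_RISKS):
        print(f"{row['score']:>2}  {row['tier']:<18} {row['asset']} / {row['threat']}")
```

Running the script lists the constructed risks from highest to lowest score with a treatment tier beside each. Two design points carry over to a real register: reject any likelihood or impact label that is not on the agreed scale, so a misspelling cannot quietly drop a risk down the list, and decide the tie-break rule in advance (here, higher impact wins) rather than leaving equal scores in arbitrary order.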
10

Develop a Cyber Incident Response Plan

Finally, you need to develop an incident response plan that follows the priority order of the risks you've identified. You need to know what to do when a threat is detected, and who is responsible for doing it. The plan should be written down and kept current, so that even if an incident occurs after you've personally left the company, the team in place will have a roadmap for how to respond.

Christensen Group is here to answer all of your insurance questions.