Starting a Cyber Risk Management Program: The Basics (1 of 3)
Speaker 1: Hi. In this section of the course, what we're going to cover today is how you stand up a true cyber risk management process, no matter where you are in your cyber security practice today. Now, before we get to how to stand up a true cyber risk program, I want to think through a few stats here. Okay. Now some of these are a little scary; this is what's going on in the world. According to Security Magazine, since February of 2020 there's been a 600% increase in phishing attacks. 60% of businesses have experienced a cyber related security event. 45% of the attacks that we're seeing have been against small, medium size businesses. One report showed that over 80% of small, medium sized businesses did not carry cyber liability insurance. And this is the one that's a little bit of a whopper, and I've seen some other data out there, but this is kind of in the middle of what people think a cost of breach is, but IBM is saying the cost of a data breach right now, the average data breach for a small business, is almost $3 million. Which in other words is saying it puts small businesses out of business if they have a data breach. So what do these mean? So cyber risk is an issue for all businesses and it's a growing problem. But when we think about cyber risk management and how to stand up a program, you're taking a [inaudible] class here. So getting better understanding around your compliance, around your security, it's no different to think about cyber risk management than any other risk management framework, really. Which means that there are kind of three main components that you have to think through. You have to assess, you have to mitigate, and you have to transfer. From an assessment standpoint, you need to understand where you are today, what are the risks that you have, and how do you rate the different risks and severity? You have to come up with a plan for mitigating those risks. What comes first? Why? What comes second? Et cetera.
This process of going through assessing will then help you come through how you mitigate those risks. And then you'll be in a good place, once you've done that, to be secure for the known, right, to be secure for what we know about. But no matter what you do in step one and in step two, you are always going to have residual risk. For most organizations, there's a limit to the amount of time and money that they're willing to invest in their cybersecurity. But even if you had unlimited resources to invest, you'd never be able to cover all risks because it's an ever-changing landscape; new risks are always identified and you'd always be a little bit behind that eight ball. So, that's when you bring in cyber liability insurance to make sure that you're protecting against the unknown. So in this section of the course we're going to think through how to think about the assessment of your cyber risk, mitigation of that risk, and the transferring of that risk.
What is the current landscape and how do you stand up a cybersecurity program?