Starting a Cyber Risk Management Program: Mitigation & Risk Transfer (3 of 3)
Speaker 1: Okay. So this is the third and last video in this series, where we're going to talk a little bit about mitigation and transferring of risk. So now you've done your assessment. You've looked at the jewelry store, you looked at your small business, you looked at your marketing agency. Now the real work can begin to bring your risk down. But let's think back to that jewelry store analogy. Let's say you came up with the following risks. Some employees leave the back door open when they leave for the night. Your second safe has the same code as the first safe. The window in the bathroom doesn't close all the way, even though you think the lock does work. You have no documentation on who has the safe codes or any procedures in place to switch the codes should an employee leave. You haven't looked at the nightly closing procedures for years. No idea if they're designed as they should be for all the new inventory you have since you took that Rolex contract. But now let's think about your business, and let's think about these risks maybe from a cybersecurity area. Would your sales team click on every Starbucks gift card that comes their way? Does your finance team always open an invoice link, or do they check the email that it came from first? How many breached emails do you think your team has, and how many are using the same password for every account that they have? Are you running a WordPress site that has multiple vulnerabilities? Do you have an employee who hasn't updated the iOS on their phone in over a year? What are you seeing from your infrastructure, from your program and from your people? Now comes the time to formulate a plan of attack. This is when you'll quickly realize that a random collection of tools does not make a comprehensive cybersecurity plan. First, what you need to do is prioritize the threats you found and start formulating a plan. What threats are you going to tackle this month? What threats are you going to tackle next quarter?
You need to come up with a group of people who are responsible for ensuring that your risk is going down. Typically these are going to be your senior leaders in the organization; it could be a board member or somebody like that. You want to meet with them on a regular basis, say quarterly, and review the progress being made. The only way you'll know that something's going to be done is if you continually meet and measure that. Prior to those meetings, you're going to want to go through the assessment process again. It's a rinse and repeat, because new attack vectors, new holes in security, come out all the time. The systematic approach will make sure that the key team members know what's going on in terms of cyber risk in the organization and how to ensure that you're taking the right steps to make the business safer. Now it's time to talk through the last step of your cyber risk management plan. So once you've gone through all that, and you've mitigated the risk that you're willing to mitigate, you need to make sure that you have insurance in place with the right coverages to protect your business. Secure for the known, insure for the unknown. So you can be that jewelry store that will have an insurance policy protecting the full value of those jewels in case of theft. You need to have the same type of cyber liability policy that protects your business and any liability you may have with cyber attacks. Expect in today's world to fill out a fairly lengthy questionnaire and to have a volatile market when it comes to renewals and coverages. But you're going to want to find a knowledgeable agent who can help make sure that you're getting the coverages you need to protect your business. Cyber risk and cyber threats aren't going anywhere. No matter what market you serve or who your customers are, you need to have the right protections in place.
DESCRIPTION
How do you begin to bring your risk down? Here's how to put the proper processes and procedures in place to best protect your company's data.