How well do you know your company’s security risks?
Running a business involves management of various risks the company may face. Beyond their day-to-day operations, all companies are exposed to potentially damaging events which can disrupt their business activities. These might include accidents, disasters, or major technology problems such as outages, cyberattacks, or data breaches.
“To effectively protect yourself from threats specific to your business, you must first understand what they are,” noted Alain Cormier, Executive Director for business development at NOVIPRO. “Therefore, the first step in any security enhancement process is assessing the potential risks.”
Identifying risks and their effects
What tangible impacts might a company face if it is attacked or if its data is stolen or lost? These impacts can be grouped into four broad categories:
- Compliance — Numerous industries are subject to strict standards imposed by law, regulatory policies, or a supervisory body. Indeed, the concern for compliance is often the key motivator for companies wishing to secure their data. “With the rapid evolution and sophistication of cyberthreats, compliance standards represent a very low bar,” noted Alain Cormier. “No company should consider itself secure simply because it has checked all the boxes on a compliance form.”
- Intellectual property — Know-how, manufacturing recipes, details of various projects in the design phase: today, all of these elements are saved as digital data. These are exclusive assets, and without them, a company stands to lose tremendous value.
- Reputation — On social media, clients’ concerns and disappointment can spread like wildfire, and a damaged reputation can rapidly escalate into a business issue. According to an IBM study of 27 Canadian corporations, organizations lost customers at a rate 2.4% higher than usual following a data breach.
- Revenue — Ultimately, what’s at stake is your business’ ability to generate revenue. Although the loss of intellectual property or reputation can cloud a company’s future, the damage caused by a data breach is often immediate. If their databases, application servers, networks or websites are inaccessible, many businesses will be instantly paralyzed and unable to respond to client requests.
Vulnerability due to partnerships
A company’s dependency is not limited to its internal resources. Today, most organizations use digital resources from remote or cloud providers. This external dependency also has a physical component: some companies must halt operations if they do not receive the goods or services they require.
Moreover, supply chains are becoming increasingly complex. Vendors use suppliers themselves, who are potentially vulnerable to their own risks. “To properly identify all of the company’s points of vulnerability, you must itemize all physical and digital services that support your activities, and then map the dependencies between these services,” Alain Cormier advised.
Is your business already protected?
It can be difficult to assess whether the systems the company has already deployed to protect itself against an adverse event are effective. To help Canadian corporate leaders gain a better understanding, Maxime Desbiens, BUE and Market Leader, Security for IBM Canada, brought them to the X-Force Command Center’s Cyber Range in Boston, an immersive simulation lab where visitors are thrown into a crisis situation.
“It’s an intense experience,” Maxime Desbiens noted. “When they go through it, many managers realize they’re not as prepared to deal with a cyberattack as they thought. They also understand that an effective response has to involve all of the company’s services and not just IT. In particular, the need for good communication – with employees, clients, vendors as well as authorities – becomes very clear.”
What level of protection do I need?
There are numerous threats and points of vulnerability within an organization. Absolute security does not exist, and setting up your defences comes at a cost. So how do you optimize the company’s security levels in light of the risks it considers significant? “Thanks to the statistics we have gathered through our global experiences, we can help a company benchmark itself against the average security level in its industry,” Maxime Desbiens explained. “Next, some strategic thinking is required - given the company’s specific situation and resources - to estimate its tolerance to various risks.”
This in-depth analysis of potential threats, assisted by security experts, will equip the company to identify ways to maintain its business activities, regardless of any potential trials and tribulations it may face.
Read the next article in our "Security, a corporate challenge" series: Security governance: an asset in countering cyberthreats