In this article, we will focus on five risk factors related to cybersecurity and five corresponding ways to minimize the risk of a cyber-attack.

Part I – Five Risk Factors
Blindly believing that cybersecurity is not a concern can be problematic as it may condition management into not investigating whether there are any real concerns. According to the 2015 ISACA survey, only 46% of professionals expect a cyber-attack to strike their organization in the coming year, although a staggering 86% of professionals believe that it is one of the biggest threats that their organization is facing. Hence, there is a great discrepancy between how many professionals see cyber-attacks as a threat and how many actually think it will happen to their organization.
In order to determine if cybersecurity risks should be a concern, the management of a business should consider the three fundamental functions of cybersecurity, namely: confidentiality, integrity and availability.
- Confidentiality: This refers to important or sensitive information that a business wants to keep confidential and private, and to which only certain people or systems should be given access. Does the business keep electronic copies of contracts, calls for tenders, bids, lists of employees, credit card numbers, personally identifiable information and so forth? Or, more generally, does the business have any electronic information that stakeholders would not want to be disclosed to the public?
- Integrity: This refers to the integrity of the business’ systems and their consistency and trustworthiness over time in keeping information assets complete, intact and uncorrupted. Are the IT systems secure? Does the business use different types of identification methods (biometrics or security tokens, for example)? Do its employees have access to their e-mails on their phones or remote access to their computers? Does management have absolute confidence in the integrity of its systems at all times?
- Availability: This relates to the importance of having all IT systems available for the continued operation of the business. Can the business operate without access to the Internet or e-mail for a few hours, a day, two days or a week? Can the business operate without access to the information stored on its hardware? How long can the business continue to operate if it loses control of its cyber infrastructure?
If there are any concerns regarding any of the above functions, the management of a business should consider cybersecurity as a risk to be discussed with its legal and cybersecurity professionals.