Master Risk Control: Pick a Cybersecurity Risk Management Strategy
Jason Ingalls Mar 6, 2019 9:16:00 AM
In our kick-off article for this 8-point guide, we'll begin by discussing the most important decision a business can make regarding cybersecurity risk management: determining its cybersecurity risk management strategy.
According to the National Cyber Security Alliance, 60% of small businesses that are hacked go out of business. This is a sobering number that demands a reconsidered approach to cybersecurity risk management by MSPs who perform IT services for the SMB market. The first step in deciding how to manage the risk of using technology is to get SMB owners and executives to think about how much impact a successful cyberattack would have on business operations. We recommend starting with two important questions:
- If business operations were idled for a one- to two-week period due to a cybersecurity incident, could the business survive?
- If the business had to explain to regulators, clients, or third-party vendors or partners how it got hacked, could it survive, or would it lead to business failure and shutdown?
If the answer to either of these two questions is NO, then the business cannot afford to get hacked and must develop a proactive strategy that minimizes both cybersecurity risk and the time needed to respond to and resolve successful attacks.
If the answer to both questions is YES, then the business should consider a less costly, responsive strategy that relies on an effective insurance policy and a qualified response firm to resolve any data breach that occurs.
In our considerable experience performing incident response for both large and small/midsize businesses, the average time to resolve a ransomware attack is 1-2 weeks, regardless of whether the organization pays the ransom or restores from backup. Additionally, organizations like professional services firms (e.g. CPA firms, law firms, doctors' offices and hospitals) have been shuttered after disclosing a breach, regardless of whether they had cybersecurity insurance or not. Ransomware is by no means the only kind of incident that organizations suffer during a breach; however, it's a good baseline example of the kind of disruption that breaches can cause.
We recommend that MSPs have a frank conversation with their SMB clients about cybersecurity and start with these two critical questions to develop a sound overall strategy. Let's explore the pros and cons of each option.
Responsive Strategy Pros and Cons
Buying a cybersecurity insurance policy and engaging an incident response retainer with a qualified vendor is a great way to ensure that the bases are covered in the event of a cyberattack. This means that the business can rely on insurance to cover the financial strain of being hacked, and when a breach is discovered, an incident response firm will be there to investigate and help resolve the issue.
The problems with a responsive approach are pretty simple: nothing is being done to minimize the likelihood that a breach will occur, and there is very little that a responsive strategy will do to minimize the impact of a breach. These two factors have a tremendous effect on the overall cost to the victim in terms of time to resolve, financial cost, brand impact, and regulatory and compliance exposure. Again, if these problems appear insurmountable when thinking about how the business will fare if the worst happens, then it may be that a proactive approach is something the business can't live without.
Proactive Strategy Pros and Cons
Proactively managing cybersecurity risk in today's threat landscape requires much more than firewalls, patch management, and endpoint protection for laptops, workstations, and servers. Social engineering awareness, vulnerability assessments, inventory and asset discovery, network and endpoint monitoring, a Security Operations Center staffed with experts, and a process that is audited to ensure it is followed are all part of an effective, proactive strategy. Proactive management extends beyond covering the bases that a responsive posture is intended to provide, although it should also include an effective cybersecurity insurance policy and a breach response retainer.
Managed Detection & Response (MDR) service providers offer a proactive solution that bundles technical risk management technology, a mature service delivery process, and the cybersecurity human talent necessary to effectively manage cybersecurity risk. Many MDR service providers include breach response retainers, and partner with cybersecurity insurance providers that use their incident response services for insurance claims.
The significant downside of a proactive strategy is cost. MDR services are designed to reduce what an organization would pay to build, operate and maintain all of the advanced cybersecurity risk management services; however, MDR is still more expensive than basic anti-virus, firewall, and patch management. Businesses can expect to pay up to three times as much for MDR services as they pay for basic security; however, MDR can provide those services at a fraction (less than half) of the cost of employee salaries, tools, and maintenance of data storage that a business would incur by building and maintaining this capability in-house.
The major upsides of MDR services in a proactive strategy are that the likelihood of a breach and the time to recovery if a breach does occur are both reduced dramatically. These two factors are critical to the amount of impact that an organization experiences when dealing with cybersecurity risk. Studies show that organizations that have a modern risk management capability have a much lower likelihood of suffering a data breach.
In summary, it's important to start with a frank strategy discussion that covers the serious questions of whether a business can survive the impact of a breach, and how to ensure it does by picking the right strategy to manage cybersecurity risk. Regardless of which strategy works best for each client, MSPs should partner with a specialized cybersecurity firm to deliver either an incident response retainer or a retainer included in a Managed Detection & Response service. If you represent an MSP looking to partner with a Managed Detection & Response provider, contact Ingalls today to begin your partnership discussion!
Join us next week when we discuss how to develop a plan for cyber emergencies and how to produce an Incident Response plan! Thanks for reading!
This article is part of our weekly series on how to manage cybersecurity risk for businesses. If you'd like to download the complete 8-point guide, click here to sign up and get the entire guide for free!