Jeremy Tucci
Financial Services
April 2020

Cybersecurity 101: Identify the Risks – Part One

The first place to begin with understanding cybersecurity and how it affects your business does not involve any technological expertise.  Security vendors and products exist by the hundreds, lauding their protection and, to a certain degree, playing on fear-mongering.  That is not to say they are wrong about the risks, but those risks might not apply to your business.  There is no doubt that financial investments should be made to protect yourself, but the key is understanding where your focus should be aimed.

There is a simple exercise any business owner or management team can step through.  It involves looking inward and, in some cases, talking to several different key team members.  It is important to remain neutral and agnostic because, at the end of the day, this is simply fact-finding and information gathering.  There are no determinations or plans to be made yet.  Keep in mind that these are risks to your business and not threats to your business.  There is a distinct difference, which can be seen while reviewing three categories.

  1. Legal Risks: Begin by understanding whether your business falls under any laws or regulations, which includes compliance with regulatory bodies.  This might require outside counsel.  The most prevalent to look out for are the SEC or the Gramm-Leach-Bliley Act for financial institutions, HIPAA for healthcare, and the Sarbanes-Oxley Act for publicly traded companies.  If you are accessing or storing personally identifiable information (PII) of customers, then be on the lookout for states and countries of residence with stricter regulations, such as California (CCPA), Massachusetts, and Europe (GDPR).
  2. Financial Risks: Accounts payable departments are almost a blanket risk since they can be wiring money daily.  If someone you do business with is compromised, you could wind up wiring money against a fake invoice.  Something not often thought about is that if your business is compromised, there might be financial losses incurred through legal fees or reparations.
  3. Operational Risks: This is the broadest category, but it can quite simply be thought of as whatever maintains your customer base.  If you make products, then it would be the mechanisms that produce them.  If you provide a service, then it is likely your reputation that is on the line.  Also keep in mind proprietary knowledge or information that might create or tear down competitive advantages.

"Cybersecurity" is used loosely, and it can be difficult to grasp how it applies to your business.  There are countless solutions available, but they only serve a purpose if they address the relevant concerns of the business.  By building your list of risks, you will avoid low-value products and services along with their associated costs.  You will instead have a clear view of the highest-value targets.  In Part Two, you will then rank these risks to assess their level of importance and your starting point.