Enterprise Risk Management

ERM – Not Just for the Big Boys Series: Cybersecurity Considerations – Succeeding Inside the Box

Hot Take

We continue with our ERM series of articles entitled Not Just for the Big Boys. In this series, we explore the shift in risk management concepts that were once consigned primarily to larger organizations. We see the current business culture shifting so that these concepts now encompass the mainstream community of small to medium-sized enterprises. Regulators and rating agencies are adjusting their risk analysis focus toward all entities, not just the large groups. In making these observations, our goal is to bring logical and cost-effective ERM planning considerations to the small and medium-sized business community.

Full Article

I once had a gifted mentor who was prolific in his sage advice. He provided insight on efficiency and planning. He told me he had heard, and was not taken by, the over-used cliché “you have to think outside the box.” He further guided me not to reason with the herd. He then confidently added that “true creativity is succeeding within the box.” Hence the title of this article, and its application to the small-to-medium company: using the resources you have at hand, for the most part, without having to spend or incur substantial external implementation costs.

Ironically, many companies concentrate on vulnerabilities in their technology platform by investing heavily in technology to stave off outside threats, yet studies and results indicate that internal threats (e.g., the employee base) account for over 50% of cyber breaches (source: Willis Towers Watson, or “WTW”). Couple this observation with the finding that companies devote minimal cybersecurity resources to the education and training of their internal employee base, and the logic does not hold up. We mentioned in our last Big Boys Series article that a company is only as secure as its weakest link – ditto this scenario – the lone employee who inadvertently clicks on that e-mail and opens up the entire company’s systems to an intruder.

So, how does a company go about assessing its internal vulnerabilities in a realistic yet cost-effective way? Astute companies, big and small, are beginning to take heed, moving from innocuous, lightly regarded questionnaires or annual corporate cybersecurity training to performing actual hacking simulations. Attack simulations using phishing enticements sent to a random sample of employees have proven highly successful in educating employees and reducing click rates from as much as 40% to less than 10% (WTW). That is still too high, but much improved, and it shows that the hands-on process works well. It also keeps the employee base attentive, knowing they may be tested at any point in time. So, they stay on their toes. It’s analogous to controlling speeding on the roads. What works better, a sign on the side of the road telling you to slow down, or speed bumps?

To further reduce internal vulnerability, companies are implementing simple, cost-effective methodologies, and you can too. Moreover, you don’t need sophisticated AI software to do it. Heightened employee engagement is the secret weapon in defeating cyber intrusion. Current thinking on gaining this “heightened interest” has had success through intuitive training mechanisms that take advantage of today’s fast-paced, socially connected environment. Microlearning has shown great promise as an alternative to the standard annual or periodic half-hour corporate training class. Microlearning is a quick-learning process that delivers intermittent short bursts of information employees can read or review quickly, without being extensively distracted, before continuing with their regular duties. These can take the form of quick reading or, better, short animated learning modules. Tailoring cyber educational content to generational distinctions is another simple approach to sustaining that heightened interest.

More sweeping measures for closing those internal vulnerabilities may involve a serious discussion by your management about the use of removable memory devices, including USB sticks, SD cards, and flash drives. These items are convenient and handy but easily abused through complacency. A recent BBC News report noted that IBM’s global chief security officer had placed a firm-wide moratorium on the use of such devices. Quite a disruptive measure, and thought by some to be an overreaction. However, when you consider human complacency, and the ease of plugging in a device that could immediately introduce hidden malicious code into the company environment, one can see the other side of the reasoning behind this difficult decision.

Small companies face more significant cybersecurity risks simply because of their size and limited resources. We will talk more about this in future articles as the ERM – Not Just for the Big Boys series continues.

So, what’s the take-away?

This article, as part of a continuing series, aims to show small to medium-sized companies that ERM can be structured and implemented using a cost-efficient approach. We repeat to our clients, future clients, and colleagues: these risk-management concepts are not just for the big boys. You just have to take that first step and start a discussion. If you are a going concern, regardless of size and complexity, keep the concepts presented in this series in your ERM planning inventory. We can step in and work with you, using our 3D approach to establish an ERM platform. 3D is an ongoing client-assist program to support management in discussing, designing, and documenting the ERM platform, with the further goal of maintaining it as a living program from which you grow.