In terms of cyber security, what do we mean by quantifying value at risk? Well, simply put, it’s all about defining the value of your information and assets that may be at risk from exploitation by a cybercriminal or, indeed, from an inadvertent mistake by a member of staff, not to mention disgruntled staff members, although I’m sure your management style would ensure that no staff could possibly become disgruntled!
Today, the media perpetuates and often sensationalises the issues that all businesses face in regard to cyber security and data protection. They often focus on the lack of cyber security measures taken by individual businesses, on technical solutions, which in themselves can bring with them vulnerabilities, and on the added administrative overhead and cost.
The fundamental issue is appreciating that what you are protecting is information and that you need to implement appropriate, affordable and accreditable security controls. This starts with understanding the value of your information to the business and, perhaps more importantly, the impact on your business should that information be lost, stolen or compromised in some way.
Affordable – There is a plethora of technical controls available on the market, essentially products that I’m sure you are bombarded with information about. If you do not understand the value at risk to the business, both the financial and management costs associated with these technical controls can be totally over the top and unnecessary. These costs must align with the ‘value at risk’.
Appropriate – Selecting appropriate controls to protect your information assets is difficult, and the result is generally a blend of both technical and non-technical controls. Processes and procedures which define how sensitive transactions and information are handled are as much a part of a cyber security strategy as the implementation of technical controls. This is something largely overlooked by the majority of SMEs.
Accreditable – Increasingly, businesses are finding that security standards such as ISO 27001 or Cyber Essentials are being demanded by their customers and business partners. For many SMEs, ISO 27001 might be considered over the top and too expensive to undertake, whereas Cyber Essentials, introduced by the Government and mandated for doing business with Government, is relatively easy and cheap to undertake.
So how do you get this understanding of ‘value at risk’? H2 offers a risk assessment and business impact analysis to help businesses formulate and develop an in-depth understanding of their valued information and assets, the impact on the business should they be compromised, and how to select and implement the appropriate, affordable and accreditable controls that may be necessary.
For more information check out our risk assessment service.