Cybersecurity risk in today’s business environment prompts you to ask the question; “is it possible to run a business today in such a way that it is truly safe from cyber criminals?”  Media headlines would make one think it is impossible.  In my own practice, we have helped clients recover from many varieties of cyber attacks including direct hacking and theft, ransomware and phishing attacks.  Targeted clients run the gamut from a very small ten-employee warehouse distribution firm, to a 50 employee professional services firm, to a 700+ employee manufacturing firm.

The adversary has only to be right one time to steal or extort information or money, while the firm’s cyber defenses need to be without fault.  To be sure, perfection is unattainable.  I’ve often described cybersecurity as a curved graph, with costs and inconvenience rising at an ever-increasing rate, making it impossible to achieve “total cybersecurity”.

Just as in many areas of business operation, business cybersecurity risk must be accepted.  How much cyber risk should be accepted?  This is a new question which is unfortunately a required part of standard business operations in the 21st century.  Our clients have always relied on us for guidance in navigating risk in business.  Such is the role of a trusted advisor.  Since our firm has provided IT consulting services for over twenty years, we thought it important to help our clients address their business cybersecurity risk.

Chortek has developed a cybersecurity assessment process based on an industry-agnostic framework of 98 controls.  This framework is the basis for a discussion of cyber risk tolerance, comparing current risk level present in the organization to the desired risk level in each of the controls.  The results of this risk assessment exercise yield a plan of highest impact, lowest cost actions that help bring risk down to acceptable levels.

Ask yourself:

What level of concern are you or your clients expressing about business cybersecurity risk?  Is action being taken to change business operations to dynamically address this changing business risk, or do hopes rest on IT people having the right controls in place?

Michael Senkbeil, CISSP, CISA
Partner at Chortek LLP