Is cybersecurity risk on your radar?

Most businesses have heard of cybersecurity attacks through the media but they may not be actively identifying the cybersecurity risks that they are exposed to, or actively mitigating these risks.

Why does this happen?

Risk is not just about likelihood.

When we think about “risk”, we tend to focus on the likelihood of something happening.

And when assessing that likelihood, we use past experience as our guide to whether the event will occur in the future.

Everything has worked fine up to now, so it will be fine into the future.

If we have not experienced any kind of cybersecurity event in the previous 100 days (or 10 years), we assume that we will have a similar experience into the future.

We can be like a turkey at Halloween, assessing the ‘risk’ of Christmas as low because we’ve had more than 300 days of a good life.

And if we believe the likelihood is low, we interpret this as meaning the risk is low.

Risk is also about impact

You may feel that the likelihood of a cybersecurity attack is low.

But it is probably not as low as you think.

And the likelihood is certainly not zero.

Even if you think an attack is unlikely to happen, make sure you think about the impact if it did happen.

Risk = Likelihood x Impact

Risk is more than just likelihood. It’s also about impact.

It’s when we think about the ‘impact’ of a cybersecurity attack that we start to pay attention.

What’s the impact if the business:

  • loses access to its file shares for 3 days?
  • loses €30k because it has paid money into a criminal’s account?
  • has to spend weeks assessing how much personal data was in an email account which was accessed by an unauthorised individual?
  • has to inform clients that their data was disclosed?

When we see that the impact of an event could be catastrophic (even if the likelihood of its occurrence is low), we will work hard to reduce both the likelihood and the impact of the event.

Only then can we say we are truly managing the risks.

Two things to consider about your cybersecurity risk management:

  1. What are you doing to minimise the likelihood of an unauthorised login to a key system (e.g. email / file shares / CRM / ERP / Accounting)?

     [Red flag: An answer that assumes Microsoft or another cloud provider won’t have a failure]

  2. What are you doing to minimise the impact of such an incident?

     [Red flag: An answer that mentions backups but doesn’t mention a recent successful test of those backups]