By SecureWorld News Team
Tue | Aug 24, 2021 | 2:44 PM PDT

What is the difference between a day at the beach and managing a cyber risk assessment plan? According to Dave Schmoeller, Director of Solutions for Reciprocity, there are a few notable similarities between the two.

"Thinking about a day at the beach, I could get sunburned, I may drown, I even could get stung—or I could simply have a great day at the beach. Those are all possibilities. They haven't happened yet, but they're possibilities.

Risk is not what happens or occurs after that risk materializes. I have a risk of getting sunburned, but just because I am at the beach does not mean I'm going to get sunburned… What's the best use of your limited resources that require some analysis?"

SecureWorld recently presented the webinar, Cyber Risk: Stay Ahead of Evolving Threats with Proactive Collaboration, with speakers representing Reciprocity, a leader in Governance, Risk, and Compliance (GRC) software. Schmoeller and Jessica Gray, GRC Expert, both offered crucial takeaways on creating and managing a cyber risk assessment plan, whether you are still in the planning phases, building out your plan, or have already implemented a mature system (defined by Gray as enduring a 24-month period without any incidents).

In this webinar, Schmoeller and Gray shared their insights and tips for businesses from all industries to understand what cyber risk is, as well as best practices for creating a risk management plan from a GRC standpoint. The speakers also delved into notable topics about what risk is, what it is not, and how to analyze potential risks.

A data-driven world and navigating it

Gray cited many of the major hacking incidents in the past few months, including Colonial Pipeline and T-Mobile, as evidence that the threats continue to evolve. This is happening at the same time as massive digital transformation.

"Data is going to be driving everything in terms of technology, so I was interested in the data itself and protecting the data…. Everything is moving to the cloud and we're more data conscious.

Everything in technology is driven with being able to send money through your phone now as opposed to doing everything in person, and then COVID really accelerated that even more, doing everything from going to the doctor to ordering food, groceries, everything."

With more business completed online and more data gathered, there is a greater demand from both internal operations and consumers to manage data in a responsible way.

Who creates the biggest threat of data breaches within an organization? Of course, there are risks from outside hackers, but many of the threats come from within an organization—like the urban myth of the babysitter receiving threatening calls from within the house.

Many times, breaches happen because users leak information, or because they were never given a clear set of expectations for how to use specific software or servers within their own organization.

Depending on a professional's industry, there may or may not be accepted risks that are a part of day-to-day business. Gray and Schmoeller touched on different examples of what counts as acceptable risk and how that relates to assessing cyber security weaknesses.

What are the best ways to build a risk management plan?

There is no getting around it: the best way to start is to start right now, according to Gray. Just a few ways to get a new risk management plan off the ground include the following steps:

  • Identify the problem areas by running a risk assessment. If your organization does not have a way to assess risk, find the education necessary to start a routine process.
  • Educate the team on their roles. For instance, Gray noted that the needs of an IT professional might look completely different from those of an end user with limited authorization.
  • Take the steps to build out a plan with input from professionals, or build a training module for employees to be updated on a consistent basis.

This discussion also focused on other topics, such as risk analysis and risk treatment, as well as how GRC tools can benefit users at all levels of an organization.

If you missed the livestream of the webinar, it is now available on demand.

Be sure to register for the upcoming webinars presented by SecureWorld. Proof of attendance may be used to earn continuing professional education (CPE) credits. Certificates can be downloaded after you attend. Check in with your certifying body for eligibility.