Welcome to Cash in the Cyber Sheets. I'm your host, James Bowers, and together we'll work with business leaders and industry experts to dive into the misunderstood business of cybersecurity and compliance to learn how to start making money from being secure and compliant. Welcome to Cash in the Cyber Sheets.
Hey everyone, welcome to Cash in the Cyber Sheets. I'm your host, James Bowers, Chief Security and Compliance Architect here at Input Output. Very happy to have you with us today. So continuing on from last week, we were talking about what we call the dirty 13, the 13 most common mistakes that honestly most companies make when looking at their information security program.
But really what we see when we're auditing CPA and other financial firms, 13 of the top issues, and a lot of these can actually lead to some pretty serious consequences, not just with the regulatory issue, but also just really major impacts to the business. So last week we dove into insufficient written information security policies, what that looks like, what that means, how to, some common tips, how to avoid that. And this week what we're going to dive into for a little bit is the next of the top 13 is insufficient risk analysis.
So one of the big things that we see with a lot of companies is that they either don't have a risk program in place or what we see even more is that they've got some sort of risk that they've calculated, some things that they've come up with, but it doesn't relate to the business at all. And if you ask them, how does this relate to the business? How did you come up with this? It's like a deer in headlights. They don't know because they just went by kind of a list that maybe they got online and put it in place, probably on the shelf right next to where they put that information security policy they never look at, and it just really doesn't serve the business.
So before jumping into that, always got to remind you, click on that, subscribe, click that, follow, send us some comments, let us know some things that you would like to talk about. And we are, we've been recording quite a few different business partners that will be getting all of those edited and put on here soon. So very excited for that.
If you would like to be on and talk about your business, the things you've gone through, we'd love to have you on. So getting into it, keeping a tally here, I think I'm at five or six so's so far this episode. I've been working on the um's, but they just seem to change to so's.
We're going to try and fix that. Stay tuned. And I'm focusing on not saying it.
The core risk management, what we see, one of the core requirements, not just of the FTC Safeguards Rule, since we're talking about CPAs and financial firms, but practically every single standard, every single framework, every single regulation, they all want your information security program to be created with a risk-based approach. And that's kind of vague. What does that mean? And what we see when we're doing a lot of audits is that companies will get a list of risks, say from online, and they'll just go down and they'll answer those high, medium, low.
And like I said before, when you really get to it, there's no connection to the business. There's no real way to talk through how this risk exercise helped us understand our risk in the business better. And that led to us making these decisions.
Really what you want to be able to show with your risk program, with your risk analysis, is we identified and assessed our risk, and based on that, we took these actions. Whether we decided to do something or not to do something, it should really be all based on that risk analysis, to where we're looking at, we've got a huge risk over here, we're going to put controls in place to try and mitigate or avoid that, or it's not that big of a risk to us, we're just going to accept it and move forward, which typically is perfectly okay. You just want to be able to back that up with really a logical explanation.
And I guess a good way to think about it is if you were going to sit in a court of law or you're going to sit in front of all of your investors, all of the people putting money into the business, could you have an educated conversation? Could you have a conversation to where it would be acceptable, yeah, that's believable, or can you quickly see it in your mind just falling apart that you'd be rambling and not really know what you're talking about? The latter there is what you want to avoid. So, number seven, we've talked about it in other episodes, if you actually go back quite a bit, I think we did like two or three very deep into risk management, so we're not going to get that deep because, like I said on our previous episode, trying to start keeping these smaller a little bit easier to digest, but I do want to give some ways that you can really ramp up your risk assessment process without a whole lot of steps. So, a few ways that we're going to look at this is we want to assess impact, how much of an impact, how devastating would this be to us financially, reputation, whatever, and what's the likelihood? How likely is this to happen? And there are far more ways that this can be calculated, that this can be assessed than we can get into here.
You can go a very ordinal scale, high, medium, low. You can do what we do a lot in starting with clients is kind of a five-tier, low, low-medium, medium, medium-high, and very high. And that can tie into a likelihood score to give us an overall risk score so that we can start to see what you call, you could put those on a heat map, where we could start to see where our risks are with the business.
That's still very basic. Where you eventually ultimately want to get to is being able to tie it to dollars and cents, tie it to actual amount of time that the business isn't operating, tie it to some numbers as far as what does it look like as far as retention impacts, which an interesting little fact is I believe according to the Verizon data breach study is after a data breach, there is at least a 3.9% negative impact to client retention. So definitely something there that can be a little bit harder to quantify.
So what we'll look at today is just doing a basic, high, medium, or low, or the five steps, however you want to do that. And what I would say start with is look at, we've talked about this before, not the CIA triad, but CIAPS. We're going to look at confidentiality, integrity, availability, privacy, and safety issues.
And at a very high level, this is a good exercise more at top leadership level, we're looking at confidentiality, how big of an impact would it be to us, to our company, if our data got out? We're not looking at client data, that's a privacy issue, but just our information or our vendor's information that isn't PII or PHI. What type of impact would that have for us? Internally here, it would definitely be egg on our face. We would have some things out in the open, but ultimately our data isn't any type of trade secret.
It's honestly, the majority of what we have is freely shared anyway. So internally, it would be perhaps some financial data, some things that we would prefer not to get out, but it wouldn't be devastating to us. Other companies can't say the same thing.
But look at, as far as our data, confidentiality thing, if the wrong people got their hands on it, what would that mean for us? Give that a score. High, medium, low, the five point scale, whatever you want to do. The next one we'll look at is integrity.
And the way we'll look at that is, if our data was altered in ways that we weren't expecting, how big of an impact would that be to us? In a lot of companies, a lot of risk analysts overlook this, but a way to look at it in a lot of companies is, in some ways, this wouldn't be too big of an issue, especially if your confidentiality impact is typically low, you don't have very serious data. If it's altered, that sucks, but not a big impact. Where it can be a major impact, however, is let's say with a medical firm.
The results of a medical test are altered before they get to a patient or before they get to another physician. That could be major. Another area that could have a big impact is CPA firms.
The tax data, the financial recording data, things that we have saved for our clients or that we're inputting are altered either before they go to the IRS, which would be horrible, or they're corrupted, altered, changed in some way in our backups that if we ever have to look back at those, the data's not going to match up. There are definitely areas that integrity can have a big impact, and you want to look at what would it mean for our business if the data was altered in ways we weren't expecting. The next one is availability, and this just comes down to do we have access to our systems, our data, our resources, people or whatever? Do we have access to those when we need them and at the level that we need them? And how big of an impact would it be to us if we didn't? Again, as an example internally, if we're offline for one, two, three, four days, we're looking at more egg on our face.
It's a cybersecurity company, a compliance company having a cyber event. That doesn't look great, to be honest. But for the most part, we can easily recover.
We can operate in other ways. We can make things happen. If you're a CPA firm at tax time, that could be catastrophic.
If you're a high-volume retailer, that could be catastrophic. So availability can impact companies in multiple ways, and we want to look at if we didn't have access to what we needed at all or at the level we needed it, how big of an impact would that be? Next one is privacy, and we talked about it before. It's a lot like confidentiality except that this is where we can identify a data subject.
Could we identify an actual person, an individual from a set of data? And easiest way to put this is our PII, our PHI, our protected financial information, is any of that exposed to unauthorized parties? And if so, what type of impact would that be? Easy math here, according to the IBM data breach statistics, is that's anywhere between about $150 to $185 per record. So if you have 1,000 records, $185,000 of potential exposure is a real easy way to look at that. And even if you're not putting a dollar value there, it can help you better quantify your qualitative scale. Is this a little tiny issue or something major? Final one is safety.
It's overlooked a lot, but especially now with how co-mingled IT systems are with operational systems, it's something that you should not overlook. And this is just looking at any type of safety issues. One that I always throw out there is with so many people moving to Voice over IP phone solutions, make sure that any of your critical systems, fire alarm systems, elevators, that they still have the required POTS lines so that you don't create a safety issue.
Because God forbid something happens, you can't get a call out, that can be pretty serious. This is also looking at any type of fire extinguishers, exits, so on and so forth, all types of different safety considerations there. But look at that from both an internal associate perspective and also any safety issues for clients or people that are on premises.
That can lead to pretty serious legal issues. Great to talk to a personal injury attorney who can give you a lot more information than we can here. But those are really good to include in your risk assessment.
Confidentiality, integrity, availability, privacy, and safety. So from that high level, we can further break that up. We can further start looking at our different risks.
Again, from the CIAPS level that we are just looking at and do a PESTEL analysis. So we can look at all the different political, economic, social, technological, legal, and environmental issues. The technological here is one that companies primarily focus on.
They don't consider all of the others except perhaps for typically environmental when looking at continuity plans, disaster recovery plans. But we want to at least quickly consider all the different political issues. Could some regulations change? Could new laws be put into place that would impact our ability to operate properly? Are there any social issues? Do we need to make sure that we have social media policies in place to make sure our employees don't post something that ends up getting us canceled? Or any legal issues.
If we have a safety issue and a personal injury attorney gets involved, that can be a pretty serious issue. Also, if we don't have appropriate policies and procedures, if we don't have a robust enough risk assessment process or information security program, that can lead to regulatory fines. That can lead to other type of legal issues.
So even here, just with these, I don't want to say small little areas, but these small considerations. This can take us from just having a few risks on a page with a high, medium, and low score that don't really relate to a point to where we can have an educated conversation about how the risks that we have on our sheet that we've identified actually relate to our business. And some of the different ways that that allowed us to make the decisions that we made, the controls that we put into place, any type of restructuring that we did.
And that's really all the risk management process is about. There is so much more to it. And we've talked about, we've scratched the surface in some of our earlier episodes, and we'll continue to talk about risk management, because it's really the foundation of everything here.
But again, this can help you start to marry that to where it's not just a check-the-box solution or check-the-box exercise, in more of a supporting process, an activity that can help you better protect and better develop your business. That's all I have today. Thanks for listening to us here on Cash in the Cyber Sheets. Talk to you next week.
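As an added illustration that is not part of the episode, the script below works the five-tier impact-times-likelihood scoring over the CIAPS categories described above, banding each risk for a heat map, recording an accept-versus-mitigate decision, and applying the per-record privacy exposure math. The 1-to-5 numeric mapping, the use of the same five labels for likelihood, the band cut-offs and the sample CPA-firm scores are assumptions.

```python
from dataclasses import dataclass

# Five-tier impact scale from the episode, mapped to 1..5 (mapping assumed).
IMPACT = {"low": 1, "low-medium": 2, "medium": 3, "medium-high": 4, "very high": 5}
LIKELIHOOD = IMPACT  # same five labels reused for likelihood (assumption)
# Heat-map bands on the 1..25 product; cut-offs are assumptions.
BANDS = [(4, "low"), (9, "medium"), (14, "high"), (25, "critical")]
COST_PER_RECORD = (150, 185)  # IBM per-record range cited in the episode, USD

@dataclass
class Risk:
    category: str    # CIAPS category
    scenario: str    # what going wrong looks like for this category
    impact: str
    likelihood: str

    @property
    def score(self) -> int:
        return IMPACT[self.impact] * LIKELIHOOD[self.likelihood]

    @property
    def band(self) -> str:
        return next(label for limit, label in BANDS if self.score <= limit)

    @property
    def treatment(self) -> str:
        # Low-band risks are accepted; anything higher needs a control decision.
        return "accept" if self.band == "low" else "mitigate or avoid"

def privacy_exposure(records: int) -> tuple[int, int]:
    """Dollar range of exposure for a count of exposed PII/PHI records."""
    return records * COST_PER_RECORD[0], records * COST_PER_RECORD[1]

def rank(risks: list[Risk]) -> list[Risk]:
    """Highest score first, so the register reads like a heat map."""
    return sorted(risks, key=lambda r: r.score, reverse=True)

# Constructed CIAPS register for a hypothetical CPA firm; scores are assumed.
CPA_FIRM = [
    Risk("confidentiality", "internal documents leaked", "low-medium", "medium"),
    Risk("integrity", "tax data altered before IRS filing", "very high", "low-medium"),
    Risk("availability", "systems offline three days at tax time", "very high", "medium"),
    Risk("privacy", "1,000 client PII records exposed", "medium-high", "medium"),
    Risk("safety", "fire alarm left without a POTS line after VoIP move", "very high", "low"),
]

if __name__ == "__main__":
    for r in rank(CPA_FIRM):
        print(f"{r.category:15} {r.score:2} {r.band:8} {r.treatment}: {r.scenario}")
    print("privacy exposure, 1,000 records: $%d-$%d" % privacy_exposure(1000))
```

The ranked output is the "we identified and assessed, and based on that we took these actions" record the episode asks for: each line ties a score to a scenario and a decision rather than to a bare high/medium/low label.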
Thanks for joining us today. Don't forget, click that subscribe button, leave us a review, and share it with your network. Remember, security and compliance aren't just about avoiding risk. They're about unlocking your business's full potential. So stay secure, stay compliant, and we'll catch you next week on Cash in the Cyber Sheets. Goodbye for now.