Curbing your Risk Appetite in the New Year

The holidays are behind us now, and many of us have made (and possibly broken) resolutions to rein in our appetites and make better decisions regarding our personal health and fitness. This New Year is also a great time to assess your company’s IT fitness, curb your “Risk Appetite,” and resolve to tighten up loose cyber security controls.

When you make your personal New Year’s resolutions, you set your goals for the New Year, assess your lifestyle and implement the necessary changes to meet your goals. The same pattern holds true when setting your goals for your company’s cyber security in 2021. A few simple changes can make a big difference.

How to set Cyber Security Goals:

  • Start by understanding your company’s Risk Appetite.
  • Next, assess your level of risk and compare it to your appetite.
  • Finally, make the necessary changes to reduce your exposure to cyber security risk and bring it in alignment with your true requirements.

What is Your Risk Appetite?
Simply stated, your Risk Appetite is the amount of exposure to cyber security threats your business is willing to accept in order to compete effectively or gain a competitive advantage within your market. Accepting zero risk is no more realistic than pledging to go on a zero-calorie diet. A certain amount of Internet exposure is necessary to keep your business alive, but your inherent risk is directly linked to the number of points at which your IT systems make contact with the public Internet. The key is to eliminate unnecessary risk while recognizing and controlling the necessary links to the outside world.

Assess Your True Risk Level.
Look at all the ways you are using the Internet in your business and determine whether each one is necessary to your business and whether that exposure falls within your level of Risk Appetite. Some examples of Internet exposure are:

  • Business use: Email, web access to hosted applications, marketing activities, social media, web site maintenance, web research, branch and core system communications, remote access to internal systems, email on mobile devices, etc.
  • Personal use: Shopping, personal email, social media, web browsing, guest Internet access, etc.

Look at each Internet access point critically. Does a particular workstation even need to access the Internet?

Go On A Risk Diet.
Finally, look at ways you can limit your risk to a necessary level by eliminating unnecessary exposure to the Internet and isolating the exposure that is necessary. Good cyber security is best achieved by using the “least permissions” principle. This means permitting each individual and network resource access only to the systems, programs and websites necessary to do their specific job. For smaller companies, where one individual may wear many hats, this may pose a challenge. It is important to take security concerns into account when making task assignments.

Use whitelisting for applications and websites. This means using desktop and Internet firewalls to block all websites and applications except those that are explicitly required for business purposes. For those who need regular access to multiple Internet sites for marketing and research, establish a separate physical network with a separate Internet connection. Internet connections and workstations can be very inexpensive, and a wireless “guest” Internet connection is easy to establish. The key is to keep web traffic on a different network than your vital business operations. Malware from the web can’t compromise security if it never touches those systems.

Start the New Year right and be honest when determining what Internet access is truly necessary for your company. It’s not necessary or desirable to go on a crash diet and eliminate Internet use entirely, but cut out the unnecessary risk and your cyber health will be much better for it.

About the Author: Mike Gilmore is RESULTS Technology’s Chief Technology Officer. He has 30 years’ experience and is a Certified Information Systems Auditor (CISA). As CTO, he focuses on assuring that the IT systems of RESULTS’ clients are aligned with their business goals. He can be reached at info@resultstechnology.com.