
IT AND CYBER RISKS
HOW TO REDUCE THREATS AND PREPARE YOUR ORGANIZATION FOR THE UNKNOWN
In the first six months of 2020, more than 27 billion records were exposed as a result of data breaches. This figure exceeds the total number of records exposed during all of 2019 by more than 12 billion records.*

Today, organizations in nearly every industry rely on information technology to conduct business. While modern technology provides many advantages, it comes with certain threats that can put a company at risk.

Cyberattacks are expected and prevalent in our digital world. We are no longer shocked to hear about a massive data breach because they have become part of a new normal.

Whether a breach is due to a malicious outside attack or a simple employee error, leaders at organizations of all sizes need to understand the risks to their operations and reputation and do everything in their power to protect their most valuable assets – their private information.

This eBook will cover several areas that leaders need to consider around cybersecurity, including:

• The fine line between IT and cybersecurity
• Reasons to perform a cyber risk assessment, and five steps to assess your risk
• The ins and outs of incident response
• Creating a culture of cyber awareness

*Risk Based Security 2020 Mid Year Report

Hartman Executive Advisors 2


THE FINE LINE BETWEEN IT AND CYBERSECURITY

Cybersecurity is not something a small group can take care of independently, or something that should be delegated to the IT team. All employees at all levels need to understand the role they play in keeping the organization safe.

Cybersecurity might seem like a challenge reserved for the IT team, but cyber is a business risk issue, not an IT issue.

Many of the steps to remediate issues are implemented by IT, and so a partnership with IT is critical. But, from the outset, business leaders should approach cybersecurity like any other business risk – with a clear, strategic process where the risk is analyzed and a plan is designed for mitigation.

While an IT leader can certainly become a cybersecurity expert with proper training and experience, separating and defining the roles is key to long-term success.

Organizations need to be vigilant about cybersecurity to protect not only their assets and reputation, but the individuals and other companies who rely on their operations.

Leaders who recognize the reality of a potential breach can take steps to mitigate risks and stay ahead of threats through proactive cyber risk management.



CYBER RISK ASSESSMENTS
WHAT ARE THEY? DO YOU NEED ONE?

Cyber risk assessments offer three major benefits:

• Help business leaders uncover "blind spots"
• Lead to simplification of IT systems
• Ensure data is safe and compliant

A cybersecurity risk assessment is used to identify an organization's most important devices and data and potential holes that could provide access to a secured system. An assessment can also identify how vulnerable a business is as a target and what risks could arise if secured data were to fall into the wrong hands.

Regular cybersecurity risk assessments should be a critical part of every organization's procedures. Used to determine the likelihood of a cyberattack against a business, an assessment can also determine the impact an attack could have on reputation, finances and overall business health.

As technology is continually changing and evolving, it's a best practice for companies to undergo a cyber risk assessment at least once every two years, or more often if new threats become prevalent.

Many business leaders use these assessments as a tool to make more informed decisions regarding cybersecurity infrastructure. Cyber risk assessments can also reduce wasted time and resources by eliminating the need to review misleading threats based on non-quantifiable data.



CYBER RISK ASSESSMENTS
KEY BENEFITS

UNCOVER BLIND SPOTS

Cybersecurity involves many components, many of which can be easily overlooked. Cyber risk assessments are designed to give business leaders the data and resources they need to navigate the potential risks and identify areas that were missed in the past.

Blind spots are relatively common in the cybersecurity industry. As technology continues to advance at a rapid rate, it can be challenging for businesses to keep pace. Assessing the situation helps ensure that business leaders are aware of hidden dangers so they can take the proper measures to address them before it is too late.

SIMPLIFY IT SYSTEMS

Cyber risk assessments do much more than pinpoint potential threats to a business. They can also be useful for simplifying IT systems and processes. By performing a cyber risk assessment, businesses gain the resources they need to consolidate IT systems.

A simplified IT system is easier to use and draw data from, and can effectively store large amounts of sensitive data. It is also easier for business leaders to review security controls for simplified systems. Once a business has identified potential weaknesses and has a thorough understanding of threats, it's important to review and improve security controls. This essential step can help companies determine if preventative or corrective controls need to be enhanced or modified.

KEEP DATA SAFE AND COMPLIANT

Cyber risk assessments can also address whether an organization is up-to-date and compliant with all regulations for its industry. In any organization, there is a vast amount of information that needs to be safely stored yet accessible as needed.

With quantified data from a cyber risk assessment, companies can develop better security policies to protect their data and network while working toward compliance.



CYBER RISK ASSESSMENTS
FIVE STEPS TO ASSESS YOUR RISK

Step 1: Determine the Value of Information

Most organizations are not able to put unlimited funds towards cyber risk management. Therefore, it is important to pinpoint the most business-critical assets to save both time and money. When determining value, consider the following:

• Possible financial or legal penalties associated with cyber risks
• The value of the information to competitors
• The ability to recreate the information if it was lost
• The impact of the loss on day-to-day operations
• How a cyber threat could affect revenue
• How much damage the IT threat would do to the business

Once you have the answers to these questions, it's time to move to step two.

Step 2: Identify and Prioritize Assets

To identify assets, an organization must first evaluate and determine the scope of the cybersecurity risk assessment. Assessments should include all buildings, employees, vehicles, office equipment and electronic data.

For each asset, gather information about hardware, software, data, IT security policies and architecture, network topology, information flow, and anything else that may be applicable. It's important to note that not all assets have equal value. This step of the assessment will help you prioritize accordingly.


Step 3: Identify Threats and Vulnerabilities

Threats include any event or actor that could exploit a vulnerability to steal data or cause harm to an organization. Of course, IT security threats are not the only type of risk that can affect a business. Other common risks include system failure, natural disasters, human error and adversarial threats from insiders, suppliers or third-party vendors.

An organization may also face unauthorized access from attackers or malware, misuse of information by authorized users, loss of data, data leaks or disruptions in service.

It's also critical to determine what could happen to an organization if vulnerabilities are exploited. Vulnerabilities refer to any weakness that a threat to a business could exploit with intent to breach security, steal sensitive data or harm an organization. When documenting these, it's also important to remember that there are physical vulnerabilities that could affect an organization, such as the wrong person gaining access to a keycard.

Step 4: Analyze Current Controls and Implement New Controls

Every business has certain controls in place designed to minimize or eliminate the chance of certain threats materializing. Some of these controls include physical locks, keycard access, security policies, security software, hardware encryption or multi-factor authentication methods. During a cybersecurity risk assessment, businesses should take the time to analyze their current controls, determine how well they're adhered to, and if necessary, implement new ones.


Step 5: Prioritize and Document Risks

An organization's risks can change on a year-to-year basis. Therefore, it is important for businesses to undergo risk assessments on a regular basis to determine what risks are possible based on existing conditions. Then leadership can prioritize risks based on their risk level, whether high, medium or low.

Finally, once prioritized, it's key to document the results of the research performed in a comprehensive report. For each threat found, the report should describe the risk in detail, as well as its value and vulnerabilities. The document should also outline the impact and likelihood of the threats, and any control recommendations. By documenting business risks, businesses can better understand their most valuable data and how they can best operate and secure their organization.



THE INS AND OUTS OF INCIDENT RESPONSE

Network security incidents can happen at any time and often, unexpectedly. Being prepared for such events can help minimize their effect on ongoing work performance and a potential loss in revenue.

According to the 2020 Cyber Resilient Organization Report conducted by Ponemon Institute and sponsored by IBM Security, 74% of the organizations surveyed report that their incident response plans are either ad-hoc, applied inconsistently or nonexistent.

However, companies with formal cybersecurity incident response plans were less likely to experience significant disruption to their business following a cyber attack. Specifically, 39% of companies with formal plans had a disruptive incident compared to 62% of companies with inconsistent or lacking response plans.

So what is an incident response plan? It's a set of instructions that helps an organization detect, respond to, and recover from network security incidents that could threaten its livelihood. Although no action can completely safeguard any organization from certain security incidents, an incident response plan helps mitigate risks and prepares organizations to recover as quickly as possible.



INCIDENT RESPONSE
WHERE TO START?

ESTABLISH ROLES AND RESPONSIBILITIES

First, businesses must outline and establish roles and responsibilities for the incident response team members. While these roles can differ slightly from business to business, most organizations can benefit from having a comprehensive incident response team that has the skills needed to manage all issues that may arise. Ideally, your team should have an incident response manager, an IT leader, security analyst, threat researcher, corporate communications expert, legal representative, risk management expert, human resources professional, C-level executives and external security forensic experts. It is important to notify all team members of their roles and responsibilities.

IMPLEMENT A BUSINESS CONTINUITY PLAN

As part of your incident response plan, your organization should have a business continuity plan in place. Business continuity planning involves the prevention of, and recovery from, potential threats to a company. Having a business continuity plan helps ensure that all personnel and assets are well protected and can be recovered in the event of a disaster. A solid business continuity plan should include arrangements that help maintain a continuous supply of critical products and services that allow a business to recover its data, assets and facility. The plan should also identify resources that support business continuity, such as information, equipment and legal counsel.

SUMMARIZE TOOLS, TECHNOLOGIES AND RESOURCES

Within your incident response plan, there should be a comprehensive list and summary of technologies, tools and physical resources that may prove useful when responding to or recovering from an incident. There are all types of tools that can be added to your plan, such as netflow analyzers that look at traffic across border gateways in a network, or vulnerability scanners which help isolate potential risk areas and assess the attack surface of a business for possible weaknesses. You may also choose to use other types of tools online, such as web proxies that help control and log access to websites to reduce threats that occur over HTTP.



INCIDENT RESPONSE
ROUNDING OUT YOUR PLAN

MAP OUT NETWORK AND DATA RECOVERY PROCESSES

Your incident response plan should also have a list of critical network and data recovery processes. These processes are designed to restore and return affected devices and systems back to the normal operating environment. It is important that these processes also allow you to recover your devices and systems without the risk of leaving your business open to more data breaches. To prevent extensive disruption to business activities, your incident response plan should have processes that keep any downtime to a minimum. The plan should also state specifics, such as how long to monitor the systems following a breach.

PLAN FOR INTERNAL AND EXTERNAL COMMUNICATION

The final key component of a detailed incident response plan is how internal and external communications will be handled. When cybersecurity incidents occur, you want to ensure that the incident response team can adequately coordinate with a variety of internal and external professionals. The exact details of what a company should communicate and when should be kept flexible based on the unique details of the incident. However, it is important for a business to determine who they will need to communicate with and be prepared for various types of questions that may be asked. Having this information before an incident occurs can help ensure that you are better equipped to handle the aftermath of a security breach.

IN SUMMARY:
Organizations need to be prepared to respond to both internal and external stakeholders following a breach. A documented, flexible incident response plan is critical to this preparation, and may even be required depending on the industry.

As reputation is critical, the ability to quickly respond to a negative situation in a competent manner is crucial, increasing the likelihood that operations can resume without interruption.



CREATING A CULTURE
OF CYBER AWARENESS

One wrong click by a distracted employee can wreak havoc on an organization.

Phishing, the fraudulent practice of sending emails pretending to be from reputable companies in order to steal personal information, is the biggest threat for small organizations, accounting for over 30 percent of all data breaches in 2020.*

Most employees inherently want to do the right thing, but are often untrained and unaware of how their actions can affect the organization and potentially expose private information and intellectual property.

Cybersecurity training is not just a box to check off; rather, it must become an ongoing and mandatory part of an organization's culture – and it has to start at the top to be most effective. Leaders who recognize the value of ongoing cyber training can set an example for their entire company and mitigate future negligence that can lead to a breach.

Comprehensive training includes regular and varied testing of the employee population with
simulated phishing attempts. The goal is to keep employees on their toes so they become used
to thinking twice before clicking a link or providing information. Close the testing loop each
time with a report that goes out to staff with the results of the test.

*Verizon Business 2020 Data Breach Investigations Report



Hartman Executive Advisors has extensive experience with working with organizations to assess their
cybersecurity risks, as well as to plan and implement solutions to address them. Our risk management
professionals will also determine which risk mitigations are most effective for your organization’s security
goals, while presenting sound options for management based on comprehensive cost/benefit analyses.
This can enable your executive management and board members to better fulfill their IT governance
roles while making high-ROI investments in your security infrastructure.

Hartman is fiercely independent. Unlike other firms that offer IT guidance, Hartman does not sell or profit
from any technology solution, so clients know the recommendations they receive are always in their best
interest. Hartman advisors are fellow executives who listen to concerns and keep confidences.

Contact us today to discuss your unique situation and potential options for cybersecurity risk
management. We will provide you with the data, tools and strategies to help minimize security threats
and safeguard your IT infrastructure.

contact us
www.hartmanadvisors.com
(410) 600-3200
inquiry@hartmanadvisors.com
