When you go for a hike at the Glacier National Park, in the state of Montana, you run the risk of having an encounter with an apex predator, the grizzly bear. The thought of coming face to face with a grizzly bear is frightening, yet thousands of people visit the Glacier National Park every year. Humans have learned that we can venture into the homes of grizzly bears and safely if we take certain precautions.
If you want to hike in the Glacier National Park, you need to start by thinking ahead and being prepared. This includes bringing the right equipment with you, doing your research about safety precautions at the park, and understanding the various risks that you might face, such as animal encounters, extreme weather, or other natural occurrences.
Once you’ve made these initial preparations, you still want to make sure you’re secure while at the park. This includes measures such staying on the recommended trails and established camping areas; making sure food is secured and sealed away so you don’t attract the attention of unwanted visitors, and not bothering the wildlife, even though you just want to get one picture. Often times, a “just this once” situation is a risk you shouldn’t take.
Assuming you’ve done all of the preparation and followed all of the safety guidelines, there’s still a chance you’ll encounter that grizzly bear, and if you do, you want to make sure you’ve got another level of protection in bear spray. This aerosol pepper derivative creates a temporary incapacitating discomfort for grizzly bears if sprayed into their face and in most cases will allow the hiker to avoid being attacked by the giant bear.
The bear spray is designed to protect people from very specific risks in the event that you’re up against an aggressive predator like a grizzly bear. If you run the risk of being mauled by an angry grizzly bear, use the bear spray. This is an example of utilizing the proper protection mechanism based on the unique risk. It is imperative that you deploy the appropriate protective control(s) based on the actual risk you are faced with.
The same concept holds true in the digital world. There is a wide variety of cybersecurity controls, such as firewalls, anti-virus agents and data encryption technologies that are designed to protect organizations from different types of cyber threats and vulnerabilities.
There are also limited resources available (time, money, and human capital) to properly implement cybersecurity controls, train employees how to use them and then maintain those controls going forward.
Limited resources force us to be selective about which cybersecurity controls we choose to deploy. The decision to implement protective measures against cybersecurity threats should be entirely based on the desired level of overall risk reduction. It is hard to reduce the risks posed by cybersecurity threats if you do not have a clear understanding of a few things in advance.
First – you must clearly understand what all the unique risk events are. In other words – what are the bad things that could happen because of the cyberthreats and vulnerabilities that exist? Examples may include:
- An unsuspecting employee falls victim to a crafty social engineering attack and accidentally downloads malware that then propagates the network, encrypts all data and demands a ransom be paid in exchange for the decryption key.
- A forgetful employee leaves their company laptop in the hotel room and it is lost forever.
- A hacker successfully gains access to a public facing server after cracking the password using brute force.
Second – you must clearly understand the likelihood of the risk event occurring. Consider industry trends, historical data (has this ever happened before?), existing controls already in place, and the unique business operations of the organization. For example – we stated above that an employee may lose their company laptop, but now we must challenge ourselves to determine how likely it is that this particular risk event will occur. An organization that has hundreds of traveling consultants is far more likely to have one of them lose a laptop than an organization that has employees operate out of a single office location and does not permit mobile devices to leave the building.
Third – you must clearly understand the tangible and intangible impacts to the organization if the risk event occurs. Consider the ability to conduct normal business operations, the health and safety of employees and customers, brand reputation, penalties or fines, and loss of revenue. Using the same example from above – what would be the impact to a company’s security level, public reputation, and revenue if an employee does lose that laptop?
Understanding what bad things can happen, how likely it is that they will occur, and how painful it will be to deal with them are all critical pieces of knowledge to have before making a decision about what types of protective controls to spend your limited resources on. Remember, the goal is to reduce overall risk. Figure out what specific risk events are most likely to happen and will be extremely painful to deal with. Then decide what protective controls you should put in place to prevent those risk events from occurring.
If you’re faced with a grizzly bear, you’re going to want that bear spray ready to protect yourself. Make sure the cybersecurity controls you invest in will address your actual risk as well. Contact the experts at TAG Solutions today to make sure your cybersecurity framework is strong enough to protect your business and network.