When developing a risk management plan, organizations spend a lot of time assessing their threats and vulnerabilities — and that is how it should be. However, there is no one-size-fits-all solution to risk management, and we find that firms sometimes need help prioritizing where to budget. That is where consequences come into play.
Unlike cyber threats, which are always changing, the consequences of a cyber attack can be known and planned for. To assess consequences, consider: (1) what will happen if we get hacked, and (2) how can we deal with this proactively?
When starting a risk management plan, instead of starting with the unknowns (cyber threats), start with what you know and build from there by asking these questions:
- What are the unacceptable losses? They could be money, system access, personal contact information, trade secrets, or private data.
- How can these losses (consequences) be proactively addressed?
- What resilient systems are in place to minimize unacceptable consequences?
- How can we utilize people, processes and technologies to constrain unacceptable consequences?
By using this strategy, SMBs with limited IT budgets can plan to proactively address and constrain very real consequences and unacceptable losses, instead of chasing the always-moving target of cyber threats.