Learn how a cyber risk assessment supports compliance with South Carolina data security and breach laws while improving cyber resilience.

Cyber Risk Assessment and Cyber Resilience for SMBs

December 16, 2025

Cyber Risk Assessment: A Tale of Two Cyber Cultures

Remember those brothers we read about as kids back in the day?

They are all grown up now and leading their own companies. While they share a past, their present looks very different, especially when it comes to cyber wellness and building a workplace culture that supports good cybersecurity practices.

One of these companies has endured punishing cyber breach activity, EFT fraud, and ransomware. The other is experiencing strong growth and impressive cyber resilience. See if you can guess which is which.

Managing Cyber Risk Is an Executive Responsibility

Mr. Goofus thinks cybersecurity is just a fad, a shakedown for schmucks, and cannot be bothered with any of it. It has never been a problem in the past, so why should anything change? It will not happen to us. Nobody is even targeting us.

Mr. Gallant knows better. He understands that managing cyber risk is a serious executive responsibility and that ignoring it is a massive oversight. Breaches can happen at any time, so the XYZ team takes cybersecurity seriously as part of their overall risk management strategy.

Third Parties, Trust, and Costly Assumptions

Mr. Goofus trusts his vendors completely. There is no need for any time-consuming process to learn new skills with friends and partners like his. Nobody pulls the wool over his eyes. He pays everyone promptly, with no questions asked.

Of course, nobody talks about the time he got tricked and lost $483,000. If the board ever knew.

Mr. Gallant takes a different approach. His company has completed a thorough cyber awareness training program and follows best practices created by cybersecurity experts. Payment requests are validated using clear processes designed to prevent fraud. He and his team double-check each request with a phone call to make sure it is not EFT fraud. So far, it has kept them out of trouble.

When Cybersecurity Controls Are Missing

Mr. Goofus had a big night with clients and wakes up furious. Every computer now shows a blue screen demanding a ransom payment. Nobody knows what to do. Some people are thinking of going home until it is fixed.

He fires Tony in accounting for rolling his eyes and storms around yelling while calling IT firms to create a plan. Meanwhile, the business is losing millions by the hour.

Mr. Gallant’s workplace looks very different. Everyone knows their role. Employees are trained. People are rewarded for doing the right things. He provides acknowledgment, encouragement, and perks for teams that support cyber risk initiatives. Yesterday, he announced positive results, improving scores by 17 percent over last quarter. The top-performing department received gift cards.

Cyber Resilience Creates Business Advantage

Mr. Goofus just authorized Karl to send $2 million in bitcoin to an account in Uzbekistan and told him not to tell a soul. Executives scramble to explain a payroll crisis while rumors spread. Nobody feels safe. Everyone is updating their résumé.

Mr. Gallant, on the other hand, just announced a major new win. His company earned the business of a key new client and partner. They had to prove they could be trusted with exchanging sensitive data. Thanks to a strong cyber culture and trained workforce, they stood out against the competition.

He is a great boss.

Why a Cyber Risk Assessment Changes Everything

In case there is any confusion, the company struggling with cybersecurity issues is Mr. Goofus’ ABC Enterprises.

The best thing he could do is start with a baseline to understand where the real issues are. A cyber risk assessment that identifies specific vulnerabilities helps leadership get focused, prioritize action, and begin the journey toward long-term cyber resilience supported by practical cybersecurity controls.

For additional guidance on recognized best practices, readers may find value in:

If you want guidance from a partner who understands the realities facing SMBs, explore guidance for SMB leaders strengthening security or learn more about tekrisq’s approach to cyber risk.
Risk professionals and advisors can also find value in resources for risk professionals and MSPs.

Ready to schedule an assessment for your business? Start the conversation with tekrisq today.


Definitions

Cyber Risk Assessment
A structured evaluation used to identify vulnerabilities, assess likelihood and impact, and guide a practical risk management strategy.

Cyber Resilience
An organization’s ability to prevent, withstand, recover from, and adapt to cyber incidents without disrupting operations.

Cybersecurity Controls
Technical, administrative, and procedural safeguards used to reduce cyber risk, prevent fraud, and limit damage during incidents.

Cybersecurity firm offering cyber risk assessments, cybersecurity insurance, and regulation assistance for SMBs and risk professionals across the globe.
