All business decision makers must deal with risk at some level, whether it’s market risk, cybersecurity risk or financial risk. For all of these (and other) risks, proactively making a choice is far better — and safer — than leaving things to chance.
In the technology arena, this is especially true. Two decades ago, most technology risk was focused on keeping systems running and avoiding downtime. While this is still very important, modern threats, such as cyber attacks and ransomware ploys, are upping the ante considerably. Tolerating excessive risk regarding networks could open the “back door” and invite cybercriminals onto the network.
Shrewd business leaders will evaluate their risk management options regarding network strategies and select the one that is the best fit for their risk tolerance. Targeted risk mitigation can literally pay for the programs and services that provide that protection. Following are our thoughts on five risk mitigation strategies.
1. Risk Avoidance: With this approach, business leaders develop an alternative strategy that allows them to avoid as much risk as possible. In the case of network strategies, this would require taking a “spare no expense” approach to ensure the network — both its core and its endpoints — is protected to the greatest degree possible. Enhancements that would help achieve that goal are risk assessments, network access controls and continuous network monitoring, stringent firewalls and deployment of antivirus software, and a rigorous patch management schedule.
2. Risk Transfer: With this method, organizational leadership contracts with a third party that assumes the firm’s risk and the consequences of negative outcomes. An example of this approach would be outsourcing network management to a third party that provides a very strong uptime guarantee backed by a commitment to cover losses due to outages and other problems. Unfortunately, as the risk of IT outages due to natural disasters, outdated infrastructure and careless personnel has risen, this option has become increasingly expensive as well.
3. Risk Reduction: This option involves a measured approach whereby organizational leadership decides how much risk they can bear and then enacts policies and procedures aimed at limiting their risk to that level. This is a reasonable compromise for many companies, but leadership should ensure they are weighing all the variables, including potential compliance penalties and other negative consequences, if their IT risk-reduction strategy fails to protect the firm and/or its clients.
For example, if the organization does not have a full-time network administrator and other IT specialists on staff, they might look to an outside provider whose experts can effectively weigh all the variables to determine whether or not the risk reduction is sufficient for the risk involved. The outside firm could then help them map a plan for future improvements.
4. Risk Spreading: Risk spreading is another mechanism for reducing risk in a calculated fashion while accepting some potential consequences of incomplete risk management. For example, a company leader might contract with a third party, such as an IT firm, to provide network monitoring, management and support. In this example, it would be important to explore the firm’s uptime guarantees and other metrics to confirm the level of responsibility the outside provider is assuming.
5. Risk Acceptance: Here, the business owner agrees to accept whatever risk results from taking no proactive measures. While some business owners take this approach, we don’t recommend it. Even firms with significant backing and/or limited exposure to risk (e.g. closed, hyper-secure networks and few significant exposure points such as remote workers) are vulnerable in today’s risk-laden business operating environments.
At a minimum, firms that plan to accept their current level of risk should contract with an outside IT provider to perform a vulnerability assessment of their current network systems, infrastructure and endpoints to ensure no new vulnerabilities have crept in unnoticed.
We have encountered business leaders who feel paralyzed and unable to determine their IT risk and choose to ignore it altogether. We urge company leaders not to take this approach. Company leaders who accept network risk without proper analyses are setting themselves up for the loss of public confidence, compliance violations and potential business closure.
Getting Help with Your Decision-Making Process
At Carmichael Consulting Solutions, we have decades of experience helping business owners evaluate and benchmark their risks, from network threats to lack of employee awareness. We also work with them to explore and mitigate their exposure points, not only with networks but also for IT systems, employee devices and more.