Balancing business survival, cyber risk, customer compliance, and privacy compliance
Pandemic impact on Managing Risk
Businesses of every size are dealing with a perfect storm created by the COVID-19 pandemic. Prior to the pandemic, there was a growing recognition of the need to balance business growth against risk management: cyber risk, third-party compliance requirements, and regulatory compliance for information security and privacy. In the Marsh-Microsoft 2019 Global Cyber Risk Perception Survey, published in September 2019, cyber risk was identified as a top 5 concern by 79% of respondents, and regulation/legislation was identified as a top 5 concern by 55% of respondents.
Figure: survey question "Of the following business threats, please rank the top 5 that are the biggest concerns to your organization"1 (chart not reproduced here)
Importantly, in that same survey, economic uncertainty was identified as a top 5 concern by 59% of respondents.
Today, the empirical evidence of the pandemic, closures of SMB businesses and bankruptcies of many large organizations that have lost sales, suggests that economic uncertainty has likely catapulted to the number 1 risk for many organizations. An almost absurd question now exists:
Which is the higher priority for the business?
- dealing with the sales/cost issues caused by the pandemic or
- preventing significant loss to the business caused by ransomware, data loss, regulatory fines, privacy suits, or loss of business from failing to meet customer compliance requirements?
Sadly, some organizations caught in the perfect storm have no choice but to first try to survive. One must be able to breathe before worrying about anything else. For those that are growing because the perfect storm multiplied their opportunities, e.g., e-commerce, logistics associated with e-commerce, essential businesses like grocery stores, and those that have enough sales to stay afloat, there are rational ways to weather the perfect storm. These start with implementing the lowest common denominator for addressing cyber risk: "reasonable" security practices and procedures. The word "reasonable" is very significant because it satisfies the minimum regulatory and real cyber security requirements. These requirements are the foundation for protecting the business, satisfying data breach regulations, and an underlying requirement of privacy regulations. The word "reasonable" is baked into laws, and the acid test for "reasonable" is in the results of legal decisions. Every legal decision on the adequacy of "reasonable" security is founded on having a cyber risk management program in place that balances protection of the business, its customers, and any others. While the Marsh-Microsoft 2019 Global Cyber Risk Perception Survey shows that 88% of organizations assign accountability to the IT and Information Security groups in their companies, every organization needs a way to understand what is enough security. Without a cyber risk assessment and an ongoing process for updating cyber risk management, it is difficult to understand how much is enough.
Risk management is not only the foundation of "reasonable" security; it also answers the question of how much is enough and allows the business to knowingly accept the remaining risk.
Pandemic and Privacy
For organizations that must address privacy during the pandemic, there are rational steps to leverage privacy to improve the value of the organization's brand and to lower the cost of implementation and ongoing operation. We find that most organizations have not yet addressed their privacy compliance requirements, and those that have often think they are minimizing cost when they are actually increasing ongoing operational cost. A follow-on post on this is forthcoming.
1 Marsh-Microsoft 2019 Global Cyber Risk Perception Survey