From the most basic perspective, using the Internet has become incredibly risky because the bad guys, criminals, hackers, malicious, and, in some cases, just curious users, have recognized the Internet as a source of almost limitless information. In today’s digital economy, information = money. All data, no matter how innocuous or almost irrelevant it may seem to you, has value to someone. And because even today with everything we know about the risks and about protecting ourselves, the vast majority of both large and small companies online aren’t taking adequate steps to protect themselves. Combine a wealth of information (remember, information=money) along with a bunch of unprotected systems hosting that information, and you create a breeding ground for criminals to make a very comfortable living online stealing information and holding systems hostage (the cost of cybercrime is estimated at $6 TRILLION in 2021 by Cybersecurity Ventures). If you aren’t taking reasonable effort to protect yourself and your business online, you’re simply helping to perpetuate the problem. It’s time to break the cycle!

You may have heard of the Internet of Things (IOT). IOT refers to the billions of devices in comparison to people that are connected to the Internet. Rather than laptops and desktops being used by people, IOT devices are typically purpose-built devices that are performing a specific function. Think of the myriad of new smart home devices like the Google Nest and Amazon’s Alexa. Even your Smart TV is connected to the Internet so you can run Netflix or Disney+ right from the TV without any set top boxes. Every one of those devices (TVs, refrigerators and other smart appliances, smart home devices like light switches, garage door openers, front door cameras, the list goes on) has an Internet address and is able to talk to the Internet, just like you do when you’re on your laptop or home PC surfing. Each one of those devices represents a potential security risk if it hasn’t been properly secured. If the average household now has 10 or more connected devices, that’s 10 places where poor or non-existent security controls could provide a hacker into your home network. With so many people now working from home, someone on your or your employee’s home network is one step away from accessing the sensitive company information on your corporate network.

Simply put, cybersecurity protects everything companies (large and small) and individuals require to prevent hackers from gaining access to the information and possibly disrupting their business operations. Cybersecurity includes people (you, your users, and your suppliers), processes (things you need to do, things you and your users shouldn’t do), and technology (tools to protect your users and systems, tools to identify potential or actual security issues, and to alert, track, and record what’s happening and help you respond if a security incident does occur). Good cybersecurity hygiene helps ensure your company is proactively ready to deal with an incident, rather than reactively responding to an incident without any type of game plan or response capabilities already in place. It’s the door that you always lock, the alarm you always turn on at the end of the day, the camera system that’s always watching. Proactive activities help prevent an incident from happening in the first case and provide you with accurate and instant information if it does.

First you need to know what a risk management program is before you decide if you need one. Simply put, it’s a program that helps you identify the risks your business faces and provides guidance for addressing those risks. It’s not something you do once, instead it’s something you revisit at least annually and sometimes more often depending on your business and regulatory/compliance requirements you may face. The goal of the program is to help you be prepared to deal with common risks you face, have your tools and processes in place to respond if need be to an incident, and ensure that what you’ve put in place is effective, not just at the time you implement it but also in the future. Networks, systems, and people all change with surprising regularity in most companies. The periodic “health checks” ensure that your people, processes, and technology are all up to the task which you’ve assigned them.

In most companies, having an acceptable use policy allows you to set a baseline set of expectations for your employees and any users of your corporate network and resources. Think of it as a list of do’s and don’ts: Users shall use strong passwords, users won’t share their account information with anyone else, users won’t go to inappropriate websites while using a company PC or laptop, or while connected to the corporate network. Most statements should be common sense, but not everyone will understand them. Another challenge of the acceptable use policy is that it usually talks about what users should and shouldn’t do, but it doesn’t talk to them about why they should or shouldn’t do those things. Aligning your acceptable use policies with employee awareness training ensures that your users understand why they are being asked to do or not do certain things, making it far more likely they’ll follow your policies.

Policies are the lifeblood of risk management for any organization. Without policies, people don’t know what they should or shouldn’t do, how they should behave, etc. This leaves your company and its information open to unnecessary exposures. With a good set of policies in place, you ensure your users will take reasonable efforts to help protect the company. You can also demonstrate to your customers what you’re doing to manage risk inside your company (and more and more these days, they’re starting to ask about the protection of these risks). Policies are implemented using 3 key components: The policy itself which outlines the requirement/s, some process or technology to help enforce the policy, and a way of validating the effectiveness of the policy-in other words, is it doing what it’s supposed to be doing? Without all 3 pillars, you’re actually exposing the company in many cases to greater risk. If you just have a policy but do nothing to enforce it, people may think you’re protected when you’re not. If you create a policy and put something in place to enforce it but then don’t validate it periodically, it may stop working or a change may make the policy ineffective, without periodic health checks you may be exposed and never know it until it’s too late.

Viruses and malware and ransomware, oh my! These are just a few of the risks that users face every time they connect to the Internet. Phishing emails are sent to unsuspecting users with links that, when clicked, try to install software on your laptop, pc, and even your mobile phone. This allows them to do things you wouldn’t want them doing. In some cases they can take over the machine and steal information from the machine. With ransomware, they can even encrypt your machine entirely, after which they’ll happily sell you a key to unlock your files but for a healthy price of course. Losing access to your computing device, having your data stolen and sold to the highest bidder, and having your bank account emptied out-all of these are very real risks that people suffer every day while using the Internet. You can go a long way towards managing these risks by taking a proactive approach to risk management for you, your company, and your employees.