How To Quantify & Assess The Financial Impact of Business Closures on Your Bottom Line

The unfortunate reality for businesses of all sizes right now is sudden business closures (or having to decide whether now is the time to reopen).

With COVID-19 outbreaks at your physical locations meaning potential mandatory lockdowns, and with the question of whether to reopen at all, it’s important to know the figures and what each option could cost you.

We wanted to share how you can use Boardish to quantify into hard numbers what this means for your business.

  • Is it more cost-effective to keep your physical locations closed rather than adopt new procedures?
  • What is the real ‘solution’ cost of implementations? (including the cost of your expert’s hours and time)
  • What is the sales loss for your business closure?
  • What is the regulation impact for remaining closed? (and does this pose a higher risk to you?)

With Boardish you can compare the cost of a closure to your business, and the full solution cost, against your turnover, so that you can decide which areas of the business are still viable and make a quick decision with all the numbers in hand once you’ve run your simulations.

Once you’ve input your company information you can run several simulations on different scenarios so you can see the full picture quickly, and then use this information to get a fast decision from the board or decision-makers.

Boardish gives you a snapshot of the information you need on the company right now, and you have complete manual control over the efficiency of your solutions, so you don’t have to consider AI learning time or integration into your systems.

The Boardish Web App is ready to go right now, and you can do all this in the FREE Boardish Basic Tier! 

Take a look at our video above, which runs through the exact process so you can quantify exactly what you need right now.

What You Need For Career Progression From ‘just’​ a tech person to Technological Management (CISO, CIO, CTO etc.)

As someone who was a “techy” for many years (in my early days as a system administrator I installed and managed Server 2003 with Exchange 2003, before SP1), I know how tricky the transition from ‘tech’ to ‘management’ is.

In essence, the transition is taking all of your technical knowledge and using it to make smarter business decisions informed by that knowledge, rather than technical decisions based on technical knowledge.

Basically…

Installing and managing “Decisions and Methodology” rather than software and hardware.

When you initially start as a helpdesk person, networking person, system administrator, etc., your entire focus and terminology are technological. You need to think in “technological” language and provide technological solutions to technological problems.

But, when you climb up the ladder you get more opportunities and responsibilities to interact and ‘troubleshoot’ at an operational level.

This is where many professionals get stuck and struggle to progress in their careers, because they don’t adapt their methodology and terminology into ‘business speak.’ They revert to “technical solutions for technical problems.”

But I wanted to share 3 ways you can get started transitioning from tech to management that I found useful in career progression.

#1 Research your business (and understand it)

Treat this the same way you would treat technical learning and research when you’re troubleshooting. Talk with your colleagues, and make sure you know the business you are working in/with:

  • What does the business do?
  • What is the vision of the business?
  • Who is the target audience?
  • What is the USP (Unique Selling Proposition) of the business – how does this business differentiate itself?
  • Who are the competitors?
  • What are the biggest challenges the business is facing?
  • What role does technology play in the business function?
  • What technological risks are the biggest right now?
  • How does the business get impacted by these risks?

In Boardish, for example, we also encourage you to look at how many users are impacted by technology and to what degree. We classify them as ‘high, medium, and low’ impact users: the high impact users are the employees who will lose significant working capability when technology is unavailable (high reliance on technology).

Knowing all of these things is the first step to making meaningful inputs and decisions at management levels and beyond. Particularly if you’re aiming for the CISO position.

#2 – Familiarize yourself with business & risk terminology:

You need to see how technology relates to the business as a function in the macro, rather than the fixes in the ‘micro’ and this means learning and understanding many terms. Particularly if you’re interacting with other departments or decision-makers.

This means stepping outside of the technical and understanding things like:

  • Annual company turnover = The total sales made by a business in a certain period. It’s sometimes referred to as ‘gross revenue’ or ‘income’. This is different from profit, which is a measure of earnings. It’s an important measure of your business’s performance.
  • Market positioning = The competitive advantage of an organization and the ability for your business to influence its customers. Sometimes this is discussed as ‘brand positioning.’

As well as risk terminology (these are taken from our Boardish ecosystem) including:

  1. Market Loss – The loss of market positioning (customers or market share that go to competitors) as a result of a threat or combination of threats to the organization. 
  2. Sales Loss – The value of sales lost as a result of a threat or combination of threats to the organization. 
  3. Salary Loss – The financial impact on salaries (staff paid for workdays they cannot work) as a result of a threat or combination of threats to the organization.
  4. Regulation Loss – The financial impact on the organization of being hit by regulatory fines as a result of a threat or combination of threats to the organization. 

#3 – Start evaluating how effective your tech solutions are against threats

You will already know the technological risks and threats to the company (ransomware, for example), and you already know your preferred way of protecting against them.

But now it’s time to quantify them for the business.

How effective are your solutions (or combination of solutions) at protecting against these threats? And how much money can you save the business by deploying certain solutions?

Translating tech to business is a key milestone in your career progression that is going to help you get from techy to manager and be more heavily involved at the decision-making level.

Get started by running simulations on Boardish. When you set the TPF (Threat Protection Factor) you find out how efficient the solutions are against the threats, in financial numbers. Boardish Basic is completely free for you to test and experiment with as you get to grips with the new terminology and knowledge and make the steps towards speaking the language of the business.

Sign up to Boardish here: https://app.boardish.io/login

Learn more about Boardish: https://www.boardish.io/

Eli Migdal – Co-Founder of Boardish.

Rebuilding Your IT Budget After COVID-19

The COVID-19 pandemic shows just how hard it is to prepare for major business disruptions. Nobody expected a global pandemic to throw off so many businesses and many have not properly quantified the risks of being affected long-term in such an event.  

Lots of businesses have had very little time to prepare for the impact, with business continuity plans not including the scenario. Crisis management now revolves around abandoning budgets completely and cutting expenses wherever possible just to try to stay afloat.

Unfortunately, this means that every expenditure and every budget from major functions is being scrutinized, cut down, or removed completely.

Moving away from reacting

This approach is to be expected as businesses have had no other choice but to go for what many would describe as a knee-jerk reaction to COVID-19.

But now, in the middle of the crisis, businesses need to make time to move away from the reactive approach and work on long-term pandemic mitigation strategies if they want to stay viable.

Pivoting quickly is the name of the game and that includes reevaluating expenditures, impact, and short or long-term goals amidst this novel crisis.

Getting the priorities straight

The number one priority is to keep the business viable. For most, this means accelerating the digital transformation, enabling employees to work from home and offering services online.

As an IT and cyber professional, you’ll need a way to show the board the impact the COVID-19 crisis has on business technology, how it affects employees, the impact of downtime, new regulations, and how your solutions can help mitigate negative effects.

You need a way to make it abundantly clear which parts of the IT budget are needed to keep all essential services and functions running and to move business functions online.

For all of this to be justifiable at a time when boards have taken a cutthroat stance towards most expenditures, you need to quantify every single IT expense right now.

Remember, the board is now looking to take away anything they deem unnecessary, so don’t go for any type of “nice to have” things in the IT budget – you need to rebuild the budget according to the current crisis and make a good case for the crucial “staying in business” expenses right now.

Boardish helps you rebuild your IT budget

As a tool that can quantify different cyber and technological events and regulatory changes, Boardish helps you present what really matters to the board right now – solutions that will keep the business running throughout the crisis and which options will mitigate the impact on the business the most.

With most employees staying home, the business will need a robust platform that will enable them to connect from home and work efficiently, but at the same time mitigate any risk of cyberattacks when connecting this way.

Maybe the organization is not ready to implement such a system now, but the alternative – not working for a while – is actually worse than they think, or is it? You can quantify whether it’s better to ‘hibernate’ or ‘push forward’ using financial figures.

With Boardish, you can show the board the impact on the bottom line in case employees can’t work from home at all, versus working from home with different platforms and solutions that can help keep the operations running.

While implementation in the middle of the crisis sounds like something the board would never agree to, with the numbers for your specific business to back you up, you can show them that stopping operations or even letting people go will cost them more in the long run and can make recovery harder after the crisis is over.

With real figures to back you up, you’ll be able to make a solid case in front of the board and ensure your IT budget can support the business and operations through these uncertain times.

Boardish started as, and always will be, an IT budgeting tool that helps you gain immediate clarity. Rebuilding the budget is much easier when you can quantify everything and speak in financial figures instead of just labelling risk as low, mid or high.

Start Rebuilding Today

We’re well aware that right now you can’t invest in anything that’s not considered absolutely crucial to keeping the business running.

Because of that, you can use all of the Boardish features for free for the next 2 months during the COVID-19 pandemic, in order to get the clarity you need.

It’s time to put these new risks into actual numbers and bridge that communications gap with the board.

Updating Your DR/BCP with Quantifiable Figures For Covid-19 (For FREE With Boardish)

*Written by co-founder Eli Migdal, and first appeared on his personal LinkedIn here

Covid-19 is forcing many companies to re-evaluate their Disaster Recovery (DR) and Business Continuity Plans (BCP).

Previously, DR and BCP were mostly focused on natural disasters like earthquakes and floods, and in some cases, like my home country of Israel, rocket fire or a state of war.

Until now, the solution for most disaster recovery scenarios was a ‘remote site’ whose size usually depended on the size and requirements of the company.

I have personally designed, and had the unique experience of testing, real-life BCP plans that provided a solution for “Rocket Fire/State of War”, which required the critical people of the organization to work fully from a remote site and, in one scenario, even to move the core of the business to another country!

But with Covid-19 it is different: it has several new vectors that need to be added to your DR / BCP!

  1. Social Distancing – The instruction not to gather groups of people in one location means that “remote sites” are not a viable solution. Regardless of the site location, you can’t go to work.
  2. Global Impact – Most DR scenarios are focused on a region or, worst case, a country. But in this case the impact is global, so not only will shifting your key people to another country not work, you may also have to adjust your operations across multiple countries at once.
  3. Lack of Preparation – Working from home became one of the only solutions, but it also brought up several challenges: poor security, home-grade networking equipment not “cutting it”, and home-grade bandwidth not being sufficient.

So these new risk factors/vectors need to be included in our Disaster Recovery, and Business Continuity Plans. We need to quantify them so we can actually make a decision based on the financial impact they will cause.

Using the free version of Boardish (boardish.io) you are able to quantify the exact metric for each threat, and the impact of that on your business.

For example, take the “Main site is not accessible” threat. What questions should you ask yourself when quantifying it?

  1. What is the chance of losing market positioning?
  2. How many turnover days will you lose, and what percentage of productivity is lost on those days? (Will you lose 100% of turnover, or will some operations continue at, say, 60%?)
  3. How many workdays are lost for each type of employee? That depends on how reliant each type of employee is on technology*.

*An important note: a threat like “main site not accessible” has a very unusual profile. The “low impact users” (those less reliant on technology) are affected in greater numbers. Your high impact users (high technological reliance) will have a laptop or VPN, so the threat impact on them is low, but your low impact users (low technological reliance) are hit harder because there is no technological workaround for them, so they lose more workdays.

(This is the exact opposite from quantifying the Ransomware threat because the users who are heavily reliant on technology will be impacted the most)

Then select your Solutions, for example below:

Set the efficiency of the solution against the threat, for example below:

Define how many human resources you need for each solution:

Define the regulation impact ( usually very low or none in this scenario ) and get your dashboard. Using this info will make it very EASY to quantify your DR / BCP plan and get it approved quickly by decision-makers.
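To make the walkthrough above concrete, here is an added example that is not Boardish’s code and not its internal formula: a deliberately simple model of the four loss categories defined earlier (market, sales, salary and regulation loss), driven by the questions in the walkthrough (turnover days lost, productivity lost, workdays lost per high/medium/low impact user class, chance of losing market positioning, regulation impact), with a solution’s Threat Protection Factor and full cost (licence plus expert hours) applied on top. The company figures, the loss formulas, the “revenue at risk” input for market loss and the TPF values are all assumptions; the two threat profiles only reproduce the asymmetry the note describes (site outage hits low-reliance users hardest, ransomware hits high-reliance users hardest).

```python
"""Illustrative threat-impact model for DR/BCP quantification (added example,
not Boardish's formula).  All figures and formulas below are assumptions."""
from dataclasses import dataclass

WORKING_DAYS_PER_YEAR = 250  # assumption


@dataclass(frozen=True)
class UserClass:
    name: str          # "high" / "medium" / "low" reliance on technology
    headcount: int
    daily_cost: float  # loaded salary cost per workday (assumed)


@dataclass(frozen=True)
class Threat:
    name: str
    turnover_days_lost: float      # days on which sales are affected
    productivity_lost: float       # 1.0 = 100% of turnover lost, 0.4 = still running at 60%
    workdays_lost: dict            # user class name -> workdays lost per employee
    market_loss_chance: float      # probability of losing market positioning
    market_revenue_at_risk: float  # annual revenue that would go to competitors (assumed input)
    regulation_chance: float       # probability of a regulatory fine
    regulation_fine: float         # size of that fine


@dataclass(frozen=True)
class Solution:
    name: str
    tpf: float           # Threat Protection Factor: fraction of the loss prevented (0..1)
    licence_cost: float
    expert_hours: float  # your own team's hours to implement it
    hourly_rate: float

    @property
    def total_cost(self) -> float:
        return self.licence_cost + self.expert_hours * self.hourly_rate


@dataclass(frozen=True)
class Impact:
    sales_loss: float
    salary_loss: float
    market_loss: float
    regulation_loss: float

    @property
    def total(self) -> float:
        return self.sales_loss + self.salary_loss + self.market_loss + self.regulation_loss


def quantify(annual_turnover: float, users: list, threat: Threat) -> Impact:
    """Gross financial impact of one threat with no solution in place."""
    turnover_per_day = annual_turnover / WORKING_DAYS_PER_YEAR
    sales = turnover_per_day * threat.turnover_days_lost * threat.productivity_lost
    salary = sum(u.headcount * u.daily_cost * threat.workdays_lost.get(u.name, 0.0) for u in users)
    market = threat.market_loss_chance * threat.market_revenue_at_risk
    regulation = threat.regulation_chance * threat.regulation_fine
    return Impact(sales, salary, market, regulation)


def evaluate(impact: Impact, solution: Solution) -> dict:
    """Residual loss after applying the solution's TPF, and the net saving after its cost."""
    residual = round(impact.total * (1.0 - solution.tpf), 2)
    net_saving = round(impact.total - residual - solution.total_cost, 2)
    return {"solution": solution.name, "gross_loss": impact.total, "residual_loss": residual,
            "solution_cost": solution.total_cost, "net_saving": net_saving,
            "cost_effective": net_saving > 0}


# Constructed sample company: 200 staff, 10M annual turnover.
ANNUAL_TURNOVER = 10_000_000.0
USERS = [UserClass("high", 40, 400.0), UserClass("medium", 60, 300.0), UserClass("low", 100, 200.0)]

# Site outage: low-reliance users lose the most workdays (no laptop/VPN); 60% of operations continue.
SITE_DOWN = Threat("Main site not accessible", 10, 0.4, {"high": 1, "medium": 5, "low": 10},
                   0.05, 1_000_000.0, 0.0, 0.0)
# Ransomware is the mirror image: high-reliance users are hit hardest, and a fine is possible.
RANSOMWARE = Threat("Ransomware", 5, 1.0, {"high": 10, "medium": 5, "low": 1},
                    0.10, 1_000_000.0, 0.2, 500_000.0)

LAPTOPS_VPN = Solution("Laptops + VPN for all staff", tpf=0.8, licence_cost=60_000.0,
                       expert_hours=200, hourly_rate=100.0)
# A traditional remote site cannot be used under social distancing, so its TPF here is 0.
REMOTE_SITE = Solution("Remote DR site", tpf=0.0, licence_cost=150_000.0,
                       expert_hours=0, hourly_rate=100.0)


def run_simulation() -> dict:
    site = quantify(ANNUAL_TURNOVER, USERS, SITE_DOWN)
    ransom = quantify(ANNUAL_TURNOVER, USERS, RANSOMWARE)
    return {"site_down": site, "ransomware": ransom,
            "site_down_laptops_vpn": evaluate(site, LAPTOPS_VPN),
            "site_down_remote_site": evaluate(site, REMOTE_SITE)}


if __name__ == "__main__":
    for key, value in run_simulation().items():
        print(key, value)
```

With these inputs the site outage costs 516,000 gross (160,000 sales, 306,000 salary, 50,000 market), ransomware 670,000, and the laptop/VPN option leaves a residual loss of 103,200 for a cost of 80,000, so it is cost-effective; the remote site spends 150,000 and prevents nothing. Swap in your own headcounts, day rates and TPF estimates; the point of the model is that the decision falls out of the comparison of gross loss, residual loss and solution cost, not out of a low/medium/high label.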

Try Boardish for free here: https://boardish.io/

Best,

Eli Migdal – Co-Founder of Boardish.

Where to Find Out About Cybersecurity Events

Without a way to identify business cyber threats yourself, you can only wait for an attack, which will cost more than taking a proactive approach. 

This means doing some legwork to keep up with new developments in both cyber threats and solutions.

But where can you find out all the latest developments on cyber threats? 

You can start with data sources that keep track of the common vulnerabilities and exposures (CVEs) – such as official CVE sources, security blogs, publications, groups, and vendors who share news about the latest CVEs.

CISOs struggle to keep up with new cyber threats 

Your primary focus should be CVE news about the vendors and systems your business is currently using, their severity (scored with the Common Vulnerability Scoring System, CVSS) and their impact on your systems. You must be able to react quickly when the CVSS severity rating is High or Critical.
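The filtering and ranking this paragraph describes, as an added example that is not from the original page: a small triage routine that keeps only the feed records matching the vendors, products and versions in your own inventory, ranks them by CVSS base score, and flags High and Critical ones for immediate action. The inventory, the feed records and the vendor/product names are constructed, and the CVE ids are placeholders rather than real CVEs; real feeds such as NVD JSON use CPE strings and richer version ranges, so the vendor/product/fixed-in shape here is a simplifying assumption that keeps the logic visible.

```python
"""Triage a CVE feed against the products you actually run (added example; constructed data)."""
from dataclasses import dataclass


def cvss_severity(score: float) -> str:
    """CVSS v3.x qualitative severity rating scale."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def version_tuple(version: str) -> tuple:
    """'4.10' -> (4, 10) so comparisons are numeric, not lexical ('4.10' > '4.9')."""
    return tuple(int(part) for part in version.split("."))


@dataclass(frozen=True)
class Asset:
    hostname: str
    vendor: str
    product: str
    version: str


# Constructed inventory; vendors and products are hypothetical.
INVENTORY = [
    Asset("mx01", "examplecorp", "mailgateway", "4.2"),
    Asset("mx02", "examplecorp", "mailgateway", "4.2"),
    Asset("vpn01", "acme", "vpnappliance", "10.1"),
    Asset("fw01", "acme", "firewall", "7.0"),
]

# Constructed feed; ids are placeholders, not real CVEs. "fixed_in": versions below it are affected.
FEED = [
    {"id": "CVE-0000-0001", "vendor": "examplecorp", "product": "mailgateway", "fixed_in": "4.3", "cvss": 9.8},
    {"id": "CVE-0000-0002", "vendor": "othervendor", "product": "router", "fixed_in": "2.0", "cvss": 7.5},
    {"id": "CVE-0000-0003", "vendor": "examplecorp", "product": "mailgateway", "fixed_in": "4.0", "cvss": 5.3},
    {"id": "CVE-0000-0004", "vendor": "acme", "product": "vpnappliance", "fixed_in": "10.2", "cvss": 6.1},
    {"id": "CVE-0000-0005", "vendor": "acme", "product": "firewall", "fixed_in": "7.0", "cvss": 8.1},
]


def affected_assets(record: dict, inventory: list) -> list:
    """Assets whose vendor/product match and whose version is older than the fix."""
    return [a for a in inventory
            if a.vendor == record["vendor"] and a.product == record["product"]
            and version_tuple(a.version) < version_tuple(record["fixed_in"])]


def triage(feed: list, inventory: list, react_at=("High", "Critical")) -> list:
    """Keep only records that hit our inventory, ranked by CVSS, flagging what needs action now."""
    hits = []
    for record in feed:
        assets = affected_assets(record, inventory)
        if not assets:
            continue  # not our vendor, product or version: noise for this organisation
        severity = cvss_severity(record["cvss"])
        hits.append({"id": record["id"], "cvss": record["cvss"], "severity": severity,
                     "assets": [a.hostname for a in assets], "react_now": severity in react_at})
    hits.sort(key=lambda hit: hit["cvss"], reverse=True)
    return hits


if __name__ == "__main__":
    for hit in triage(FEED, INVENTORY):
        print(hit)
```

Of the five records, only two survive: the Critical one against the two mail gateways (act now) and the Medium one against the VPN appliance (schedule it). The router record is for a vendor you do not run, the older mail-gateway record only affects versions you have already moved past, and the firewall record is fixed in the exact version you are on, which is why the version comparison has to be numeric and strict rather than a string match.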

But the CISO’s management of security risk is becoming increasingly complex, partly because threat actors are becoming more aggressive, using automated methods and disseminating more malware with fewer resources. 

This rapid increase in attack frequency leaves CISOs overwhelmed by the volume of attacks, the number of malware variants, and their volatility. 

Such trends make it increasingly hard for CISOs to identify business cyber threats, monitor attack surface exposure, or even analyse cyber risk.

Seeking cyber threat information in the right places 

CISOs can make their job easier by actively following security blogs and groups that share updates on CVEs, as well as official CVE sources.

The best option is to subscribe to cybersecurity groups, news sites, and big vendors to get the info from all relevant sides: the vendor and researcher angle, with focus on systems and vendors they are using. 

Some places that help: Aon releases annual cyber risk reports, which are a good starting point for identifying the business threats with the highest risk for your particular industry and business type.

  • CIS has a great cybersecurity information hub. It’s updated regularly with new business threats, outlooks, and advisory news, and has a top list of malware for the previous month. 
  • Microsoft’s blog shares diverse information and keeps its CVEs up to date. It explores topics on security priorities, cyber risk assessment, regulations, and solutions, among others.   
  • Malwarebytes’ blog shares educational articles, how-to guides, and weekly news roundups on cyber events. Sophos’ Naked Security blog discusses the newest security events, settlements, leaks, vulnerabilities, and hacks, and has its own security podcast.  

CISOs must make it a habit to check for new developments at least several times per week.

Finding cyber threats on the dark side 

Zero-day cyber threats are troublesome because most responses to them are reactive: the vendors and developers have not yet published an advisory or CVE record for them. 

Lots of security professionals feel as if there isn’t adequate information out there that would help them stay safe from these attacks. 

Browsing the dark web forums for possible vulnerabilities is one solution – just ensure that you stay in the legal zone while you do so. 

You will stumble across blogs on the dark web that mention exploits without an official CVE record. That doesn’t mean the threat is negligible; it just means no vendor or developer has acknowledged it yet.

Threat actors will often stay a step ahead, so use this to your advantage: check dark web sources and gauge the impact on your systems anyway, just in case. 

Only a proactive approach like that will help you identify business cyber threats and minimize the risks of zero-day attacks. 

Overall

The cybersecurity landscape is experiencing shifts almost daily, so you’ll have to dig into the news at least three to four times a week (if not more) to stay up to date. Proactive searching and focusing on cyber risk mitigation is the only right approach here. A reactive approach doesn’t include mitigation. By the time you react, the damage is already done!

Are Soft Skills Becoming More Important Than Tech For IT & Cyber Pros?

It wasn’t that long ago that IT professionals were hired for their IT knowledge and specialisation. The so-called hard skills they learned through education, training, certification, and on-the-job experience were all that was important. 

Now we see a shift in what organisations are expecting from cyber professionals in particular. The most prevalent trend for new IT roles is a large emphasis that’s placed on soft skills. 

The Shift Towards Soft Skills

The inclusion of soft skills to the list of wanted skills for IT and cybersecurity roles shows that the field is maturing. 

The West Monroe Partners study “Closing the Technology Leadership Gap” reveals that 98 per cent of HR leaders confirmed they place high importance on soft skills for getting a technology position, and a staggering 67 per cent had declined to offer a job to a candidate with all the hard skills because of a lack of soft skills. 

Soft skills are an integral part of the individual’s personality. They determine how an individual will respond to pressure and different circumstances in the workplace, how they will adapt to changes and interact with others. 

This shift in requirements is partly due to changes happening to the role of IT and cyber professionals within organisations now—they aren’t an isolated unit that just keeps things running. 

They are becoming an integral part of the C-suite, with CIO, CSO, CISO, CTO, CDO roles helping IT contribute to business success. 

Recently, IT and cyber pros are in more and more contact with the board or key decision-makers. They must have a proactive approach, and they must ensure that IT is in sync with the organisation’s long-term goals. 

Most important of all, they must be able to develop strategies that will help achieve such goals and have the means to explain these strategies and complex subjects from their field to stakeholders who do NOT possess hard IT skills and won’t understand the technical focus that will make it possible. 

The Soft Skills Gap Is Driving the IT Talent Gap

And while there are cybersecurity and IT talent shortages across the globe, organisations are demanding that IT and cyber pros have a good set of soft skills,  and opting to leave the role vacant for longer if necessary.  

Their reasoning? It’s easier to teach hard skills than soft skills. 

While this might be true, teaching soft skills will yield good ROI as well, as was demonstrated at MIT. It will take a while for organisations to offer professional development in soft skills, so IT and cyber pros might want to focus on developing these on their own. Doing so means being able to command a much higher salary and benefits. 

What Soft Skills Are the Most Important? 

Whenever an IT or cyber pro can’t use their vast knowledge and experience to get an approval for new solutions or strategies, a soft skills gap might be the culprit for it—communication skills, in that particular case. 

In the digital era, IT and cyber pros have become a go-to source to help with crucial business decisions. By using the right tools and language, IT and cyber specialists can make the board understand the impact of new IT and cybersecurity developments in a way that matters most—the financial impact on the company bottom line. 

IT pros who are well-versed in soft skills and know their way around business terms will have an easier time presenting their findings in front of the board. The most important soft skills for the IT field will be: 

  • Communication and negotiation skills – The ability to effectively communicate and explain your findings, risks, solutions, and strategies to the board and other stakeholders.
  • Presentation skills – Oftentimes, IT pros will find themselves in a position where they must present their findings to those who don’t have a technical background, or lead a course on cybersecurity threats and new IT solutions for in-house staff. Knowing how to shape the presentation will decide whether the subject is clearly understood or not. 
  • Adaptability and problem-solving skills – The IT and cyber landscape is in a state of constant change, with new issues and threats being revealed each day. A professional with well-developed creative thinking skills will have an easier time troubleshooting and solving IT and cyber issues, and will have no issues with being an early adopter of new tech solutions. 
  • Teamwork and conflict resolution – IT and cybersecurity professionals now work side by side with other departments, so being a good team player who knows how to defuse tense situations when working towards a common business goal takes priority over being a solo player focused on their own success. 

What soft skills play the most important role depends on the IT role within the company. 

  • Managerial positions require communicating changes, leading meetings, making presentations, and explaining problems and issues. 
  • Leadership roles require communication, active listening and analytical skills, translating technical requirements to terms that are understood by all, breaking down complex concepts, and documenting issues and actions. 

The biggest issue with soft skills is that it’s hard to teach and learn them, but it is not an impossible task. 

Developing Soft Skills as an IT and Cybersecurity Professional

The only way to get better at soft skills is to practice using them. The first thing you must do is to identify areas that you struggle with. Everyone has their strengths and weaknesses, so find out what yours are and then improve. 

Here are a few tips on improving your soft skills: 

  • Ask for feedback – Sometimes, self-assessment is not enough, so ask for feedback to become aware of areas you might have to work on. 
  • Learn from those with good soft skills – When you identify the skill you are lacking, don’t hesitate to take pointers from those who are good with a specific skill. If your colleague is great with explaining complex subjects, ask them to become your coach.
  • Do not shy away from challenges – Be proactive in getting a lead position on tasks and projects, as this helps you hone your interpersonal skills, especially communication, management, and conflict resolution.

Stay Ahead

Most important of all, always be willing to continue learning and improving your skills. The IT and cybersecurity landscape is changing rapidly and will continue to do so. So professionals in the industry need to keep up. 

Cyber and IT pros must be willing to update their knowledge and share their insights and strategies with everybody else in the company and work on improving their soft skills to make communication and presentation efficient and easy to understand.

How Are New Cyber Threats and Regulations Affecting the IT Budget?

Recent cyberattacks are pushing organisations to invest more in their cybersecurity solutions. For example, the ransomware attack on Eurofins Forensic Services stopped court cases and investigations dead in their tracks, creating a backlog of 20,000 samples. 

Add to this new regulations that directly require organisations to improve their cyber security or face large fines, and cyber solutions, and therefore the IT budget, take on greater importance. 

Here’s how recent developments (both good and bad) in trends, business, and legislation are affecting the IT budget. 

Changes to the IT budget 

IT budgets are seeing shifts in allocation segments due to new cyber threats and regulations affecting businesses across the board. 

GDPR

GDPR compliance continues to be a pressing concern for institutions dealing with sensitive information, affecting SMBs and enterprises alike. Gartner has identified that at least 30 percent of businesses will increase GDPR-related spending by investing in implementation services and consultations with security specialists.  

Implementation of security solutions enabling an increase in control over sensitive data and a better overview of how it’s accessed will be the primary concern, especially in cloud environments that enable remote access to sensitive data. 

Upgrading Legacy Systems

Spiceworks identified outdated technology as the primary reason for IT budget increases, followed closely by security upgrades due to incidents. While EU-based organisations are focusing on GDPR compliance and are allocating additional funds towards security, North American organisations increase their budgets to upgrade outdated systems. 

Gartner also reports that subscription and managed services will comprise almost half of the security software used across institutions, with Security-as-a-Service seeing an increase in uptake over on-premise security solutions. 

Hybrid solutions (having both cloud and on-premise features) are a serious consideration for many organisations. Still, on-premise deployment remains on top for now.

Increased Allocation on Cybersecurity in Budgets

IT budget spending on cybersecurity is expected to grow by 8.7% compared to only 3.2% growth in general IT spending. 

The most demanded security services will be identity and access management, data loss prevention and identity governance and administration.

What Should Be the Primary Focus for the Organisational IT Budget? 

Ensuring compliance with new regulations and identifying cyber threats that are the highest risk should be considered as a necessary first step towards a safer environment, both online and on-premise.

The risk assessment should be company-wide to ensure all risks are identified and all data locations are included. The IT department must work together with security specialists to determine the highest priority IT solutions to implement.  

Getting Approval from the Board Requires Preparation

Ensuring buy-in from board members is a crucial step in the process. Without their support, IT departments will struggle with ensuring compliance and implementing systems that deal with new cyber threats. 

Board member buy-in can be secured by educating them on the impact of identified risks and how new IT solutions minimise them, showing real cyber security ROI. 

IT managers must ensure the board understands how much avoiding the issue can hurt the organisation, by presenting scenarios where risks are quantified and presented in terms of financial and market impact.

Compliance with regulations often means upgrading existing systems or a complete overhaul of organisational operations, which requires substantial resources. Yet it still remains the preferable option compared to paying high fines and suffering a huge setback. 

Maintaining Security Posture in the Ever-Changing Cybersecurity Landscape

Your organisation’s preparedness for, resilience to, and reaction to cyber threats, from identification and mitigation to detection, response, and recovery, is what’s known as your organisation’s security posture. 

The role of the CISO in today’s organisational cybersecurity is changing and requires them to take a more comprehensive approach. 

Instead of just being in charge of different parts of IT security (processes, procedures, and policies), the CISO’s security posture drives the transformation of organisational security into something more than the sum of its parts. It helps bridge the divide between policies and processes on one side and the response to security incidents on the other. 

Maintaining security posture ensures that you always have a systematic approach towards risks and possible exposures, as well as a guideline on how to prioritise risks and how to react to and deal with security events.

You will maintain your security posture well when you:

Know the Capabilities of Your IT Assets 

You can’t maintain your security posture without a full overview of your IT assets: software, hardware, people (this includes staff, vendors, and other third-party suppliers you are working with) and their current competences. 

  • Do your staff know how to react if they detect a breach? 
  • Are they aware of the policies that are in place? 
  • Can your hardware withstand a DDoS attack? 
  • Are your networks monitored for suspicious activity so that an attacker can be detected during “dwell time”? 

By knowing the capabilities of each of your assets, you will spot the responses from each of them that might run counter to your preferred security posture, and you’ll be able to rectify them.  

Conduct Continuous Risk Assessment 

An iterative approach towards risk assessment ensures that possible risk factors across the whole organisation are identified on time and helps determine the most probable attack vectors. 

Some examples of possible risks, attack vectors, and solutions are presented below: 

  • Are your staff prone to clicking infected links or email attachments that might introduce an attack vector? Your priority might be additional cybersecurity education.
  • Are your third-party vendors skipping the right encryption protocols when they access your data, leaving you open to a breach through your partners? You might have to find other vendors.
  • Is your network secure, with all the required encryption and policies in place? If not, you might need a comprehensive data protection solution.
  • Are all protocols and certificates up to date, and are you secure against external tests? You might need to find a good monitoring solution.

A CISO who actively searches for risks can determine where the security posture is lacking additional solutions, procedures, or regulations.  

You’ll have an easier time setting up priorities for each risk, communicating the right approach, focusing, and eliminating additional costs.  

Have an Active and Up to Date Snapshot of the Organisation

Do you have a good overview of your IT inventory across the whole organisation and current risks/solutions and their costs? 

An up to date snapshot will help you maintain posture by identifying areas where you might have to apply a new approach or solution. This is exactly what Boardish does for you—by helping you provide definitive answers to the following questions: 

  • How much exposure does the organisation have, even with its solutions?
  • What are the most probable risks?
  • How will these affect the organisation in terms of actual money lost in salaries, market position, or sales? 
  • What procedures, policies, and solutions are in place for each of them?
  • How efficient are these solutions? 

Boardish can help you not just quantify the risks, but also compare exposure figures before the solution and after implementing the solution. 

Boardish can also help you decide on the most important thing: whether you will accept the risk of exposure to certain security events, or whether it would be better to invest in a solution to mitigate the risk further. This gives you true cyber security ROI. 

Have Guidelines in Place on How to Approach Security Incidents

The role of a CISO in maintaining security posture is ensuring that everyone in the organisation knows and follows the guidelines on anticipating, avoiding, identifying, and reacting to a security incident. 

These guidelines determine the security approach towards each event (is it reactive or proactive?) and the approach if the incident happens (does everyone know their role well, who reports to whom, backups, alternative work location, reporting to clients/vendors, etc.). 

The security incident perception also falls under the role of the CISO, who must ensure the incident is treated as a business (and possibly an engineering) issue instead of being an IT problem that you can’t prepare for. 

Preparation should include solutions to minimise the possibility of it happening through quick detection, encryption, monitoring, as well as having continuity solutions in case it happens.

What Happens If You Don’t Maintain Your Security Posture?

Without a definitive security posture, the organisation will often have to deal with the aftermath of exposure, increased cost of solutions, and reactive approaches that might cause even more harm. 

Lack of Prioritisation and Guidelines

Without effective security posture, your organisation will have a hard time determining which exposure risks should be addressed first, and won’t have any guidelines in place on how to react to different security events. 

Lack of Proactive Approaches

Without a clear security posture, your organisation might have to resort to knee-jerk reactions, which are haphazard and not the best long-term solution. 

Instead of dealing with the issue before it happens and having clear solutions in place, you will have to invest resources into reactive solutions that cost much more and have a wider impact in terms of setback, market position, and workdays lost. 

Using the Wrong Solution 

The notion that “what you don’t know can’t hurt you” doesn’t really work in cybersecurity. If you do not understand a risk well, you will not be well positioned against it. The result is the use of subpar solutions that can’t fully ensure the organisation’s business longevity. 

CISO Security Posture Keeps Business Strategy Safe 

As a CISO, you help build, maintain, and improve your organisation’s security posture and help your organisation withstand and react well to every risk that threatens its business goals and longevity. 

To maintain your security posture, you must be aware of all the risk factors: not just that they exist, but how they might affect the organisation, where they might enter, and whether they should be accepted or mitigated. 

IT Budgeting Practices that Deliver

IT budgets often seem to be preallocated and mostly aimed at regular operations only, according to Deloitte’s Global CIO survey. This poses an issue, as such allocation doesn’t leave much room for tech innovation. What little remains of the budget usually goes towards incremental changes. 

Yet there are positive movements showing that IT spending will increase where there are revenue opportunities, security concerns, or good business conditions, as reported in TechRepublic’s IT Budget Research Report. Per the report, the top priorities include security, cloud computing, and employee training. 

So how can you get the board to approve the IT budget you need? Start by following these best practices:

1. Keep track of your spending

When you’re making your new annual IT budget, IT spending from previous years will help you determine where you had enough, had too much, and where funds were missing. Armed with data from previous years, you’ll be able to reallocate funds instead of just trying to get a budget increase. 

Showing the board that you are focusing on efficiency and doing what you can with the budget will help you get more of your plans approved. 

2. Show stakeholders that IT is more than utility

It’s not the job of the board or decision-makers to understand everything there is to know about IT and cybersecurity. They may have heard about the latest networking equipment or enquire about the cloud without knowing how these technologies benefit the company. 

You need to show innovation and be the first to start the conversation about new technologies to show that IT isn’t just draining money. It’s your job to show IT’s value using your proposal. 

3. Show them risks and threats

Keep up to date on the current threats and risks that the company faces. This might be cybersecurity risks because you’re not using new security solutions, or because your employees lack training in how to identify possible email phishing scams. 

Keeping track of the threats to the business properly with firm reasoning and justification will help decision-makers understand why you need more funds. 

4. Calculate the financial impact of skipping on new technology

Just telling them there’s inherent risk of a security breach is not enough though. The best way to communicate risk is showing them the actual financial impact numbers. 

For example, you can show them how much it will cost to stick to the current technology stack. Then, make a comparison of using new technology – like cloud solutions – and how much less it would cost over time.

This way, even when implementation costs are high, you have the numbers to back up your claim of long-term savings.
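To make the "costs more now, costs less over time" argument concrete, here is an added worked example (not Boardish's code or model) that tallies the cumulative cost of staying on the current stack against a new solution with a higher upfront cost and lower running cost, reports the first year in which the new option is no more expensive, and handles the case where it never breaks even within the planning horizon. The figures are constructed for illustration.

```python
"""Cumulative-cost comparison of the current stack versus a new solution.

Added example, not Boardish's own calculation. All money figures below are
constructed; plug in your own yearly costs and migration estimate.
"""
from typing import List, Optional


def cumulative_costs(upfront: float, annual: float, years: int) -> List[float]:
    """Total spent by the end of each year 1..years (no discounting applied)."""
    return [upfront + annual * year for year in range(1, years + 1)]


def breakeven_year(current_annual: float, new_upfront: float,
                   new_annual: float, years: int) -> Optional[int]:
    """First year in which the new solution's cumulative cost is no higher than
    staying put, or None if that never happens within the horizon."""
    staying = cumulative_costs(0.0, current_annual, years)
    moving = cumulative_costs(new_upfront, new_annual, years)
    for year, (stay, move) in enumerate(zip(staying, moving), start=1):
        if move <= stay:
            return year
    return None


def savings_over_horizon(current_annual: float, new_upfront: float,
                         new_annual: float, years: int) -> float:
    """Money saved (negative = money lost) by the end of the horizon."""
    staying = cumulative_costs(0.0, current_annual, years)
    moving = cumulative_costs(new_upfront, new_annual, years)
    return staying[-1] - moving[-1]


# Constructed inputs: on-premise stack at 30,000/year versus a cloud migration
# costing 25,000 once and 20,000/year thereafter, judged over five years.
CURRENT_ANNUAL = 30_000.0
CLOUD_UPFRONT = 25_000.0
CLOUD_ANNUAL = 20_000.0
HORIZON_YEARS = 5

if __name__ == "__main__":
    year = breakeven_year(CURRENT_ANNUAL, CLOUD_UPFRONT, CLOUD_ANNUAL, HORIZON_YEARS)
    saved = savings_over_horizon(CURRENT_ANNUAL, CLOUD_UPFRONT, CLOUD_ANNUAL, HORIZON_YEARS)
    print(f"break-even in year {year}, {saved:,.0f} saved over {HORIZON_YEARS} years")
    # A far more expensive migration never pays back in the same horizon.
    print(breakeven_year(CURRENT_ANNUAL, 80_000.0, CLOUD_ANNUAL, HORIZON_YEARS))
```

The board-facing takeaway is the pair of numbers this produces (break-even year and total saved by the end of the horizon); when `breakeven_year` returns `None`, the proposal needs a longer horizon, a cheaper migration, or a different justification such as risk reduction.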

5. Use Numbers AND visuals

While spreadsheets are the most common way to keep track of IT budgets, they aren’t the best option when presenting budgets to the board because they are time-consuming and hard to interpret in a meeting. 

Instead, turn the numbers into visuals so they can see at a glance what you’re talking about. It makes you more impactful and they’ll appreciate not having to try and figure it out from a spreadsheet.

Screenshot of the Boardish dashboard visuals

When looking at best IT budgeting practices, it’s important to remember that IT should always align with company goals, and there’s no better way to communicate this than by ensuring your IT budgeting is efficient, saves money in the long run, and clearly shows the board where the focus of IT spending should go.

Working Out The Cyber and IT Risks & Threats To Your Organisation

What Is Risk?

In business terms, risk means exposure to circumstances that can cause financial cost or loss, or reputational loss, and various threats can give rise to that risk. In extreme cases, risks, including cyber and IT risks, can threaten the survival of a business. 

Risk isn’t a one-size-fits-all concept, however. The level of risk – and its potential effect – depends on the profile of each business and the industry in which it operates. 

The riskiest industries are those that are vulnerable to sudden shocks and ongoing volatility, such as petroleum processing, fossil fuel extraction, mineral mining, and heavy industry. Conversely, industries with relatively low risk include healthcare provision, waste management, and food processing. Essentially, if there’s heavy, unyielding demand and scope for uninterrupted supply, risk is low. 

The financial industry tends to be risk-averse, but this is a broad statement that fails to capture the nuance of individual sectors. Take hedge fund management, for example. Investments are nurtured over the long term, which allows companies to absorb temporary downward movements and deliver growth over the course of an investment. It is, therefore, a relatively low-risk part of the financial industry. On the other hand, sectors that deal in the short term, with its inherent volatility, face a greater level of risk. Payday lenders, white knight investors, and creditors in unstable economies are particularly vulnerable. 

For cyber and IT professionals, risk tends to centre on data as its key variable. How data is managed, processed, threatened, and recovered is the foundation of a risk profile in the IT industry.

Again, data risk is not universal. For example, if a restaurant experiences a data breach, the loss will not be as substantial as it would be for an insurance company, which keeps highly sensitive medical, financial, and personal data. 

That’s not to minimise any form of data risk. There’s no such thing as a risk-free business, and organisations must have policies and personnel in place to ensure that data breaches and other cyber threats are avoided. 

Types of Cyber and IT Threats

More than half of businesses report that they have been the victim of a cyber attack. A few examples of the threats involved: 

Malware

Malware, a portmanteau of “malicious software”, is an umbrella term for any program designed to cause harm to a device, network, or server. Within the spectrum of malware there are several sub-categories, including viruses, ransomware, spyware, trojans, and adware.

The use of malware is a serious risk for any company. In fact, the average cost of a malware attack is $2.4 million. Depending on the extent of associated customer data breaches, the reputational damage can also be devastating. 

Ransomware

Ransomware is a form of malware in which the attacker aims to extort a payment from the victim. To do this, the attacker accesses and encrypts the victim’s data, then sets a ransom in exchange for the decryption key. In 2019, the average ransom demanded was $36,295. Although ransomware varies in sophistication, an attack can be triggered by something as seemingly innocuous as a link in an email. 

When it comes to ransomware, prevention is better than cure. Retrieval of encrypted files is often expensive and sometimes impossible. It also raises questions over whether engaging with the attacker – and indeed giving them money – contributes to a criminal cycle that not only makes the victim a repeated target but also endangers other companies. 

Specialist software, staff training, and ongoing vigilance help businesses to avoid the damaging effects of ransomware attacks. 

Phishing

Some cyber attackers pretend to be from a trustworthy, reliable source and use that established trust to extract data from their victims. This is the essence of phishing. 

When aiming for businesses, attackers will often pose as representatives from banks and other financial institutions, government departments, suppliers, and even other parts of the company: anything that stands the test of plausibility. 

Phishing can be difficult to spot, because the most sophisticated attackers research and replicate the “normal” behaviours of trustworthy parties. 

Hacking

When most people think of cyber crime, hacking is the first thing that comes to mind. Any unauthorised access to a digital device or network – whether malicious or not – counts as hacking. The stereotypical image of a loner in their bedroom is just one form of hacker; more sophisticated operations have large teams of experts.

Like malware, hacking is an umbrella term for a range of activities intent on compromising business and personal technology.

DoS and DDoS Attack

One of the most prominent categories of hacking covers denial of service (DoS) and distributed denial of service (DDoS) attacks. Both DoS and DDoS involve maliciously disrupting a web server, making it unreachable to users. The difference between them is essentially scale: a DoS attack can be conducted with one computer and connection, while a DDoS involves several devices targeting a server simultaneously. 

Password Theft

Billions of passwords are stolen every year. Individuals may be targeted for a specific reason, or included within a large-scale data breach. Credentials that are easy to guess or otherwise inadequate can leave accounts susceptible to thieves; in 2018, 81% of business data breaches were caused by weak passwords. 

Best practices such as avoiding common terms and requiring a combination of letters, numbers, and symbols are ineffective if strong passwords aren’t kept securely. A scrap of paper containing account credentials may as well be a neon sign. All staff must, therefore, be trained in keeping their passwords safe from potential theft.

Internal Threat

Although it can result in compromised data, poor management of passwords by employees is a relatively innocent form of internal risk. 

It’s an unfortunate fact that a small percentage of employees may have more sinister intentions. Whether acting unilaterally or on behalf of someone else, staff might be inclined to leak sensitive information. That is not to say that the overwhelming majority will, but in mitigating risk, it is best to plan for the worst-case scenario.

This is why access to sensitive data should be limited to the staff who genuinely need it. Leaving it open to everyone increases the risk of unauthorised transmission, which can be extremely costly for a business.

Equipment Theft

Laptops and handheld devices are perilously easy to lose, and just as easy to steal. Most devices are password-protected, but extraction of data is still possible. Accidents do happen, but it goes without saying that all employees with company equipment should store and carry it securely. The same principle applies if they are able to access work-related data – such as emails – on personal devices. This practice should be actively discouraged, and if used in an emergency, it should not become habitual. 

Assessing the Impact of Cyber and IT Threats & Risk

It’s imperative that IT managers and cyber specialists analyse the possible impact of risk to their organisations. 

IT professionals within a business will be aware of potential threats, but as technology develops so rapidly, the analytic process should be continuous.

Once a threat has been identified, it should be carried through to an impact scenario. IT managers should follow this procedure:

  • What are the immediate threats if an identified risk scenario happens to the company?
  • How would this impact all users within your organisation?
  • How will working capability be limited, and for how long?
  • How many people will be involved?
  • Will the business be disrupted, and for how long?
  • Are there backups in place?
  • What is the solution, and how long does it take to implement?
  • Are specialists trained in responding to this scenario?
  • Is there a risk to your brand and market positioning if this threat were to happen?

This level of enquiry is certainly detailed, but it’s crucial to ensuring proper preparation for any or all threats. If a risk scenario were to happen in real life and you weren’t prepared, it makes recovery far more challenging. Don’t have regrets!
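The questions above only become a budget argument once each answer is turned into money. Here is an added worked example (not Boardish's code or model) that prices a scenario from its disruption, people, recovery, data-loss and brand components, annualises it by likelihood, ranks scenarios by exposure, and compares exposure before and after a proposed solution to reach an accept-or-mitigate decision, which is the before/after comparison the security posture section describes. The arithmetic is the common single-loss / annualised-loss approach, assumed here as one reasonable way to do this; every scenario figure is constructed.

```python
"""Put a money figure on a risk scenario and decide whether to accept or
mitigate it.

Added worked example, not Boardish's own code or model. The arithmetic is the
common single-loss / annualised-loss approach, assumed here as one way to
answer the impact questions above. Every figure below is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Scenario:
    """One risk scenario, decomposed along the impact questions."""
    name: str
    likelihood_per_year: float     # expected occurrences per year
    disruption_days: float         # how long working capability is limited
    people_affected: int           # how many people are involved
    daily_cost_per_person: float   # salary / lost output per person-day
    recovery_cost: float           # specialists, replacement equipment
    data_loss_cost: float          # 0 when backups allow a clean restore
    brand_impact: float            # lost sales / reputational damage

    def single_loss(self) -> float:
        """Cost of one occurrence of the scenario."""
        disruption = self.disruption_days * self.people_affected * self.daily_cost_per_person
        return disruption + self.recovery_cost + self.data_loss_cost + self.brand_impact

    def annual_exposure(self) -> float:
        """Expected loss per year before any new solution."""
        return self.likelihood_per_year * self.single_loss()


@dataclass
class Solution:
    """A control and the assumed reduction it brings (fractions 0..1)."""
    name: str
    annual_cost: float
    likelihood_reduction: float   # e.g. training makes the event rarer
    impact_reduction: float       # e.g. backups make each event cheaper


def residual_exposure(scenario: Scenario, solution: Solution) -> float:
    """Expected loss per year after the solution is in place."""
    return (scenario.likelihood_per_year * (1.0 - solution.likelihood_reduction)
            * scenario.single_loss() * (1.0 - solution.impact_reduction))


def evaluate(scenario: Scenario, solution: Solution) -> Dict[str, object]:
    """Compare exposure before and after the solution and recommend a decision.

    'mitigate' when the exposure removed exceeds the solution's annual cost,
    otherwise 'accept' the residual risk (or look for a cheaper solution).
    """
    before = scenario.annual_exposure()
    after = residual_exposure(scenario, solution)
    net_benefit = (before - after) - solution.annual_cost
    roi = net_benefit / solution.annual_cost if solution.annual_cost else float("inf")
    return {
        "scenario": scenario.name,
        "solution": solution.name,
        "exposure_before": before,
        "exposure_after": after,
        "net_benefit": net_benefit,
        "roi": roi,
        "decision": "mitigate" if net_benefit > 0 else "accept",
    }


def rank_scenarios(scenarios: List[Scenario]) -> List[Scenario]:
    """Highest annual exposure first: the order in which to address risks."""
    return sorted(scenarios, key=lambda s: s.annual_exposure(), reverse=True)


# Constructed scenarios for a small business (illustrative figures only).
RANSOMWARE = Scenario("Ransomware via emailed link", likelihood_per_year=0.5,
                      disruption_days=1.0, people_affected=3, daily_cost_per_person=200.0,
                      recovery_cost=500.0, data_loss_cost=300.0, brand_impact=0.0)
BACKUP_AND_TRAINING = Solution("Daily cloud backup + staff awareness training",
                               annual_cost=400.0, likelihood_reduction=0.5, impact_reduction=0.5)

STOLEN_LAPTOP = Scenario("Stolen laptop", likelihood_per_year=0.2,
                         disruption_days=0.5, people_affected=1, daily_cost_per_person=200.0,
                         recovery_cost=1200.0, data_loss_cost=0.0, brand_impact=500.0)
REMOTE_WIPE = Solution("Device management with remote wipe",
                       annual_cost=900.0, likelihood_reduction=0.0, impact_reduction=0.6)

if __name__ == "__main__":
    for s in rank_scenarios([STOLEN_LAPTOP, RANSOMWARE]):
        print(f"{s.name}: {s.annual_exposure():.0f} per year")
    for result in (evaluate(RANSOMWARE, BACKUP_AND_TRAINING), evaluate(STOLEN_LAPTOP, REMOTE_WIPE)):
        print(result)
```

With the constructed figures the ransomware control removes more exposure than it costs and is worth funding, while the device-management subscription costs more than the laptop-theft exposure it removes, so that risk is accepted for now. Likelihood and reduction fractions are the inputs a board will challenge, so record where each one came from.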

Case Study Examples

Let’s assume you own a restaurant. Your cyber risk profile will be lower than an international bank or insurance company, but threats will still exist. 

These are 3 possible scenarios that could play out:

Example 1: Ransomware Attack

One morning, the restaurant’s manager opens an email from an unknown sender on a company computer and clicks a link. A ransomware attack is initiated, and the criminal demands $1000 to unlock the restaurant’s files.

The restaurant recruits a freelance IT specialist to help. Fortunately, their data is backed up daily on a cloud-based server, so the IT specialist formats the hard drive, reinstalls the operating system, and restores data from the cloud. A small amount of data is lost from the morning of the attack.

The short-term impacts of the attack were as follows:

  • The infected computer was out of commission for most of the day.
  • The restaurant paid the IT contractor $500 to fix the problem.
  • There was slight disruption to managing data during the day of the attack, and a small amount of data was lost.

Fortunately, as data was backed up on a cloud-based system, the long-term impact was negligible. Staff were retrained on detecting and avoiding ransomware attacks. 

Example 2: Phishing Attack

One of the restaurant’s employees takes a phone call from a person claiming to work for a bank. The caller informs the employee that there is a problem processing payments, and that the restaurant’s accounts have been frozen. The caller then asks the employee to provide the restaurant’s banking login details. 

This doesn’t sound right to the employee, so she approaches her manager. They agree that this could be a phishing attack, so they ask the caller to give them a phone number and they will call back. A phone number is provided.

The manager then calls the bank on its official number and explains what has happened. The bank has no knowledge of the alleged payment issue, and reiterates that it would not speculatively ask for credit card details over the phone.

The restaurant avoids the phishing attack, thanks to correct action from the employee and her manager. If they had provided login information, this could have been used to extort data or money from the restaurant, causing immediate financial damage.

Example 3: Equipment Theft

The restaurant’s owner is travelling by train one afternoon, when she notices that her smartphone is missing. Her phone gives her access to the restaurant’s email and social media accounts, as well as a banking app from which the restaurant’s finances can be managed. 

Her smartphone is passcode-protected and can also be accessed by Face ID. When she notices the phone is missing, she accesses her cloud-based account and disables the phone. She also changes her email, social media, and banking passwords. 

Had the device not been password-protected, a potential attacker could have immediately accessed sensitive data. Similarly, if she had not taken swift action to disable the phone and change login details, a hacker could have maliciously used this information to cause financial and reputational damage to the restaurant. 

Top 5 Tips for Finding Solutions to Cyber Risk & Threats

  1. Thorough preparation. This sentiment is worth repeating: prevention is better than cure. Have rescue plans in place as soon as a risk is encountered, and ensure that all relevant staff are properly trained.
  2. Go cloud-based. As far as possible, use cloud-based systems to manage data. If equipment is compromised, data will be available for backup or immediate quarantine.
  3. Choose cost-effective solutions. It can be tempting to over-prepare for every risk, but an overly expensive IT budget is unlikely to be approved by the board. Strike the right balance between cost and benefit. 
  4. Have the right people on board. No matter the size of a business, you must have access to specialists who can help in an emergency. For large organisations, this will usually be managed in-house. Smaller businesses may opt for a freelancer or train an existing employee. 
  5. Keep up to date. New threats appear on a daily basis. Cyber professionals must keep up with any developments that are pertinent to their business or industry, and implement the right solutions as quickly as possible. 

Presenting Budget Requests to the Board To Mitigate Risks

Solutions to cyber and IT risks tend to be expensive, and to secure the required budget, IT managers must present a cost/benefit analysis to the board.

Problems are often caused by miscommunication. IT budget requests must be made in language the board understands. This usually means expression in financial terms. To do this, the risk must be quantified.

Enter Boardish. Using this IT tool, CTOs can quickly and comprehensively translate technology risks into a format the board understands. Threats and solutions are quantified, allowing the board to analyse and approve requests without delay. 

To find out more about preparing for your next board meeting, check out this guide from Boardish. 
