Which is a bigger risk? Ransomware or lack of IT & Cyber Human Resources (and how to quantify to BOD)

This article was written by our founder, Eli Migdal, and originally published on LinkedIn.


During my consulting sessions on cyber security, I see a recurring theme. There’s usually a skilled team with great ideas and capabilities.

But not enough human resources to execute it.

A CTO or CIO will usually have most of their team already engaged in dozens of IT and cyber projects. Even the most basic exercises, like vulnerability assessments, get delayed simply because there are not enough team members (or not enough budget to use suppliers).

You may think that if the company has the resources to appoint a CISO, that the CISO will then have sufficient resources, and enough people… think again 🙂

In many cases, the CISO’s team is already caught in several projects as well and entire security teams are not able to perform their required roles.

In this phase, I usually recommend asking decision-makers for more resources: more people, or more money so you can use an external company.

Also in this phase, I see how hard it is for a manager to ask for more resources, even when they understand that not asking will put the company at risk.

I use the BOARDISH methodology to show the clear financial impact of a “lack of resources”.

*See an example of quantifying this via the BOARDISH web app (boardish.io)

Background:

  • The core issue at the test company is an end-of-life server in production that both holds PII and hosts several systems which still rely on old SMB protocols. An end-of-life server no longer receives security patches, so this exposure only grows with time.
  • The CTO, the cyber team and compliance all know the risk this server imposes on the company.
  • It is just a matter of time until the outdated SMB protocol leads to ransomware and/or leakage of PII.
  • Company information: the figures come from a test company.

Threats:

This is where we put “Insufficient IT & Cyber Resources” as the main threat.

For “Turnover Days Loss” and “Work Day Loss” we use what we already know about ransomware and data leakage for this specific company.

Why? Because “Insufficient IT & Cyber Resources” means you never even get to addressing the actual ransomware and data-leakage issues; it delays them again and again.

Solutions:

In Solutions, we will put 2 options, inputting the yearly cost.

  1. Recruiting a staff member
  2. Using an external company

Threat Protection Factor (TPF):

In this scenario our solution will “most likely” solve the entire threat, which is why we input 90% rather than 100%; the remaining 10% is the leftover exposure that the dashboard reports.

Experts Costs:

Recruiting in-house and outsourcing differ in how much ongoing management they need from your existing team. So we must account for this time (and the hourly cost of this time) in the yearly expert costs.

Regulation impact:

Regulation has a HUGE impact on our scenario, since the lack of resources will most likely lead to a leakage of PII.

And we have a CLEAR FINANCIAL IMPACT NUMBER to show our Decision Makers / Board:

  1. What is the COST of the “Insufficient IT & Cyber Resources” Threat
  2. What are the components of this Threat (Market Loss, Regulation, Salary Loss and Sales Loss)
  3. What is the COST of EACH OF THE OPTIONS of Resolving this Threat
  4. What is the leftover exposure in each environment to consider when looking at further mitigation.

The Boardish methodology combines a risk assessment exercise with financial quantification, so your decision-maker / board now has a very clear decision to make:

Provide the resources for solving the Threat or accept the Cost of the risk.

Eli Migdal


Quantifying The Financial Impact of Mass Absence From Your Business

This article was written by our founder Eli Migdal and posted on LinkedIn.


In the Boardish community, we have noticed a big spike in companies adding the threat of “Immobility” (not being able to work remotely).

I want to help by showing you a basic guide on how to use the Boardish platform* to understand the costs of immobility, for example in situations like the Coronavirus outbreak where many people have to self-isolate but are still able to work, so you can get quick approvals from decision-makers on solutions that address it.

*You can do this with the free version of Boardish also.

Step 1 – Company information:

Fill in your company information; every threat impact and solution mitigation is calculated from the size, type and financial posture of the organization.

[Screenshot: company information input in Boardish]

Step 2 – Threats:

Add a custom threat (go to > Add Threat Type). You can call it “Immobility”; we have also seen variations such as “Not being able to work remotely” and “No remote working option”.

Then we look at the critical operational information like how much the threat impacts the day-to-day. It’s different for each company, so we recommend involving your Operations, Sales, and Marketing teams.

In our example company below we have:

  1. Set the Chance of Losing Market Position to Medium.
  2. Included 25 Turnover Days Loss (days you are not selling because of a mass absence of staff, when your company has no remote-working capability).
  3. 50% Sales Loss on those days (because not all functions are impacted, some are automated, etc.).
  4. 14 Workdays Loss predicted for High, Medium and Low impact users (for example, a self-quarantine period of two weeks).

[Screenshot: threat input in Boardish]

Step 3 – Solutions:

We will add 3 possible solutions that help us with the threat of “not being able to work remotely”:

  1. Video conferencing tools – Note that many companies are now offering a free option as well (due to the Coronavirus outbreak), so for this example I made the cost of video conferencing free.
  2. Advanced identity management tools – Tools that help you protect remote identity by adding device identity, MFA, geographical restrictions and other capabilities that let you work remotely and securely. This is also very important for BYOD, which is a big part of working remotely. For this example, I made the cost $7 per user.
  3. Cloud security solutions – When working remotely, tools like Dropbox, OneDrive, Box, Google Drive etc. will be used more, so we will need tools to secure them in the business, particularly to make sure we can differentiate between sensitive and non-sensitive files being worked on and shared remotely. For this example, I made the cost $6 per user.

For the purpose of this example, I’m staying vendor-neutral but I will be using the solution type field.

[Screenshot: solution input in Boardish]

Step 4 – Threat Protection Factor (the efficiency of solutions against threats)

In this section, we are setting the effectiveness of the 3 solutions against the same threat. The TPF section is where you can use your experience and knowledge of solution efficiency to have manual control.

Based on my experience, I have used the following info:

  1. Immobility and Video Conferencing – 80% on-prem, 0% cloud
  2. Immobility and Advanced Identity Management – 0% on-prem, 75% cloud
  3. Immobility and Cloud Security – 0% on-prem, 70% cloud

[Screenshot: TPF in Boardish]

Step 5 – Expert costs

This section is very important when showing solutions to your decision-makers. Video conferencing solutions may be free to use, but they will require IT resources for training and support, and these resource requirements and costs need to be quantified.

I have used the following info:

  1. Video Conferencing – Will require 100 hours yearly of 1st Level IT – mainly for support setups or connection issues.
  2. Advanced Identity Management – Will require 50 hours of your Cyber Staff to configure and 100 hours of your 2nd level IT to support
  3. Cloud Security will require the same as Advanced Identity Management ( for this example)

*Again you can use the figures for ongoing support if you know them for a solution you’ve used previously or are benchmarking.

[Screenshot: expert costs input in Boardish]

Step 6 – Regulation

In this step, we set the GDPR impact for this threat. Immobility doesn't have a direct GDPR impact unless there is a security issue that has not been taken into consideration, and that is likely to be caused by something specific other than lack of mobility.

So, in this case I have configured the GDPR regulation impact as none. If your remote-working setup would put personal data on unmanaged devices or unsecured cloud shares, model that as its own threat with its own regulation impact rather than folding it into immobility.

Dashboard:

Once the dashboard is complete, you will get clear figures on the following:

  1. Cost of the Threat – $39.92M
  2. Cost of Solutions: $64K in total
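To make the arithmetic behind figures like these concrete, here is a small Python model added as an example for this page. It is not Boardish's own code or formulas, and it will not reproduce the $39.92M and $64K above, because the company inputs behind them are not shown here. It covers both walkthroughs on this page: the immobility scenario (Steps 2 to 6, whose threat, solution, TPF and expert-hour inputs are used as given) and the staffing scenario of the first article, where a recruited staff member or an external company would be entered through the yearly_fixed_cost field. Everything else is an assumption: the ACME company figures, 250 working days per year, the role names and hourly rates, turning a Medium chance of losing market position into a flat $500K, and the rule that stacked solutions act independently, so the leftover exposure in an environment is the threat cost times the product of (1 - TPF) across them.

```python
"""Simplified financial model of the threat / solution components named on this
page.  Constructed example, not Boardish's own formulas: the arithmetic below is
an assumption chosen to show how the inputs combine."""
from dataclasses import dataclass, field

WORKING_DAYS_PER_YEAR = 250  # assumption used to turn yearly figures into daily ones


@dataclass
class Company:
    annual_revenue: float
    headcount: int
    avg_yearly_salary: float          # fully loaded cost per employee
    hourly_rate: dict                 # role -> hourly cost of that expert (assumed)


@dataclass
class Threat:
    name: str
    turnover_days_loss: int           # days the business is not selling
    sales_loss_pct: float             # share of revenue lost on those days
    workdays_loss: int                # days staff are paid but cannot work
    market_loss: float                # assumed money value of "chance of losing market position"
    regulation_impact: float          # assumed fine / regulatory cost, 0 for "none"
    env_share: dict                   # how the exposure splits across environments


@dataclass
class Solution:
    name: str
    tpf: dict                         # environment -> threat protection factor (0..1)
    yearly_cost_per_user: float = 0.0
    yearly_fixed_cost: float = 0.0    # e.g. a salary or an outsourcing contract
    expert_hours: dict = field(default_factory=dict)  # role -> hours per year


def threat_cost(company: Company, threat: Threat) -> dict:
    """Break the yearly cost of a threat into the components the page names."""
    daily_revenue = company.annual_revenue / WORKING_DAYS_PER_YEAR
    daily_salary = company.avg_yearly_salary / WORKING_DAYS_PER_YEAR
    parts = {
        "sales_loss": threat.turnover_days_loss * daily_revenue * threat.sales_loss_pct,
        "salary_loss": threat.workdays_loss * daily_salary * company.headcount,
        "market_loss": threat.market_loss,
        "regulation": threat.regulation_impact,
    }
    parts["total"] = sum(parts.values())
    return parts


def solution_cost(company: Company, solution: Solution) -> dict:
    """Yearly cost of a solution: licences (or a fixed contract) plus expert hours."""
    licences = solution.yearly_cost_per_user * company.headcount + solution.yearly_fixed_cost
    experts = sum(hours * company.hourly_rate[role]
                  for role, hours in solution.expert_hours.items())
    return {"licences": licences, "experts": experts, "total": licences + experts}


def residual_exposure(total: float, threat: Threat, solutions: list) -> dict:
    """Leftover exposure per environment after stacking the solutions.

    Assumption: controls act independently, so the share of the threat that
    gets past all of them in one environment is the product of (1 - TPF)."""
    leftover = {}
    for env, share in threat.env_share.items():
        passes = 1.0
        for s in solutions:
            passes *= 1.0 - s.tpf.get(env, 0.0)
        leftover[env] = total * share * passes
    leftover["total"] = sum(leftover.values())
    return leftover


def board_summary(company: Company, threat: Threat, solutions: list) -> dict:
    """The four numbers a decision-maker is asked to weigh."""
    cost = threat_cost(company, threat)
    solution_total = sum(solution_cost(company, s)["total"] for s in solutions)
    return {
        "threat_cost": cost["total"],
        "components": {k: v for k, v in cost.items() if k != "total"},
        "solutions_cost": solution_total,
        "residual": residual_exposure(cost["total"], threat, solutions),
    }


# Constructed company; the threat and solution inputs mirror the page's example.
ACME = Company(annual_revenue=50_000_000, headcount=500, avg_yearly_salary=60_000,
               hourly_rate={"it_l1": 40, "it_l2": 60, "cyber": 90})

IMMOBILITY = Threat("Immobility", turnover_days_loss=25, sales_loss_pct=0.5,
                    workdays_loss=14, market_loss=500_000, regulation_impact=0.0,
                    env_share={"on_prem": 0.5, "cloud": 0.5})

REMOTE_WORK_SOLUTIONS = [
    Solution("Video conferencing", tpf={"on_prem": 0.80, "cloud": 0.0},
             expert_hours={"it_l1": 100}),                      # free licence
    Solution("Advanced identity management", tpf={"on_prem": 0.0, "cloud": 0.75},
             yearly_cost_per_user=7, expert_hours={"cyber": 50, "it_l2": 100}),
    Solution("Cloud security", tpf={"on_prem": 0.0, "cloud": 0.70},
             yearly_cost_per_user=6, expert_hours={"cyber": 50, "it_l2": 100}),
]

if __name__ == "__main__":
    for key, value in board_summary(ACME, IMMOBILITY, REMOTE_WORK_SOLUTIONS).items():
        print(f"{key}: {value}")
```

Run it directly to print the summary; its four entries map to the four outputs listed in the first article (cost of the threat, its components, cost of the solutions, and leftover exposure per environment). Replace the ACME figures, WORKING_DAYS_PER_YEAR and the hourly rates with your own organisation's numbers before showing the result to anyone, and keep the independence assumption in residual_exposure in mind: overlapping controls protect less than the product suggests.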

This is decision-making knowledge for your stakeholders. If your company information is as clear as in this example, you will have a clear case for getting your budget request approved for solutions that combat an immobility threat, particularly in cases of mass absence.

To quantify immobility in your organisation, you can run the same simulation using your information in Boardish.

Learn more here: https://boardish.io/

Sign up here: https://app.boardish.io/

 
