February 28, 2022 – William Prohn, CISSP, CISA, CGEIT, CRISC, CMMC-AB RP, Dopkins System Consultants Managing Director, recently served as a guest author for Business First of Buffalo.
Is your business concentrating on the right cybersecurity “boom” strategy?
A growing awareness of risk, new cybersecurity regulations, media attention and general chatter all seem to indicate a boom in cybersecurity. One might consider that welcome news after several years of limited attention on the part of many businesses and individuals.
The term “boom” has been used in the military to identify an attack event such as the detonation of an IED (improvised explosive device). Boom denotes the instant of the attack. The events on the timeline leading up to the attack are called “left of boom,” and the events that follow it are called “right of boom.” Many in the cybersecurity field have adopted this terminology to describe a cyber incident together with the events that precede and follow it.
Almost all of the publicity, activity and crisis management that swirls around cybersecurity today has to do with what goes on “right of boom.” Business is disrupted, systems are down and may need to be replaced, customers, employees and vendors have had their personal data compromised, insurance claims are litigated, credit monitoring services are offered and corporate reputations are damaged.
This is what keeps business owners up at night, while the media focuses its attention on the price tag of the latest cyberattack. It is the right-of-boom timeline that has awakened our economy and culture to the cybersecurity threat.
However, the best use of resources is, without question, to focus on the timeline left of boom: planning activities, identifying assets and threats, implementing processes and controls to protect systems and data, and detecting anomalies in business activities and transactions that may be precursors to a major incident.
A common question is “what do I need to do to be secure?” There are at least as many ways to protect systems and prevent an incident as there are ways to attack businesses and breach data. Far more can, and should, be done left of boom than right of boom, and the left-of-boom measures are usually far less expensive than a data incident.
As a result, cyber liability insurance today, if available at all, is laser-focused on a business’s activities left of boom. Multi-page questionnaires asking about policies, multi-factor authentication, types of data stored, oversight of third-party vendors, encryption, backups, and countless other security controls are now a prerequisite to even being considered for coverage.
Whether in the market for cyber insurance or not, the least expensive and most effective way to address the cybersecurity threat in today’s world is to expend effort left of boom. Begin with an IT/cybersecurity risk assessment. This will identify the specific threats your organization faces and prioritize them by the likelihood and impact of each risk. Then, implement effective controls to mitigate the risks you have prioritized. Finally, put planning, follow-up and oversight processes in place to ensure that your actions are consistent and maintained over time. All of this takes place left of boom.
This may seem like a lot, but it’s nothing compared to a boom and its aftermath impacting your company.
For more information, contact William Prohn at firstname.lastname@example.org.
To read the article on the Business First of Buffalo website, click here.
Dopkins & Company, LLP’s System Consulting practice is dedicated to helping clients develop information security controls to ensure business continuity, minimize business risk, and maximize return on investments and business opportunities. For a strategy on getting started with a cybersecurity program, visit www.dopkins.com/startegy.
Dopkins & Company, LLP also offers comprehensive accounting, auditing and tax services, forensic accounting, as well as information technology, wealth management consulting, internal audit support, and collateral examinations to privately held and public companies, not-for-profit organizations and individuals.
William M. Prohn has over 30 years of experience working with businesses from a diverse list of industries, including manufacturing, distribution, restaurant and hotel management, not-for-profit organizations, clinics and medical practices. His work focuses on creating meaningful, practical management information using computer technologies, and on the security of business information and systems.
About the Author
William Prohn CISSP, CISA, CGEIT, CRISC, CMMC-AB RP
Bill oversees all aspects of information technology for the firm, and provides consulting services to a wide spectrum of Dopkins’ clients. He has over 30 years of experience in accounting and business information systems. His specific interests include creating meaningful, practical management information using computer technologies, and the security of business information and systems.