Change also can introduce significant risk to you and your organization. In fact, periods of change are where most risk is introduced. Changes in personnel, process, and products represent great risk to you and your business. You need to be keenly aware of change and be prepared to manage it as part of your risk management process.
Your risk environment is complicated. You and your organization face an ever-evolving threat landscape replete with increasingly sophisticated cyber threats and malicious bad actors. Attacks can range from cyber “weapons of mass disruption” such as distributed denial of service (DDoS) attacks and zombie infestations up to and including finely tuned, exquisitely researched, and implemented focused attacks specifically targeted against you and your information. There are many capable bad guys out there who can ruin your day (and your business) just by hacking into your computer systems and gaining access to your information.
But what if somehow these bad actors were aided inadvertently by someone in your organization? What if your own organizational processes were a mechanism that enabled a bad actor to gain access to your vital information? Sadly, this happens all too often. The Gartner Group estimates 65% of all cyber attacks exploit misconfigured systems.[2] We actually think that figure is too low. We submit that the likelihood that someone specifically targets you or your business is fairly low, yet with hackers and the curious using tools like Nmap and Nessus to scan the Internet continuously for vulnerabilities and Metasploit to exploit discovered vulnerabilities, if you have a misconfigured system, chances are very good that someone will find it and potentially exploit it.
Cyber attacks can wreak havoc on your business and drive huge losses, cause potential litigation, and lead to loss of precious momentum. So can system downtime caused by your own people. Gartner research estimates that the average cost of downtime for a small or midsized business is approximately US $42,000 an hour, but for larger companies or e-commerce models, this number can easily reach six figures.[3] Most businesses, including yours, cannot afford to absorb the damage that downtime produces.
Regrettably, most downtime is found to be a self-inflicted wound. According to the Yankee Group, an IT research organization, over 62% of all network downtime is caused by configuration errors.[4] Downtime is a denial-of-service attack against you and your business that costs you precious time and money. For your IT staff, it is a catastrophe and professional embarrassment. It is also a time when, as the staff scrambles to restore service as fast as possible, even more configuration errors may inadvertently be introduced, exposing you and your business to additional risks. We advise that the best thing executives can do during periods of downtime is to remain calm, ensure the IT staff has the right resources (i.e., time, people, and tools) to properly restore services, and, after restoration, order a thorough vulnerability scan to ensure that the “fix action” did not introduce a new vulnerability.