As we start to adapt to our new quarantined life, one of the things that has struck me is how differently people have benchmarked what they consider to be effective social distancing, and therefore the risk they are willing to accept. At Ostendio, we manage risk every day, and there are similarities between the strategies for managing organizational risk and managing your own personal risk of exposure to the coronavirus. While we can’t eliminate risk completely in either scenario, there are steps we can take to minimize risk in both.
First we have to realize there is inherent risk in everything we do. Following a recent trip to a metro-based grocery store I was struck by how close people were to each other compared to my typical suburban shopping experience. As I navigated the tighter aisles, trying to avoid other shoppers like they were ghosts in a game of Pac-man, I could tell people were looking at me like I was some type of paranoid conspiracy theorist. Obviously the urban shoppers at the metro store were more relaxed in their risk assessment of other shoppers, while the people at my regular suburban store clearly have a more conservative interpretation of what constitutes social distancing.
On the other extreme, I was scolded by a family member because I chose to walk my dog with a neighbor. My niece believed that I was not being careful enough because that neighbor was not part of my designated quarantine group. It is surreal to walk through our quiet suburban neighborhood making polite conversation with our neighbours from a safe six foot distance as we all find ourselves slightly bemused at how our lives have changed in such a short period of time.
Yet for many others working in essential services, their day-to-day activities may not have changed quite as much, but the environment within which they are working has changed dramatically. We all appreciate the higher risks essential workers are taking on our behalf, which are significantly greater than our own. However, we need to appreciate that even when we spend 99% of our time in the safe confines of our own homes, we are also not living risk-free. As unlikely as it may be, a package that is delivered could carry the virus; a neighbour could spread the virus as we pass by or get too close; or, more likely, we could come into contact with the virus during a trip to the grocery store. These are all remote possibilities, but each one does increase our risk, albeit to a minimal degree. However, if you take these risks frequently, that can significantly change your risk profile.
The objective of Risk Management, when applied to Data Security, is not necessarily to eliminate risk, but rather to reduce it to an acceptable level. By creating and maintaining data, some level of risk is inherent but many factors go into determining what is acceptable including:
What is the overall impact of data being breached in your organization? If the impact is low then the risk is likely to be low.
What is the likelihood of the data being breached? If the likelihood is low then the overall risk is reduced.
What value or benefit is gained by securing the data? It does not make sense to invest time and effort mitigating risk in order to maintain data with little or no value.
In business we apply risk mitigation strategies to help reduce our risk profile. We encrypt data; we reduce the number of people who have access to sensitive data to only those who need it; and we train users on effective data handling. The same elements can be used as a framework to help determine the extent of our social distancing practices. We need to consider these 4 factors:
Impact - We already have a better understanding of the impact contracting coronavirus may have. Factors that come into play here might be age, occupation, others' dependence on us, and proximity to those in higher-risk groups. Each of those criteria may have an impact on us directly or on those around us.
Likelihood - Clearly what we do and how often we do it will have a big impact on the likelihood of contagion. A solo walk in the neighbourhood would be low risk, as might be interacting with people in our own quarantine group. But the likelihood increases as we come into contact with others either socially, at work or while running errands like buying groceries. The reality is we may do many of these things over time and so the probability builds the more of these activities we undertake and the higher likelihood each activity may have.
Benefit - As with business, we cannot simply shut ourselves away from everyone and everything but we can reduce interactions to high value or essential activities. So while going to your friend’s house for drinks might seem like a good idea, is it essential? If you have mental health issues such as depression, maybe. But while going to work if you are an essential service worker or caring for an elderly relative may be higher risk activities, the benefits are also high.
Mitigation - Of course once we understand the risk, and to some degree accept it, that does not mean we cannot take action to help mitigate it. Doing your grocery shopping when it is quieter, reducing the frequency of trips, maintaining appropriate separation during all interactions and wearing a face mask are all risk mitigation strategies that can help reduce risk.
Our overall risk score with data security, or contracting the coronavirus, will never be zero but there are many steps you can take to minimize whichever risk you are facing. With coronavirus, by limiting activities to those that are essential or have a high benefit you can significantly minimize overall risk. With Data Security the same is true. Managing corporate risk has to be balanced with the benefit to the company. As long as you are exercising good risk management you are doing the best you can. So #StayHome and get information from scientists and experts like the CDC.
Ostendio has over seven years' experience working with companies to help them understand and manage risk. Our MyVCM platform can help your company build, operate and showcase your security program. Speak to one of our experts today and ask for a free demo so we can show you how a robust security plan could benefit your business.