As the first quarter of 2021 comes to a close, cyberattacks are only gaining momentum. As we reported last month, these attacks have become big business for threat actors, and companies are working hard to be prepared. Taking stock of potential risks – and risk management techniques – can be a useful exercise in this environment. For this, tools from change management can help. Change management, particular sustainable change management, teaches us not to jump head-first into action, but first to take stock of what actions will be most helpful.

To mitigate cyber risks, several actions of course are useful, and indeed several are required by data security laws. These include identifying and preparing for known risks, updating policies, implementing operating procedures to execute on those policies, strengthening internal controls and auditing compliance. These steps can help with both preventable risks -i.e., those that are internal and controllable; or are strategic – i.e., risks that one might be willing to accept for some benefit. However, those are only two of three types of risk, according to management theorists Robert Kaplan and Anette Mikes.[i] The situations companies are facing today -with multiple potential cyberattacks arriving at unknown times, in unknown ways, by unknown threat actors- fall into a third category of risk. External risks. Risks outside of a company’s control; risks that are not predictable.

To manage external risks, companies can include more tools in their prevention toolbox, Kaplan and Mikes explain. In preparing for cyberattacks we can think about their suggestions. For them, the focus with external risks should be on identifying them when they happen (often easier said than done) and mitigating the potential negative impact. A written policy may not be able to prepare a company (how can the policy anticipate every potential bad outcome?), but tabletop exercises that focus on teamwork -rather than on preparing for a specific type of incident- could. Other tools include short checklists, along the lines used by pilots (including in disaster situations).[ii]

Some data incidents may arise from risks that fall into multiple categories. Thus having multiple mitigation strategies in place can be important. These steps, like being strategic about privacy compliance generally, can help companies’ overall privacy compliance efforts, as we outlined in our articles on right-sized privacy programs at the beginning of this year.

Putting it Into Practice: Given the external nature of cyber risks facing companies, now is a good time to take stock of mitigation strategies in place. Thinking proactively – even where much may be unknown – can help companies be prepared if the worst happens. Rather than only tabletop exercises that prepare for a specific type of situation, companies may also want to add those that deepen relationships and teamwork.


[i] Kaplan, Robert S. and Mikes, Anette. Managing Risks: A New Framework. Harvard Business Review (June 2012).

[ii] Gawande, Atul. The Checklist Manifesto: How to Get Things Right. (2010).