Hello, everyone. Welcome to the next in the HS Talk series on cybersecurity.
My name is Don Johnston.
I'm a lawyer in Toronto,
with the firm of Aird and Berlis,
and I'm going to be speaking to you about residual risk in cybersecurity.
What is residual risk?
Well, risk generally as we know is a fact of
life and we all have to accept it in business.
We really can't make money without assuming some risks.
What residual risk is in a general sense is
the risk that remains after you've taken steps to reduce,
manage, or control your risk.
You might, while traveling,
reduce the risk of losing your personal belongings by simply not bringing them with you,
but that doesn't mean that they're safe.
Someone could break into your house at home (and of
course, where else would your house be?) and take your stuff.
You haven't eliminated your risk,
you simply reduced it in some way or another.
In information technology, residual risk is the remaining risk
after you've done your best to protect your system and your data from attacks,
leaks, and losses of all kinds.
You know that there is remaining risk.
Indeed, when I draft agreements pertaining to information technology services,
I'm always very careful to make sure that there is
no guarantee in there that everything will be completely safe.
It's just not possible.
Why are there residual risks in information technology systems?
Well, we know that these systems are very enticing to dishonest people.
The Internet is connected worldwide,
valuable data is available literally everywhere,
the risk of detection or punishment is low and frankly it's bloodless.
If you're going to be a crook,
you don't need a gun,
all you need is a computer and you can hide
somewhere and literally steal stuff from people.
Information, money, opportunities, business,
secrets, you name it.
As a result of that, cybercrime now costs
society worldwide more than automobile accidents.
That's an astounding fact.