<img src="https://secure.leadforensics.com/71120.png" style="display:none;">

Kalki Blog


CyberSecurity in the Middle Market

Posted by Vikas Bhatia on Oct 17, 2016 8:35:00 AM

This week marks Week 3 in the National Cyber Security Awareness Month (NCSAM).  With the focus on Recognizing and Combating Cybercrime we have decided to focus on the underserved population, the Midmarket.

The US Middle Market, a.k.a. midmarket, in the US accounts for 1/3 of all jobs and 1/3 of private sector GDP and according to the National Center for the Middle Market, "If the U.S. middle market were a country, its GDP would rank it as the third-largest economy in the world". 

Read More

Topics: Risk Management, Cyber security, midmarket

SMB Insurance companies & NAIC's Cyber Security Regulations

Posted by Vikas Bhatia on Aug 26, 2016 4:00:00 PM

Till now our experience with insurance agencies has been fairly reactive and driven by IT.  In the background we've been keeping an eye on the National Association of Insurance Commissioners (the NAIC) regulations and how they would impact Small and Medium Sized Businesses (SMB).  In April the Cybersecurity (EX) Task Force (the Task Force) first presented the Insurance Data Security Model Law (the Model Law) it generated more than 40 comment letters from trade associations, market participants and regulators. insurance industry association .  It appears that the, "something has happened, now can you help us fix, resolve, remediate it" approach to Data / Information or Cyber Security is about to change drastically.

Read More

Topics: Regulations, Risk Management, Cyber Insurance, kalkiconsulting compliance, SMB, CISO, CIO

Vendor Risk Management: What are your vendors costing you?

Posted by Stacy Willis on Mar 24, 2016 7:00:00 AM

Do you know what your vendors are doing with your data? Do you know how they are using their access to your systems? All too often we see companies who hand over access to vendors with little to no background research and then allow them to run around unsupervised in their systems. Recent data breaches have shown us that vendor management is clearly cause for concern. There have been several very high profile (and VERY expensive) data breaches caused by poor vendor risk management practices.

Read More

Topics: Risk Management

Risk Management Framework

Posted by Stacy Willis on Oct 6, 2015 10:20:52 AM

Wondering how to manage risk in your business? Keeping track of your risks helps you keep them in check and keep your business up and running. When you’re constantly reacting to things you don’t expect, it’s hard to feel stable and protected. Proactively managing your risk can take you a long way toward protecting the future of your company.

Read More

Topics: Risk Management

New Infographic! Risk Management Framework

Posted by StacyNease4Fbhds on Jun 30, 2015 10:15:41 AM

Wondering how to manage risk in your business? Keeping track of your risks helps you keep them in check and keep your business up and running. When you're constantly reacting to things you don't expect, it's hard to feel stable and protected. Proactively managing your risk can take you a long way toward protecting the future of your company.

Here at Kalki, we work with clients to help create a customized strategy to their business needs, but we always start from the basics. We use the design in this inforgraphic as our "jumping-off point" for a Risk Management blueprint. Some of the questions you need to answer to make this design unique to your business are:

1. How often should you be adjusting and updating your strategy?

Does your business leadership conduct annual or semi-annual strategy meetings? You should be discussing risk as a part of any good strategy discussion. A good rule of thumb is to address the company's approach to and appetite for risk at least as often you are re-assessing or looking at your business strategy at a whole.

2. How do I determine the IMPACT of risks to my business?

Impact is all about the dollar signs. It should be a realistic estimate of what the financial impact of an event would have on your business. Now remember, impact must be coupled with likelihood to mean very much to you in the evaluation of risk. Let's run through an example. Say the risk we are considering is a breach, let's run through the steps you'd take to estimate the impact of a breach.

Step 1: Determine the potential financial impact of a breach. Start by figuring out the number of records your business holds on its customers that include any PII. The average cost of a breach is $145 per record according to studies by the Ponemon institute. This figure includes fines, costs to provide credit monitoring for victims and costs to investigate the incident. So now take the number of records you hold and multiply by $145 to find out the potential cost of a breach.

Step 2: Determine additional impacts. Might a breach affect your company's reputation? Do you think it would cause customers to leave? The answers to these questions will depend significantly on the type of business you have. Venture a realistic estimate of the percentage of customers you may lose and determine what that means to your bottom line.

Step 3: Determine the likelihood of such an event. We all remember the Y2K craze that resulted in stock-piling and even, in some cases, the creation of bomb-shelters. We don't want to tell you to go crazy worrying about every potential risk in the world; what we do want is for you to include the likelihood of an event into your assessments of risk. Does your company operate 100% offline with no connections to the outside world? Well then a breach may be somewhat less likely for your business than a business that needs to be connected 24/7.

3. How should I track all these risks?

We are giving you a ton of things to think about here; but how should keep track of risks over time, especially if we are telling you to monitor them regularly? Your business should create and maintain a Risk Register that tracks all the risks that have been identified and provides a very easy way to stay on top of the impacts and likelihoods of those risks. And, since you asked so nicely, we have a very easy-to-use and customizable (and not to mention totally free) Risk Register template just for you! Just download and start populating right away.

4. How often should I be monitoring and reviewing risks?

Here's where you decide how often you'll be checking in on all those items in the Risk Register, monitoring your environment and re-assessing risks. This process serves both to help you stay on top of (and adjust strategy as necessary) risks that have already been identified and provide means to identify risks you haven't thought of yet. Here are our recommendations for how often you should monitor and review at minimum.


  • 3rd Party High-level Risk Assessment
  • Security Policy Review


  • Penetration testing
  • Vulnerability and configuration assessments
  • Personnel security awareness testing
  • Security assessments of 3rd parties
  • Full review of Risk Register


  • System checks
  • Review of security logs and events on all systems
  • Add any newly-identified risks to the Risk Register

Read More

Topics: Risk Management