Cyber Risk Assessment
Organisations are now, or I at least hope they are, waking up to the realisation that cyber threats (IT risks) pose a very real and significant risk to their operations. These risks must be factored into any risk mitigation strategy.
This means that, in addition to taking steps to minimise the risk of a cyber attack succeeding, effort must be devoted to assessing the level and the nature of the risk to the business resulting from cyber threats, to enable decision makers to understand Information Technology risks and develop appropriate responses to them. This assessment needs to cover every aspect of cyber risk and especially the risk to the business itself. It needs to cover hardware, software, people, services, supply chain processes and assets, and everything should be fully documented.
There's an essential prerequisite to a cyber risk assessment, and that's a data audit. You need to identify all the data your company holds and determine its value, where it is held, who has access to it, who uses it, why it's needed, for how long, and how to properly dispose of or archive it in a safe and secure manner.
Your cyber risk assessment should start with a plan that identifies what you will be analysing, who'll be consulted during the analysis, and whether there are any regulatory or budgetary considerations that need to be taken into account.
Steps to cyber risk assessment
Once that's completed, here are the steps needed to undertake a cyber risk assessment.
1. Identify threat sources and events
2. Identify vulnerabilities and how they may be exploited
3. Estimate the likelihood of these threats occurring
4. Evaluate the potential impact on your business if they do occur
5. Determine the degree of risk involved
6. Rank the risks in order of priority
7. Prioritise actions and responses to critical risks
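Steps 3 to 7 as a worked example, added here and not part of the original article: a small risk register scored on an assumed 5x5 likelihood-times-impact scale, ranked, filtered to the risks needing action first, and reduced to an overall risk score. The register entries, the rating bands and the 0..100 overall score are all constructed assumptions.

```python
# Worked example of the seven assessment steps as a small risk register.
# Added illustration, not from the original article: the entries, the 1..5
# scales, the rating bands and the 0..100 overall score are all assumptions.
from dataclasses import dataclass

SCALE_MAX = 5  # assumption: likelihood and impact are each rated 1..5

@dataclass(frozen=True)
class Risk:
    threat: str          # step 1: threat source / event
    vulnerability: str   # step 2: weakness that would be exploited
    likelihood: int      # step 3: 1 (rare) .. 5 (almost certain)
    impact: int          # step 4: 1 (negligible) .. 5 (severe)

    def __post_init__(self):
        for name in ("likelihood", "impact"):  # reject out-of-scale entries
            if not 1 <= getattr(self, name) <= SCALE_MAX:
                raise ValueError(f"{name} must be 1..{SCALE_MAX}")

    @property
    def score(self) -> int:
        """Step 5: degree of risk as likelihood x impact (1..25)."""
        return self.likelihood * self.impact

    @property
    def rating(self) -> str:
        """Assumed bands: critical >= 15, high >= 10, medium >= 5, else low."""
        return ("critical" if self.score >= 15 else "high" if self.score >= 10
                else "medium" if self.score >= 5 else "low")

def rank(risks):
    """Step 6: highest score first; ties broken by impact, then by threat name."""
    return sorted(risks, key=lambda r: (-r.score, -r.impact, r.threat))

def priority_actions(risks, ratings=("critical", "high")):
    """Step 7: the risks that need a response plan first, in priority order."""
    return [r for r in rank(risks) if r.rating in ratings]

def overall_score(risks):
    """Organisation-wide snapshot on 0..100: mean score over the maximum possible."""
    return 0.0 if not risks else round(100 * sum(r.score for r in risks) / (SCALE_MAX ** 2 * len(risks)), 1)

# Constructed sample register (steps 1 to 4 as filled in by an assessment team)
REGISTER = [
    Risk("Ransomware delivered by phishing e-mail", "unpatched workstations", 4, 5),
    Risk("Laptop lost in transit", "disk not encrypted", 3, 3),
    Risk("Cloud supplier outage", "single provider, no failover", 2, 4),
    Risk("Insider copies customer data", "excessive access permissions", 2, 5),
]
```

Calling `rank(REGISTER)` lists the register highest risk first and `overall_score(REGISTER)` gives the single snapshot figure the board sees; the rating bands should be agreed with the business before use.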
That’s a very broad outline. The specifics will vary depending on your objectives and your organisation. It might be wise to bring on board a team of specialists to independently conduct your assessment: a fresh outsider’s view can often see things that people close to the action overlook.
The end result of the process is a cybersecurity risk score. It provides a snapshot of the overall cybersecurity risk your organisation is exposed to.
A cybersecurity risk score is needed not only by a company to assess its risk. It’s a way to confirm that an organisation meets the compliance requirements of government contracts, and it provides valuable information to companies looking to raise equity funding or gain insurance. If a company is looking to find a buyer, or it becomes an acquisition target, a good cyber risk assessment could boost its value.
Regardless of any need to satisfy a third party like a potential customer or investor, every organisation should aim to get its cybersecurity risk score to be as low as possible to minimise its risk of being hit by a damaging, and potentially fatal, cyberattack. A huge part of this is paying attention to, and rigorously enforcing, some basic security measures.
Implement tools to keep external threats at bay
Protecting the perimeter is a basic first step in any security regime. This is even more important today, because the huge uplift in remote working has greatly enlarged and weakened that perimeter. Every remote worker should be required to use a VPN for access to the corporate network, and to install and activate reputable firewall, anti-virus and anti-malware tools. These measures will do much to reduce the risk of a cyber attack breaching that perimeter.
However, perimeter protection is no longer sufficient; it is just the first of multiple layers. Today zero trust and multifactor authentication are becoming increasingly common practices. They start by assuming that the network is not secure.
With zero trust, every accessing device must be authorised for whatever resource it is trying to access, and every access attempt is subject to strong authentication to confirm that the user and/or access device have been given permission to access the resources sought.
We're all familiar with multifactor authentication: it uses a password and a second means of verifying that the person seeking access is who they claim to be, often a numeric code sent via SMS that must be entered to gain access.
Update and patch software promptly and universally
One of the world's worst cyberattacks, the WannaCry ransomware of 2017, infected over 300,000 computers worldwide and caused up to US$4 billion in losses. It exploited a vulnerability in Microsoft Windows software that the company had identified and issued a patch for. Those organisations infected by WannaCry had not installed the patch because doing so would have disrupted their 24/7 operation, could have prevented applications from functioning, or simply because it would have caused inconvenience. In the case of software patching, cost and business implications can sometimes get in the way, with disastrous results. The golden rule needs to be that if a piece of software or hardware is so old as to be no longer supported, it should be decommissioned immediately, and the business should factor that into its budget.
Perform cyber audits regularly
Misconfigured software and inappropriate access permissions tend to proliferate over time. They should be reviewed regularly and updated appropriately.
None of these activities, designed to boost cybersecurity, can be undertaken by cybersecurity staff in isolation; they impact the entire business. Assessing the value of data means consulting the business units that own and use the protected resources. Implementing things like zero trust and multifactor authentication affects everyone. Patching software might disrupt somebody's business activities.
So those in charge of IT security, Chief Information Security Officers (CISOs), must communicate with their fellow directors, executives or senior management team, staff and others to fulfil their role of assessing and minimising cyber risk and keeping the business safe. This is often one of the biggest challenges they face.
Get leadership buy in
However, board members' and executives' involvement in cybersecurity goals is crucial. Risk management and security affect all aspects of the company, and a breach can have serious consequences for business operations and the bottom line. CISOs need a direct voice on the board to drive action and investment. This means at least giving the CISO a seat at the table in the organisation's risk sub-committee. It will enable the board to get a better handle on the challenges and issues that directly affect their security risks and gain more visibility into the actions and investments needed to mitigate cyber risks.
Cybersecurity can be a difficult and complex topic to grasp, so frame your activities, and particularly your achievements in terms of how they impact your organisation’s business and risk mitigation strategies. Here are some things you can do as a CISO to get your message across and get buy-in from the management team and the board.
Benchmark your cyber risk rating
Boards regularly review the markets in which they operate and assess their position relative to the competition. If you can compare your cybersecurity posture against other, preferably similar, businesses you’ll get their attention. There are security ratings platforms like BitSight or SecurityScorecard that you can use that collect publicly available information. Their data can help the board visualise their cybersecurity standing relative to the current state of the market.
Some of these dashboards can be quite detailed, enabling you to demonstrate your team’s success and bolster the board’s confidence in your abilities as head of IT.
Even if you're not comparing your organisation to another, just a historical record of your Key Performance Indicators (KPIs) year on year can provide valuable insight to the board, especially when planning (and budgeting) for future projects.
Every business is a data business
But there is only so much CISOs can achieve with this ‘bottom up’ approach. Culture comes from the top. Directors and senior executives shape culture through the policies and practices they follow and by setting the right example through their own behaviour.
This is more important than ever. All modern enterprises are data-driven and data dependent. Any significant disruption or damage to their data systems and resources is certain to have a significant business impact.
Business leaders must understand the value of a low cyber risk rating and support the initiatives necessary to achieve this. It’s essential for a company’s ability to win contracts, build reliable partnerships, secure financing and get the best insurance rates, and to make sure it stays in business.