Risk. It’s everywhere. From the second you wake up until the second you go to bed a risk scenario can present itself. Stepping on my dog’s bone on the floor beside my bed is a risk I face every morning.
So what is risk? Risk is essentially the probability that harm or damage can occur from a given situation. In my example with the dog bone: Because I have a dog who likes to chew bones, there’s a risk I step on a bone from time to time.
In our last blog, we explored the observed cyber threats that continue to explode in numbers each year. Each one of these threats presents a potential risk to an organization. If you look at all of those threats, it may be hard to find one that isn’t applicable to your organization.
But what are the risks if these threats were to ever materialize? Does your organization really know how to answer that?
An organization that understands its cyber risks is better prepared to make informed cyber security decisions. Making informed decisions based on cyber risk allows organizations to protect their organizational assets appropriately, while not hindering productivity. There are tons of risk assessment methodologies out there for organizations to follow, many of which have similarities.
However, let’s not put the cart too far ahead of the horse. Where can an organization start when it comes to understanding cyber risks after deciding on a risk methodology? Well it all starts with your appetite.
The Appetite
No, I’m not talking about food. I am talking about risk appetite! In simple terms, risk appetite is the amount of risk an organization is willing to deal with in pursuit of their objectives. No organization can truly understand risk without first determining their risk appetite.
Risk appetite varies by organization and depends on a number of factors. Company culture, industry, regulatory requirements, and business objectives all play a part in an organization’s risk appetite. For example, a large hospital may be less willing to accept a certain level of risk than a medium-sized software company due to HIPAA requirements.
An organization’s risk appetite is a driving force behind the decisions made to remediate the risks discovered during a full risk assessment. Risks that exceed the determined risk appetite should be prioritized when remediating identified risks. But what could these identified risks harm? That leads us to…
What to Protect?
Okay, so you have a risk appetite, now what? The next step, and one of the most important an organization can take when it comes to cyber risks, is identifying the organizational assets needing protection. After all, how can you plan protections if you don’t even know what you have to protect?
Essentially an asset is anything that has value to an organization. Now, assets do not have to be physical assets. They are both tangible and intangible. Computers, network devices, mobile devices, etc. are all examples of tangible assets. Information, processes, and data are all examples of intangible assets.
Assets in both of these classes need to be identified to best understand risk. This also helps organizations develop an “asset inventory” if one does not already exist. A critical piece of this step is identifying the criticality of these assets too! When determining an asset’s value or criticality, one must consider factors like the asset’s role in business operations, the type of data it holds, and the cost to replace it, amongst a variety of other things.
An organization cannot protect what they don’t know is out there. Gathering this information is critical to an organization and to the risk assessment process. Once all assets are inventoried, the next thing an organization can do to understand their cyber risk is ask…
What Potential Threats Exist?
Well, to answer this question, a lot of threats exist. Some threats may be common across industries, while some threats may be more specific to an industry. When trying to understand which cyber risks are present at your organization you need to list out all potential threats.
Using a laptop, as an easy example, one potential threat would be malware. If we are talking physical documents, a potential threat to those could be theft.
To fully understand your cyber risks it is important to list out all potential threats, even if the likelihood of a threat causing harm is very low. To paint a full and clear picture, list those threats against the specific assets they could affect.
In Control of Cyber Risks?
The next thing you have to ask is what controls are in place to protect against these threats? A security control is a countermeasure or safeguard put in place to protect the confidentiality, integrity, and availability of an organization’s information assets.
In short, security controls are there to keep your assets safe. Using the laptop (asset) and malware (threat) example, an anti-virus solution is considered a security control in this situation.
Furthermore, a security control against the threat of physical file theft would be to store the files in a locked cabinet or room.
I think you probably get the picture by now. Listing out all of the applicable controls helps an organization better understand the preventative actions it is taking, against each threat, to limit the impact of cyber risks materializing against its assets.
The unfortunate fact however is that…
We’re All a Little Vulnerable
As much as we may hate to admit it, vulnerabilities exist in each of our organizations. Vulnerabilities are weaknesses that a threat can exploit, causing harm to a particular asset or group of assets.
For example, a laptop or server could be missing security patches. These missing security patches leave the assets exposed to potential exploit, therefore creating a vulnerability.
One thing that often gets overlooked is that a security control itself can create a vulnerability. But wait, aren’t controls supposed to be there for protection?
Yes, security controls are there to protect an asset when configured correctly. Misconfigured controls themselves, however, introduce potential vulnerabilities to an asset.
Going back to my laptop and malware example, the control we had stated was an anti-virus solution being installed. That’s great, but what if the virus definitions are two months out of date because the solution is misconfigured? This is a classic example of a control introducing a vulnerability.
Another thing to keep in mind is that vulnerabilities do not only exist in technologies. They can exist in the people, processes, environments, and so on. Are you locking up at the end of the day? Or is it easy to gain physical access to your facilities? Do your employees know how to defend against social engineering attacks?
All of this needs considering to create a holistic view of vulnerabilities.
The Consequences of Cyber Risk
Unfortunately in cybersecurity, when cyber risks materialize there are going to be consequences, and for the most part these consequences are negative.
Depending on the criticality and type of the asset that was exploited, the consequences of one risk event materializing may be more severe than those of another.
Some potential consequences of a cyber risk materializing include: productivity loss, financial impact, costs of replacement technologies or consulting fees to remediate the event, damage to reputation, and regulatory fines. The list of consequences can go on and on depending on the asset type and risk event.
Sometimes, an organization experiencing “consequences” of unaddressed cyber risks is what it takes to finally take their cyber risks seriously. It doesn’t always have to be that way though.
The All Powerful Cyber Risk Assessment
The risk assessment: a powerful and wonderful tool, and an organization’s best friend in cyber security. In a risk assessment there are three steps: risk identification, risk analysis, and risk evaluation. Essentially what we talked about in the above sections are all part of the risk assessment process.
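As an added illustration that is not part of the original post, the small Python risk register below walks the post’s own examples (laptop/malware with an anti-virus control, physical documents/theft with a locked cabinet, a server missing patches) through the three steps: identification, analysis, and evaluation against a risk appetite. The 1..5 scales, the numbers, and the penalty applied to a misconfigured control are all constructed assumptions, not figures from the post.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# Assumption: likelihood and impact are each scored 1 (low) .. 5 (critical),
# so a risk score (likelihood x impact) ranges from 1 to 25.

@dataclass
class Control:
    name: str
    reduction: float            # share of likelihood removed when the control works as intended
    misconfigured: bool = False

    def effective_reduction(self) -> float:
        # Assumption: a misconfigured control (e.g. anti-virus with definitions two months
        # out of date) keeps only a quarter of its value. This is how a control becomes a vulnerability.
        return self.reduction * 0.25 if self.misconfigured else self.reduction

@dataclass
class Risk:
    asset: str
    impact: int                 # asset criticality from the asset inventory: 1 .. 5
    threat: str
    likelihood: int             # inherent likelihood before any control: 1 .. 5
    controls: List[Control] = field(default_factory=list)

    def residual_likelihood(self) -> float:
        # Step 2, analysis: each control removes a share of whatever likelihood is left.
        remaining = float(self.likelihood)
        for control in self.controls:
            remaining *= 1.0 - control.effective_reduction()
        return max(remaining, 1.0)    # likelihood never drops below "rare"

    def score(self) -> float:
        return round(self.residual_likelihood() * self.impact, 1)

def evaluate(register: List[Risk], appetite: float) -> List[Tuple[str, str, float, bool]]:
    """Step 3, evaluation: rank risks highest first and flag those above the appetite."""
    ranked = sorted(register, key=lambda r: r.score(), reverse=True)
    return [(r.asset, r.threat, r.score(), r.score() > appetite) for r in ranked]

# Step 1, identification: the post's examples with constructed scores.
REGISTER = [
    Risk("laptop", 3, "malware", 4, [Control("anti-virus", 0.6)]),
    Risk("laptop (stale AV definitions)", 3, "malware", 4, [Control("anti-virus", 0.6, misconfigured=True)]),
    Risk("physical documents", 4, "theft", 3, [Control("locked cabinet", 0.5)]),
    Risk("file server (missing patches)", 5, "malware", 4, []),    # no control in place
]

APPETITE = 8.0    # constructed threshold: anything scoring above 8 is remediated first

if __name__ == "__main__":
    for asset, threat, score, exceeds in evaluate(REGISTER, APPETITE):
        print(f"{asset:32} {threat:8} score={score:5} {'EXCEEDS appetite' if exceeds else 'within appetite'}")
```

The unpatched server and the laptop with stale definitions land above the appetite and go to the top of the remediation list, while the same laptop with a working anti-virus sits comfortably inside it.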
There are many different frameworks that organizations can use. From ISO 27005 to NIST SP 800-53, organizations can pick one that best fits their needs. These frameworks (not just the two above) guide organizations through the risk assessment process. They also help guide organizations to make it a repeatable process.
Risk assessments are never a one-and-done thing. Risk management is an ongoing practice, and that is especially true in the ever-changing cyber landscape. Conducting such assessments helps an organization identify where its largest cyber risks lie and make better-informed decisions to address them.
There is a reason why many organizations continue to move towards a risk-based approach. You may be asking yourself “where would I even begin?”
Why don’t you start with seeing how our organization can help you better understand and approach this process.