Managing Cyber Risks
Adam Gleeson, Cyber Security Vendor Alliance Manager at CyberLab, explains what risk management is and why it is important for businesses that are looking to increase their cyber security.
- What is cyber risk management?
- Five steps of Cyber Risk Management
What is Cyber risk management?
Cyber risk management has, for the most part, always been an element of any businesses risk strategy or management plan. Historically this was a case of making sure we were safe from Denial-of-Service attacks or disruptive/malicious software threats.
Today however the risks that businesses face in the digital workspace are both legion in number and variety; and the intent behind them is different. The impact they have on our business has similarly changed, it is no longer about causing a nuisance and/or disrupting the operation of a business and the services it offers.
Cyber risk management is now about taking a much more focussed approach on the risks posed by todays (and tomorrows) cyber threats; this means understanding and prioritising the types of cyber threat that are most relevant to your business, determining the magnitude of the impact they could have on your ability to work and trade normally, and developing/implementing solutions and countermeasures to mitigate those risks.
Five Steps of Cyber Risk Management
This involves assessing your systems, processes, and data to identify potential vulnerabilities and threats.
The first step to identifying risks to your business is to understand the mission-critical areas of your digital environment. Key questions to identify these are:
- Which servers and/or services are critical to your ability to support business as usual operation?
- What would be the impact on your business if these critical elements were unavailable?
Assessing the likelihood and impact
Once potential risks have been identified, the next step is evaluating the likelihood of each risk occurring and what potential impact on the organisation if it does occur.
The financial risks to a business today are without doubt the elephant in the room, they are often intangible and very difficult to measure, it’s easy to dismiss expensive cyber security solutions and “run the risk” of a significant cyber incident not happening – every day organisations discover that hard way that the financial risks they thought were acceptable turn out to be orders of magnitude higher than they anticipated.
Of course, not every cyber security ‘incident’ is apocalyptic in nature but there are some that are, and their ramifications need to be understood to the greatest extent possible.
Based on the likelihood and impact of each risk, the organization should prioritize the risks that need to be addressed first. Don’t waste time on risks that are not credible at the expense of those that are. A key consideration for prioritising risk is asking how long could you sustain operations if one or more of these systems were lost?
Using a risk assessment framework is one of the best ways to prioritise the risks that have been identified. There are numerous frameworks freely available that assess risks using different approaches, its often a good idea to assess the same risks in different ways and compare the results to help you understand the severity of the risk to you; risks identified as concerns by both are a safe starting point as to where your priorities lie.
Businesses should implement proper controls to mitigate or eliminate the risks identified. These controls can include technical solutions such as firewalls and antivirus software, as well as policies and procedures to improve security awareness and incident response.
Consider how changing the way you operate might affect the risks you have identified, can small process changes or introducing security features of your existing solutions – such as encryption of data at rest – mitigate or eliminate the risks you have identified for little or no cost?
Monitoring and reviewing
For most effective risk management, businesses need to be continuously monitoring their systems and processes. This is key to ensuring that the cyber security controls that have been implemented are effective and that new risks are identified and dealt with.
Many of us are only conducting perfunctory cyber risk assessments and we would greatly benefit from adjusting our approach, Gartner’s studies have led them to the same conclusion:
“…by 2025, 60% of organizations will use cybersecurity risk as a primary determinant in conducting third-party transactions and business engagements.”
If you haven’t done so already, our Posture Assessment tool is a quick-and-easy way to identify your strengths and weaknesses, and get a better picture of your overall security posture.
We have put together a page of recommendations for improving your Risk Management, and which tools can help, which you can read here.
Featured in this Episode
Chief Executive Officer, CyberLab
With over 20 years in the IT industry, Gavin has a track record of driving successful business transformation through technology. An avid yachtsman, he’s a massive advocate for remote working and anywhere operations.
Cyber Security Vendor Alliance Manager, CyberLab
Adam has a passion for IT and cyber security. With over 15 years of experience in the industry, Adam’s resume boasts a wealth of knowledge around keeping businesses cyber secure.
Detect. Protect. Support.
Understand your security risks and how to fix them.
Take the first step to improving your cyber security posture, looking at ten key areas you and your organisation should focus on, backed by NCSC guidance.