Blog - Digital Transformation for Business Resilience

Managing Cyber Risks

Adam Gleeson, Cyber Security Vendor Alliance Manager at CyberLab, explains what risk management is and why it is important for businesses that are looking to increase their cyber security.

  • What is cyber risk management? 
  • Five steps of Cyber Risk Management 

What is cyber risk management?

Cyber risk management has, for the most part, always been an element of any business's risk strategy or management plan. Historically this was a case of making sure we were safe from Denial-of-Service attacks or disruptive/malicious software threats.

Today, however, the risks that businesses face in the digital workspace are legion in both number and variety, and the intent behind them is different. The impact they have on our business has similarly changed: it is no longer about causing a nuisance and/or disrupting the operation of a business and the services it offers.

Cyber risk management is now about taking a much more focused approach to the risks posed by today's (and tomorrow's) cyber threats. This means understanding and prioritising the types of cyber threat that are most relevant to your business, determining the magnitude of the impact they could have on your ability to work and trade normally, and developing/implementing solutions and countermeasures to mitigate those risks.


Five Steps of Cyber Risk Management

Identifying risks

This involves assessing your systems, processes, and data to identify potential vulnerabilities and threats.

The first step to identifying risks to your business is to understand the mission-critical areas of your digital environment. Key questions to identify these are:

    • Which servers and/or services are critical to your ability to support business as usual operation?

    • What would be the impact on your business if these critical elements were unavailable?

Assessing the likelihood and impact

Once potential risks have been identified, the next step is evaluating the likelihood of each risk occurring and what the potential impact on the organisation would be if it does occur.

The financial risks to a business today are without doubt the elephant in the room. They are often intangible and very difficult to measure, so it's easy to dismiss expensive cyber security solutions and "run the risk" of a significant cyber incident not happening. Every day, organisations discover the hard way that the financial risks they thought were acceptable turn out to be orders of magnitude higher than they anticipated.

Of course, not every cyber security "incident" is apocalyptic in nature, but some are, and their ramifications need to be understood to the greatest extent possible.

Prioritising risks

Based on the likelihood and impact of each risk, the organisation should prioritise the risks that need to be addressed first. Don't waste time on risks that are not credible at the expense of those that are. A key consideration for prioritising risk is asking how long you could sustain operations if one or more of these systems were lost.

Using a risk assessment framework is one of the best ways to prioritise the risks that have been identified. There are numerous frameworks freely available that assess risks using different approaches. It's often a good idea to assess the same risks in different ways and compare the results to help you understand the severity of the risk to you; risks identified as concerns by both are a safe starting point as to where your priorities lie.
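To make the prioritisation step concrete, here is an added example (not from the article or CyberLab) that scores a constructed risk register two ways: a classic likelihood × impact matrix, and a scheme that weights impact by how long the business could sustain operations without the affected system, as the article suggests asking. Risks that land in the top three under both schemes are the agreed starting point; the risk names, scores and thresholds are illustrative assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int        # 1 (rare) .. 5 (almost certain)
    impact: int            # 1 (negligible) .. 5 (severe)
    max_outage_hours: int  # how long operations could continue without the asset


# Constructed sample register; values are illustrative, not real assessments.
RISKS = [
    Risk("Ransomware on file server", likelihood=4, impact=5, max_outage_hours=8),
    Risk("Phishing of finance staff", likelihood=5, impact=3, max_outage_hours=72),
    Risk("DoS on public website", likelihood=3, impact=2, max_outage_hours=168),
    Risk("Lost unencrypted laptop", likelihood=3, impact=4, max_outage_hours=720),
    Risk("Legacy VPN appliance unpatched", likelihood=2, impact=5, max_outage_hours=24),
]


def score_matrix(r: Risk) -> int:
    """Classic 5x5 likelihood x impact heat-map score (1..25)."""
    return r.likelihood * r.impact


def score_tolerance(r: Risk) -> int:
    """Impact weighted by how little outage the business can absorb.

    Urgency bands (assumed): <= 1 day -> 5, <= 1 week -> 3, longer -> 1.
    Likelihood is added as a tie-breaker rather than multiplied.
    """
    if r.max_outage_hours <= 24:
        urgency = 5
    elif r.max_outage_hours <= 168:
        urgency = 3
    else:
        urgency = 1
    return r.impact * urgency + r.likelihood


def top_n(risks, scorer, n: int = 3) -> list:
    """Names of the n highest-scoring risks under the given scoring scheme."""
    return [r.name for r in sorted(risks, key=scorer, reverse=True)[:n]]


def agreed_priorities(risks, n: int = 3) -> list:
    """Risks that both schemes rank in their top n: the safe place to start."""
    common = set(top_n(risks, score_matrix, n)) & set(top_n(risks, score_tolerance, n))
    return sorted(common)
```

Running `agreed_priorities(RISKS)` shows the two schemes disagree on the laptop and VPN risks but both flag ransomware and phishing, which is exactly the overlap the article recommends acting on first.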

Implementing controls

Businesses should implement proper controls to mitigate or eliminate the risks identified. These controls can include technical solutions such as firewalls and antivirus software, as well as policies and procedures to improve security awareness and incident response.

Consider how changing the way you operate might affect the risks you have identified. Can small process changes, or switching on security features of your existing solutions (such as encryption of data at rest), mitigate or eliminate the risks you have identified for little or no cost?

Monitoring and reviewing

For the most effective risk management, businesses need to continuously monitor their systems and processes. This is key to ensuring that the cyber security controls that have been implemented are effective and that new risks are identified and dealt with.


Conclusion

Many of us are only conducting perfunctory cyber risk assessments and would greatly benefit from adjusting our approach. Gartner's studies have led them to the same conclusion:

"…by 2025, 60% of organizations will use cybersecurity risk as a primary determinant in conducting third-party transactions and business engagements."

If you haven't done so already, our Posture Assessment tool is a quick-and-easy way to identify your strengths and weaknesses and get a better picture of your overall security posture.

We have put together a page of recommendations for improving your risk management, and which tools can help, which you can read here.

Featured in this Episode


Chief Executive Officer, CyberLab

Gavin Wood

With over 20 years in the IT industry, Gavin has a track record of driving successful business transformation through technology. An avid yachtsman, he’s a massive advocate for remote working and anywhere operations.


Cyber Security Vendor Alliance Manager, CyberLab

Adam Gleeson

Adam has a passion for IT and cyber security. With over 15 years of experience in the industry, Adam's résumé boasts a wealth of knowledge around keeping businesses cyber secure.
