15 Considerations for Cybersecurity Risk Management

Last updated by Abi Tyas Tunggal on March 12, 2020

scroll down

Each year brings new cybersecurity threats, data breaches, attack vectors, and previously unknown vulnerabilities. Even with zero-day vulnerabilities like EternalBlue, the approach to dealing with cyber threats is the same: sound risk management framework with a systematic approach to risk assessment and response.

Cybersecurity risk management takes the idea of real-world risk management and applies it to cyber risks. The International Organization for Standardization (ISO) defines risk as "the effect of uncertainty on objectives".

Risk management is the ongoing process of identifying, assessing, and responding to risk. To manage risk, you must assess the likelihood and potential impact of an event and then determine the best approach to deal with the risk, e.g. avoid, transfer, accept, or mitigate. 

To mitigate cybersecurity risk, you must ultimately determine what kinds of security controls (prevent, deter, detect, correct, etc.) to apply. The thing is, not all risks can be eliminated nor do you have an unlimited budget or personnel to combat every risk. 

A robust cybersecurity risk management process is about managing the effects of uncertainty in a way that is cost-effective and makes efficient use of limited resources. Ideally, risk management helps identify risks early and implement appropriate mitigations to prevent incidents or attenuate their impact.

This prompts well-informed decision-making in the context of your objectives and generally contains the following six elements:

  1. Alignment to your goals and objectives
  2. Identification of risks
  3. Assessment of risks
  4. Selection of risk response
  5. Ongoing monitoring of risks
  6. Communication and reporting on risks

As such, this post offers 15 topics that are well worth considering when developing your cyber risk management strategy.  

Table of contents

  1. Build a risk management culture
  2. Ensure proper cyber hygiene
  3. Ensure you comply with relevant regulations
  4. Distribute responsibility
  5. Pay attention to your threat environment
  6. Invest in security awareness training
  7. Share information
  8. Implement a cybersecurity framework
  9. Prioritize cybersecurity risks
  10. Encourage different points of view
  11. Emphasize speed
  12. Develop a repeatable risk assessment process
  13. Implement an incident response plan
  14. Don't forget about your third and fourth-party vendors
  15. Use technology to reduce the operational overhead of cyber risk management

 

1. Build a risk management culture

Leaders must establish a culture of cybersecurity and risk management throughout your organization. By defining a governance structure and communicating intent and expectations, leaders and managers can ensure appropriate employee involvement, accountability, and training. 

With the average cost of a cyber attack exceeding $1.1 million, a risk management culture is a must. In addition to financial costs, there is a significant business impact – 54% of companies experience a loss in productivity, 43% have negative customer experiences, and 37% see a loss in brand reputation. 

The cost balloons for data breaches, with the average cost globally reaching $4 million and $8.19 million in the United States

This is why establishing a cybersecurity-focused culture throughout your organization, from part-time staff to Board members, is foundational to risk management.  

2. Ensure proper cyber hygiene

Implementing good cyber hygiene practices is the starting point for cyber risk management. 

Cyber hygiene is the cybersecurity equivalent to the concept of personal hygiene in public health literature. 

The European Union's Agency for Network and Information Security (ENISA) states that "cyber hygiene should be viewed in the same manner as personal hygiene and, once properly integrated into an organization will be simple daily routines, good behaviors, and occasional checkups to make sure the organization's online health is in optimum condition". 

At UpGuard, we believe good cyber hygiene practices create a strong security posture, as measured by a security rating. The higher your security rating, the better your security practices, and the better you can prevent data breaches, cyber attacks, phishing, malware, ransomware, exposure of personal data, and other cyber threats.

Read more in our blog post on cyber hygiene.

3. Ensure you comply with relevant regulations

Risk management, particularly third-party risk management and vendor risk management, are increasingly part of regulatory compliance requirements.

This is especially true in you work in healthcare (HIPAA) or financial services (CPS 234, PCI DSS, 23 NYCRR 500). With that said, the introduction of general data protection laws like GDPR, LGPD, the SHIELD Act, PIPEDA, CCPA, and FIPA means most organizations have risk management requirements. 

4. Distribute responsibility

The burden for cybersecurity and enterprise risk management in general, cannot solely rest with your IT security team. 

While cybersecurity professionals do their best to ensure that all risks are accounted for, no security program can be successfully implemented without participation from the entire organization. 

Your information security policies must ensure every employee is aware of potential risks, particularly social engineering attacks whether they be phishing, email attachments that spread malware, or abuse of access control and privilege escalation

It often only takes one small mistake to have your information security, network security or data security compromised. Just look at how malware at one of Target's vendors led to the exposure of 110 million credit card numbers

Read more about the biggest data breaches here

5. Pay attention to your threat environment

CISOs often don't take into account the environment they are working in. Organizations should consider investing in OPSEC and social media training for their high-profile executives. Cyber criminals are increasingly using information gathered from public sources like LinkedIn or Facebook to launch sophisticated whaling attacks.

A whaling attack is a type of phishing attack that targets high-level executives, such as the CEO or CFO, to steal sensitive information from a company. This could include financial information or employees' personal information

In some cases, scammers may pose as the CEO or other corporate officers to manipulate victims into authorizing high-value wire transfers to offshore bank accounts or to go to spoofed websites that install malware

6. Invest in security awareness training

To implement your cybersecurity plan, you need fully trained staff at all levels who are capable of identifying risks and running the processes and procedures needed to mitigate those risks. 

A good security awareness program should educate employees about corporate policies and procedures for working with IT assets and sensitive data. Employees should know who to contact if they think they've discovered a security threat and be taught which data should not be exposed over email.

Regular training is necessary for any organization, and particularly those who rely heavily on third-party vendors or temporary staff. 

The National Institute of Standards and Technology (NIST) has an excellent publication with templates and guides for what should go into a security awareness training program in NIST SP 800-50.

7. Share information

Security is a team sport. All stakeholders must be aware of risks, particularly those that are shared across departments. 

Information about what cybersecurity risks your organization is worried about must be communicated to all appropriate stakeholders, especially those involved in decision-making. Everyone needs to be aware of the potential business impact of cyber attacks and how they can help prevent them. 

Information-sharing tools, such as dashboards of relevant metrics, can keep stakeholders aware and involved. 

Consider investing in a security ratings tool that can provide a single, easy to understand metric that nontechnical stakeholders can understand. Read more about security ratings here

8. Implement a cybersecurity framework

It's important to implement an appropriate cybersecurity framework for your organization. This is typically dictated by the standards adopted by your industry or regulatory requirements. With this in mind, the most frequently adopted cybersecurity frameworks are:

  • Payment Card Industry Data Security Standards (PCI DSS): An information security standard for organizations that handle branded credit cards from major credit card schemes. 
  • ISO 27001: One of the most well-known and well-used information security standards and is part of the ISO/IEC 27000 family of standards. It is published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). 
  • CIS Critical Security Controls: A prioritized set of actions for cybersecurity that form a defense-in-depth set of specific and actionable best practices to mitigate the most common cyber attacks. A principle benefit of the CIS Controls are that they prioritize and focus on a small number of actions that greatly reduce cybersecurity risk. Read more about the CIS Controls here.
  • NIST Cybersecurity Framework: A framework, based on existing standards, guidelines and practices for private sector organizations in the United States to better manage and reduce cybersecurity risk. The framework is increasingly adopted as best practice, with 30% of U.S. organizations using it as of 2015, expected to rise to 50% by 2020. Read more about the NIST Cybersecurity Framework here.

9. Prioritize cybersecurity risks

Your organization has limited budget and staff. To prioritize risks and responses, you need information, such as trends over time, potential impact, the likelihood of impact, and when the risk may materialize (near term, medium term, long term). 

Put simply, you cannot protect against all possible threats. 

10. Encourage different points of view

Too often risk is viewed from a single viewpoint from a single source, such as the results of penetration testing, artificial intelligence, machine learning algorithms, personal experience or company history. 

The issue is that cyber criminals rarely share this same viewpoint. Malicious actors are more likely to think out of the box or use your external security posture to identify weak points in your system that you may have not considered. 

For this reason, it's important to encourage team members from all disciplines to think of and argue different attack scenarios. This sort of diverse thinking and help identify more risks and potential scenarios. 

11. Emphasize speed

When your organization is exposed to a risk, a quick response can minimize the impact. Identifying high risks early can help your team start the remediation process before they are exploited. 

This is particularly important for sensitive data exposures and leaked credentials, which is why we developed UpGuard BreachSight, the world's best data leak detection engine.                                   

For example, we were able to detect data exposed in a GitHub repository by an AWS engineer in 30 minutes. We reported it to AWS and the repo was secured the same day.

This repo contained personal identity documents and system credentials including passwords, AWS key pairs and private keys.

We're able to do this because we actively discover exposed datasets on the open and deep web, scouring open S3 buckets, public Github repos, and unsecured RSync and FTP servers. Our data leak discovery engine continuously searches for keyword lists provided by our customers and is continually refined by our team of analysts, using the expertise and techniques gleaned from years of breach research.

Other providers wait for them to end up for sale on the dark web.

12. Develop a repeatable risk assessment process

A cybersecurity risk assessment is about understanding, managing, controlling, and mitigating cyber risk across your organization.

A repeatable process is a crucial part of any organization's risk management strategy and data protection efforts. 

To begin, you'll need to auditing your data to answer the following questions:

  • What data do we collect?
  • How and where are we storing this data?
  • How do we protect and document the data?
  • How long do we keep data?
  • Who has access internally and externally to the data?
  • Is the place we are storing the data properly secured?

You'll then what to define the parameters of the risk assessment. Here are a few good questions to help you decide:

  • What is the purpose of the assessment?
  • What is the scope of the assessment?
  • Are there any priorities or constraints I should be aware of that could affect the assessment?
  • Who do I need access to in the organization to get all the information I need?
  • What risk model does the organization use for risk analysis?

Read our complete guide on how to conduct a cybersecurity risk assessment here.

13. Implement an incident response plan

An incident response plan is a set of written instructions that outline your organization's response to data breaches, data leaks, cyber attacks and security incidents. 

Implementing an incident response plan is important because it outlines how to minimize the duration and impact of security incidents, identifies key stakeholders, streamlines digital forensics, improves recovery time, reduces negative publicity and customer churn. 

Even small cybersecurity incidents, like a malware infection, when left unchecked can snowball into bigger problems that ultimately lead to data breaches, data loss, and interrupted business operations. 

Read our guide on incident response planning here

14. Don't forget about your third and fourth-party vendors

Remember that your cyber risk management responsibility doesn't end with your internal information technology assets. You need to ensure your third-party vendors and their vendors (fourth-parties) are invested in risk mitigation. This is known as vendor risk management or third-party risk management.

Third-party risk and fourth-party risk management must part of your overall cyber risk management strategy.

Read more about why vendor risk management is important here

15. Use technology to reduce the operational overhead of cyber risk management

Security ratings are a great way to identify high-risk vendors and internal assets instantly. They're a data-driven, objective, and dynamic measure of an organization's security posture. 

Just as credit ratings and FICO scores aim to provide a quantitative measure of credit risk, security ratings aim to provide a quantitative measure of cyber risk. And just like credit ratings, they make it easy for even non-technical stakeholders to assess the security risk of a particular vendor or asset.

The key idea is the higher the security rating, the better the organization's security posture.  

Companies like Intercontinental Exchange, Taylor Fry, The New York Stock Exchange, IAG, First State Super, Akamai, Morningstar, and NASA use UpGuard's security ratings to protect their data, prevent data breaches and assess their security posture.

UpGuard Vendor Risk can minimize the amount of time your organization spends assessing related and third-party information security controls by automating vendor questionnaires and providing vendor questionnaire templates.

We can help you continuously monitor your vendors' external security controls and provide an unbiased security rating. 

For the assessment of your information security controls, UpGuard BreachSight can monitor your organization for 70+ security controls providing a simple, easy-to-understand security rating and automatically detect leaked credentials and data exposures in S3 buckets, Rsync servers, GitHub repos and more.

What makes UpGuard different from other security ratings providers is there is very public evidence of our expertise in preventing data breaches and data leaks

Our expertise has been featured in the likes of The New York Times, The Wall Street Journal, Bloomberg, The Washington Post, Forbes, Reuters, and TechCrunch.

You can read more about what our customers are saying on Gartner reviews, and read our customer case studies here

If you'd like to see your organization's security rating, click here to request your free security rating.

Book a demo of the UpGuard platform today.


Related posts

Learn more about the latest issues in cybersecurity