Each year brings new cybersecurity threats, data breaches, attack vectors, and previously unknown vulnerabilities. Even with zero-day vulnerabilities like EternalBlue, the approach to dealing with cyber threats is the same: sound risk management framework with a systematic approach to risk assessment and response.
Cybersecurity risk management takes the idea of real-world risk management and applies it to cyber risks. The International Organization for Standardization (ISO) defines risk as "the effect of uncertainty on objectives".
Risk management is the ongoing process of identifying, assessing, and responding to risk. To manage risk, you must assess the likelihood and potential impact of an event and then determine the best approach to deal with the risk, e.g. avoid, transfer, accept, or mitigate.
To mitigate cybersecurity risk, you must ultimately determine what kinds of security controls (prevent, deter, detect, correct, etc.) to apply. The thing is, not all risks can be eliminated nor do you have an unlimited budget or personnel to combat every risk.
A robust cybersecurity risk management process is about managing the effects of uncertainty in a way that is cost-effective and makes efficient use of limited resources. Ideally, risk management helps identify risks early and implement appropriate mitigations to prevent incidents or attenuate their impact.
This prompts well-informed decision-making in the context of your objectives and generally contains the following six elements:
- Alignment to your goals and objectives
- Identification of risks
- Assessment of risks
- Selection of risk response
- Ongoing monitoring of risks
- Communication and reporting on risks
As such, this post offers 15 topics that are well worth considering when developing your cyber risk management strategy.
1. Build a risk management culture
Leaders must establish a culture of cybersecurity and risk management throughout your organization. By defining a governance structure and communicating intent and expectations, leaders and managers can ensure appropriate employee involvement, accountability, and training.
With the average cost of a cyber attack exceeding $1.1 million, a risk management culture is a must. In addition to financial costs, there is a significant business impact – 54% of companies experience a loss in productivity, 43% have negative customer experiences, and 37% see a loss in brand reputation.
This is why establishing a cybersecurity-focused culture throughout your organization, from part-time staff to Board members, is foundational to risk management.
2. Ensure proper cyber hygiene
Implementing good cyber hygiene practices is the starting point for cyber risk management.
Cyber hygiene is the cybersecurity equivalent to the concept of personal hygiene in public health literature.
The European Union's Agency for Network and Information Security (ENISA) states that "cyber hygiene should be viewed in the same manner as personal hygiene and, once properly integrated into an organization will be simple daily routines, good behaviors, and occasional checkups to make sure the organization's online health is in optimum condition".
At UpGuard, we believe good cyber hygiene practices create a strong security posture, as measured by a security rating. The higher your security rating, the better your security practices, and the better you can prevent data breaches, cyber attacks, phishing, malware, ransomware, exposure of personal data, and other cyber threats.
Read more in our blog post on cyber hygiene.
3. Ensure you comply with relevant regulations
Risk management, particularly third-party risk management and vendor risk management, are increasingly part of regulatory compliance requirements.
This is especially true in you work in healthcare (HIPAA) or financial services (CPS 234, PCI DSS, 23 NYCRR 500). With that said, the introduction of general data protection laws like GDPR, LGPD, the SHIELD Act, PIPEDA, CCPA, and FIPA means most organizations have risk management requirements.
4. Distribute responsibility
The burden for cybersecurity and enterprise risk management in general, cannot solely rest with your IT security team.
While cybersecurity professionals do their best to ensure that all risks are accounted for, no security program can be successfully implemented without participation from the entire organization.
Your information security policies must ensure every employee is aware of potential risks, particularly social engineering attacks whether they be phishing, email attachments that spread malware, or abuse of access control and privilege escalation.
It often only takes one small mistake to have your information security, network security or data security compromised. Just look at how malware at one of Target's vendors led to the exposure of 110 million credit card numbers.
5. Pay attention to your threat environment
CISOs often don't take into account the environment they are working in. Organizations should consider investing in OPSEC and social media training for their high-profile executives. Cyber criminals are increasingly using information gathered from public sources like LinkedIn or Facebook to launch sophisticated whaling attacks.
A whaling attack is a type of phishing attack that targets high-level executives, such as the CEO or CFO, to steal sensitive information from a company. This could include financial information or employees' personal information.
In some cases, scammers may pose as the CEO or other corporate officers to manipulate victims into authorizing high-value wire transfers to offshore bank accounts or to go to spoofed websites that install malware.
6. Invest in security awareness training
To implement your cybersecurity plan, you need fully trained staff at all levels who are capable of identifying risks and running the processes and procedures needed to mitigate those risks.
A good security awareness program should educate employees about corporate policies and procedures for working with IT assets and sensitive data. Employees should know who to contact if they think they've discovered a security threat and be taught which data should not be exposed over email.
Regular training is necessary for any organization, and particularly those who rely heavily on third-party vendors or temporary staff.
The National Institute of Standards and Technology (NIST) has an excellent publication with templates and guides for what should go into a security awareness training program in NIST SP 800-50.
7. Share information
Security is a team sport. All stakeholders must be aware of risks, particularly those that are shared across departments.
Information about what cybersecurity risks your organization is worried about must be communicated to all appropriate stakeholders, especially those involved in decision-making. Everyone needs to be aware of the potential business impact of cyber attacks and how they can help prevent them.
Information-sharing tools, such as dashboards of relevant metrics, can keep stakeholders aware and involved.
8. Implement a cybersecurity framework
It's important to implement an appropriate cybersecurity framework for your organization. This is typically dictated by the standards adopted by your industry or regulatory requirements. With this in mind, the most frequently adopted cybersecurity frameworks are:
- Payment Card Industry Data Security Standards (PCI DSS): An information security standard for organizations that handle branded credit cards from major credit card schemes.
- ISO 27001: One of the most well-known and well-used information security standards and is part of the ISO/IEC 27000 family of standards. It is published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).
- CIS Critical Security Controls: A prioritized set of actions for cybersecurity that form a defense-in-depth set of specific and actionable best practices to mitigate the most common cyber attacks. A principle benefit of the CIS Controls are that they prioritize and focus on a small number of actions that greatly reduce cybersecurity risk. Read more about the CIS Controls here.
- NIST Cybersecurity Framework: A framework, based on existing standards, guidelines and practices for private sector organizations in the United States to better manage and reduce cybersecurity risk. The framework is increasingly adopted as best practice, with 30% of U.S. organizations using it as of 2015, expected to rise to 50% by 2020. Read more about the NIST Cybersecurity Framework here.
9. Prioritize cybersecurity risks
Your organization has limited budget and staff. To prioritize risks and responses, you need information, such as trends over time, potential impact, the likelihood of impact, and when the risk may materialize (near term, medium term, long term).
Put simply, you cannot protect against all possible threats.
10. Encourage different points of view
Too often risk is viewed from a single viewpoint from a single source, such as the results of penetration testing, artificial intelligence, machine learning algorithms, personal experience or company history.
The issue is that cyber criminals rarely share this same viewpoint. Malicious actors are more likely to think out of the box or use your external security posture to identify weak points in your system that you may have not considered.
For this reason, it's important to encourage team members from all disciplines to think of and argue different attack scenarios. This sort of diverse thinking and help identify more risks and potential scenarios.
11. Emphasize speed
When your organization is exposed to a risk, a quick response can minimize the impact. Identifying high risks early can help your team start the remediation process before they are exploited.
This is particularly important for sensitive data exposures and leaked credentials, which is why we developed UpGuard BreachSight, the world's best data leak detection engine.
For example, we were able to detect data exposed in a GitHub repository by an AWS engineer in 30 minutes. We reported it to AWS and the repo was secured the same day.
This repo contained personal identity documents and system credentials including passwords, AWS key pairs and private keys.
We're able to do this because we actively discover exposed datasets on the open and deep web, scouring open S3 buckets, public Github repos, and unsecured RSync and FTP servers. Our data leak discovery engine continuously searches for keyword lists provided by our customers and is continually refined by our team of analysts, using the expertise and techniques gleaned from years of breach research.
Other providers wait for them to end up for sale on the dark web.
12. Develop a repeatable risk assessment process
A cybersecurity risk assessment is about understanding, managing, controlling, and mitigating cyber risk across your organization.
A repeatable process is a crucial part of any organization's risk management strategy and data protection efforts.
To begin, you'll need to auditing your data to answer the following questions:
- What data do we collect?
- How and where are we storing this data?
- How do we protect and document the data?
- How long do we keep data?
- Who has access internally and externally to the data?
- Is the place we are storing the data properly secured?
You'll then what to define the parameters of the risk assessment. Here are a few good questions to help you decide:
- What is the purpose of the assessment?
- What is the scope of the assessment?
- Are there any priorities or constraints I should be aware of that could affect the assessment?
- Who do I need access to in the organization to get all the information I need?
- What risk model does the organization use for risk analysis?
13. Implement an incident response plan
Implementing an incident response plan is important because it outlines how to minimize the duration and impact of security incidents, identifies key stakeholders, streamlines digital forensics, improves recovery time, reduces negative publicity and customer churn.
Even small cybersecurity incidents, like a malware infection, when left unchecked can snowball into bigger problems that ultimately lead to data breaches, data loss, and interrupted business operations.
14. Don't forget about your third and fourth-party vendors
Remember that your cyber risk management responsibility doesn't end with your internal information technology assets. You need to ensure your third-party vendors and their vendors (fourth-parties) are invested in risk mitigation. This is known as vendor risk management or third-party risk management.
Third-party risk and fourth-party risk management must part of your overall cyber risk management strategy.
15. Use technology to reduce the operational overhead of cyber risk management
Security ratings are a great way to identify high-risk vendors and internal assets instantly. They're a data-driven, objective, and dynamic measure of an organization's security posture.
Just as credit ratings and FICO scores aim to provide a quantitative measure of credit risk, security ratings aim to provide a quantitative measure of cyber risk. And just like credit ratings, they make it easy for even non-technical stakeholders to assess the security risk of a particular vendor or asset.
The key idea is the higher the security rating, the better the organization's security posture.
Companies like Intercontinental Exchange, Taylor Fry, The New York Stock Exchange, IAG, First State Super, Akamai, Morningstar, and NASA use UpGuard's security ratings to protect their data, prevent data breaches and assess their security posture.
UpGuard Vendor Risk can minimize the amount of time your organization spends assessing related and third-party information security controls by automating vendor questionnaires and providing vendor questionnaire templates.
We can help you continuously monitor your vendors' external security controls and provide an unbiased security rating.
For the assessment of your information security controls, UpGuard BreachSight can monitor your organization for 70+ security controls providing a simple, easy-to-understand security rating and automatically detect leaked credentials and data exposures in S3 buckets, Rsync servers, GitHub repos and more.
If you'd like to see your organization's security rating, click here to request your free security rating.