Cybersecurity risk management takes the idea of real-world risk management and applies it to cyber risks. The International Organization for Standardization (ISO) defines risk as "the effect of uncertainty on objectives.”
Risk management is the ongoing process of identifying, assessing, and responding to risk. To manage risk, you must assess an event's likelihood and potential impact and then determine the best approach to deal with the risk, e.g., avoid, transfer, accept, or mitigate.
Each year brings new cybersecurity threats, data breaches, attack vectors, and previously unknown vulnerabilities. Even with zero-day vulnerabilities like EternalBlue, the approach to dealing with cyber threats is the same: a sound risk management framework with a systematic risk assessment and response approach.
To mitigate cybersecurity risk, you must determine what kinds of security controls (prevent, deter, detect, correct, etc.) to apply. Not all risks can be eliminated, nor do you have an unlimited budget or personnel to combat every risk. There are practical strategies you can implement to reduce your cybersecurity risk.
A robust cybersecurity risk management strategy is about managing the effects of uncertainty in a cost-effective manner and efficiently using limited resources. Ideally, risk management helps identify risks early and implement appropriate mitigations to prevent incidents or attenuate their impact.
This prompts well-informed decision-making in the context of your objectives and generally contains the following six elements:
- Alignment to your goals and objectives
- Identification of risks
- Assessment of risks
- Selection of risk response
- Ongoing monitoring of risks
- Communication and reporting on risks
As such, this post offers 15 things to consider when developing your cyber risk management strategy.
Why is Cyber Risk Management Important?
Long ago, businesses would install a firewall and consider cybersecurity taken care of. Since then, cyber threats have become much more sophisticated and complex. Cybercriminals are far more widespread, persistent, and better equipped in today’s threat landscape.
Information security risks must be managed and remediated to prevent data breaches from occurring and keep sensitive information safe from cybercriminals and hackers. Without effective cyber risk management policies, organizations can put themselves at risk of cyber attacks with no way of recovering.
To understand how cyber risk has developed, it’s helpful to look at two key areas: technological changes in how organizations conduct business and cybercriminals who have embraced technology to launch more harmful, persistent threats.
5G and the Internet of Things (IoT)
The 5th generation of wireless mobile technology increases cyber risk because it means that cybercriminals can launch attacks and steal data more quickly than ever. Moreover, 5G enables businesses to be more connected, which creates or exacerbates network security challenges.
One of the biggest developments associated with 5G connectivity is the increased use of Internet of Things (IoT) devices. This is of particular concern in the manufacturing industry, where operational technology is rarely connected to the Internet.
Every networked IoT device adds a potentially vulnerable endpoint to an organization. The combination of device connectivity and a tendency toward inadequate inbuilt security challenges cybersecurity teams attempting to ensure network security.
Remote Access Policies
COVID-19 has accelerated the move toward remote workforces at such a rate that the technology and implementation outstripped security considerations and capabilities. Many businesses are still playing catchup to mitigate vulnerabilities in their extended networks.
Remote workers often use unsecured devices and public Wi-Fi networks shared with friends or family members, increasing the risk to organizations from various sources, including malware, data leaks, and phishing.
COVID-19 also pushed many organizations into rapid digitization and migration into cloud-based systems. With many more digital assets, organizations substantially increased their attack surfaces, often without regard for how to secure them. The rapid shift means that some organizations are not well-informed of the risks or cut corners during the process.
Artificial Intelligence (AI) and Machine Learning (ML)
While businesses use AI to automate processes and deliver efficiencies, cybercriminals can also leverage AI to perpetrate cyber attacks. For example, AI’s potential for pattern recognition could be useful to cybercriminals wishing to deliver more effective social engineering attacks. Alternatively, reverse engineering an AI system could reveal sensitive data.
To combat this trend, organizations should embrace the adoption of AI technology in their cybersecurity tools.
With supply chain attacks on the rise, companies should prioritize the influence of AI technology on branches of cybersecurity focused on the third-party landscape - Vendor Risk Management (VRM).
15 Tips for Developing Your Cyber Risk Management Strategy
1. Build a Risk Management Culture
Leaders must establish a culture of cybersecurity and risk management initiatives throughout their organization. By defining a governance structure and communicating intent and expectations, leaders and managers can ensure appropriate employee involvement, accountability, and training.
With the average cost of a cyber attack exceeding $1.1 million, a risk management culture is a must. In addition to financial costs, there is a significant business impact – 54% of companies experience a loss in productivity, 43% have negative customer experiences, and 37% see a loss in brand reputation.
The cost balloons for data breaches, with the average cost globally reaching over $4 million and $8.19 million in the United States. This is why establishing a cybersecurity-focused culture throughout your organization, from part-time staff to Board members, is foundational to risk management.
2. Ensure Proper Cyber Hygiene
Implementing good cyber hygiene practices is the starting point for cyber risk management.
Cyber hygiene is the cybersecurity equivalent of personal hygiene in public health literature.
The European Union's Agency for Network and Information Security (ENISA) states that "cyber hygiene should be viewed in the same manner as personal hygiene and, once properly integrated into an organization, will be simple daily routines, good behaviors, and occasional checkups to make sure the organization's online health is in optimum condition”.
At UpGuard, we help enforce good cyber hygiene practices to build stronger security postures, as measured by a security rating. The higher your security rating, the better your security practices, and the better you can prevent data breaches, cyber attacks, phishing, malware, ransomware, exposure of personal data, and other cyber threats.
Read more in our blog post on cyber hygiene.
3. Ensure You Comply With Relevant Regulations
This is especially true if you work in healthcare (HIPAA) or financial services (CPS 234, PCI DSS, 23 NYCRR 500). With that said, the introduction of general data protection laws like GDPR, LGPD, the SHIELD Act, PIPEDA, CCPA, and FIPA means most organizations have risk management requirements.
4. Distribute Responsibility
The burden for cybersecurity and enterprise risk management, in general, cannot solely rest with your IT security team.
While cybersecurity professionals do their best to ensure that all risks are accounted for, no security program can be successfully implemented without participation from the entire organization.
Your information security policies must ensure every employee is aware of potential risks, particularly social engineering attacks, whether phishing, email attachments that spread malware, or abuse of access control and privilege escalation.
It often only takes one small mistake to compromise your information security, network security, or data security. Just look at how malware at one of Target's vendors exposed 110 million credit card numbers.
5. Pay Attention to Your Threat Environment
CISOs often don't take into account the environment they are working in. Organizations should consider investing in OPSEC and social media training for their high-profile executives. Cybercriminals increasingly use information from public sources like LinkedIn or Facebook to launch sophisticated whaling attacks.
A whaling attack is a type of phishing attack that targets high-level executives, such as the CEO or CFO, to steal sensitive information from a company. This could include financial information or employees' personal information.
In some cases, scammers may pose as the CEO or other corporate officers to manipulate victims into authorizing high-value wire transfers to offshore bank accounts or to go to spoofed websites that install malware.
6. Invest in Security Awareness Training
To implement your cybersecurity plan, you need fully trained staff at all levels who are capable of identifying risks and running the processes and procedures needed to mitigate those risks.
A good security awareness program should educate employees about corporate policies and procedures for working with IT assets and sensitive data. Employees should know who to contact if they think they've discovered a security threat and be taught which data should not be exposed over email.
Regular training is necessary for any organization, particularly those who rely heavily on third-party vendors or temporary staff.
The National Institute of Standards and Technology (NIST) has an excellent publication with templates and guides for what should go into a security awareness training program in NIST SP 800-50.
7. Share Information
Security is a team sport. All stakeholders must be aware of risks, particularly those shared across departments.
Information about what cybersecurity risks your organization is worried about must be communicated to all appropriate stakeholders, especially those involved in decision-making. Everyone needs to be aware of the potential business impact of cyber attacks and how they can help prevent them.
Information-sharing tools, such as dashboards of relevant metrics, can keep stakeholders aware and involved.
8. Implement a Cybersecurity Framework
It's important to implement an appropriate cybersecurity framework for your organization. This is typically dictated by the standards adopted by your industry or regulatory requirements. With this in mind, the most frequently adopted cybersecurity frameworks are:
- Payment Card Industry Data Security Standards (PCI DSS) — An information security standard for organizations that handle branded credit cards from major credit card schemes.
- ISO 27001 — ISO of the most well-known and well-used information security standards and is part of the ISO/IEC 27000 family of standards. It is published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).
- CIS Critical Security Controls — A prioritized set of actions for cybersecurity that form a defense-in-depth set of specific and actionable best practices to mitigate the most common cyber attacks. A principal benefit of CIS Controls is that they prioritize and focus on a small number of actions that greatly reduce cybersecurity risk.
- NIST Cybersecurity Framework (NIST CSF) — A framework based on existing standards, guidelines, and practices for private sector organizations in the United States to manage better and reduce cybersecurity risk.
9. Prioritize Cybersecurity Risk Remediation
Your organization has a limited budget and staff. To prioritize risks and responses, you need information, such as trends over time, potential impact, the likelihood of impact, and when the risk may materialize (near term, medium term, long term).
Simply put, you cannot protect against all possible threats. Organizations must review their risk profiles, identify which risks to remediate or mitigate first, and implement the necessary security measures to protect their most critical assets from threats.
10. Encourage Different Points of View
Too often, risks are viewed from a single viewpoint from a single source, such as the results of penetration testing, artificial intelligence, machine learning algorithms, personal experience, or company history.
The issue is that cyber criminals rarely share this same viewpoint. Malicious actors are more likely to think out of the box or use your external security posture to identify weak points in your system that you may not have considered.
For this reason, it's important to encourage team members from all disciplines to think of and argue different attack scenarios. This sort of diverse thinking helps identify more risks and potential scenarios.
11. Emphasize Speed
A quick response can minimize the impact when your organization is exposed to a risk. Identifying high risks early can help your team start the remediation process before they are exploited.
This is particularly important for sensitive data exposures and leaked credentials, which is why we developed UpGuard BreachSight, the world's best data leak detection engine.
For example, we detected data exposed in a GitHub repository by an AWS engineer in 30 minutes. We reported it to AWS, and the repo was secured the same day.
This repo contained personal identity documents and system credentials, including passwords, AWS key pairs, and private keys.
We can do this because we actively discover exposed datasets on the open and deep web, scouring open S3 buckets, public Github repos, and unsecured RSync and FTP servers. Our data leak discovery engine continuously searches for keyword lists provided by our customers and is continually refined by our team of analysts, using the expertise and techniques gleaned from years of breach research.
Other providers wait for them to end up for sale on the dark web.
12. Develop a Repeatable Risk Assessment Process
A cybersecurity risk assessment is about understanding, managing, controlling, and mitigating cyber risk across your organization.
A repeatable process is crucial to any organization's risk management strategy and data protection efforts.
To begin, you'll need to audit your data to answer the following questions:
- What data do we collect?
- How and where are we storing this data?
- How do we protect and document the data?
- How long do we keep data?
- Who has access internally and externally to the data?
- Is the place we are storing the data properly secured?
You'll then need to define the parameters of the risk assessment. Here are a few good questions to help you decide:
- What is the purpose of the assessment?
- What is the scope of the assessment?
- Are there any priorities or constraints I should be aware of that could affect the assessment?
- Who do I need access to in the organization to get all the information I need?
- What risk model does the organization use for risk analysis?
13. Implement an Incident Response Plan
Implementing an incident response plan is important because it outlines how to minimize the duration and impact of security incidents, identifies key stakeholders, streamlines digital forensics, improves recovery time, and reduces negative publicity and customer churn.
14. Don't Forget About Your Third and Fourth-Party Vendors
Remember that your cyber risk management responsibility doesn't end with your internal information technology assets. You need to ensure your entire supply chain, which includes third-party vendors and their vendors (fourth parties), is invested in risk mitigation. This is known as vendor risk management or third-party risk management.
Third-party and fourth-party risk management must part of your overall cyber risk management program and strategy.
15. Use Technology to Reduce the Operational Overhead of Cyber Risk Management
Security ratings are a great way to instantly identify high-risk vendors and internal assets in real-time. They're a data-driven, objective, and dynamic measure of an organization's security posture. The key idea is the higher the security rating, the better the organization's security posture.
Just as credit ratings and FICO scores aim to provide a quantitative measure of credit risk, security ratings aim to provide a quantitative measure of cyber risk. And just like credit ratings, they make it easy for even non-technical stakeholders to assess the security risk of a particular vendor or asset.
Certain software and technology, like UpGuard, can help any organization streamline its risk management processes and help reduce the amount of time, resources, and manpower required to reduce risks.