No organization is impervious to cyberattacks. But what separates resilient businesses from data breach victims is superior risk management.
Resilience is achieved through the meticulous calculation of all potential risks and the application of necessary control measures to mitigate them.
In this post, we present a 4-step framework for a reliable risk management plan.
What is a Cyber Risk?
In cybersecurity, risk is the likelihood that a threat will cause damage to sensitive data, critical assets, finances, or reputation, weighted by the severity of that damage. Such damage usually results from cyberattacks or data breaches.
Not all risks are equal; some are more critical than others.
For example, the level of risk associated with a website only displaying static information is lower than the risk associated with a web application accessing sensitive customer data.
Cyber risk is estimated by considering the identified security threat, how vulnerable the asset is to that threat, and the value of the information or asset at stake, which determines the impact if the threat is realized.
At a high level, this can be expressed as:
Cyber risk = Threat x Vulnerability x Information Value
Threat and vulnerability together capture how likely exploitation is; information value captures how much it would hurt.
The terms cyber threat and security threat are used interchangeably, but threat, vulnerability, and risk are not the same thing: a threat is a potential cause of harm (an attacker, malware, a careless insider), a vulnerability is a weakness that the threat can exploit, and risk is the resulting likelihood and impact of harm.
Some examples of cyber risks include:
How to Mitigate Cyber Risks
The process of mitigating cyber risks begins by collecting data about the target ecosystem. This is achieved through risk assessments of both the internal network and the third-party vendor network.
In order for these risk assessments to collect the most valuable data, they need to align with business objectives.
Cyber risks should also be considered for short-term project objectives.
Cyber risks can derail project plans, so a cyber risk assessment process should be a vital component of project risk management.
The results of a cybersecurity risk assessment should identify all the risks associated with exposed assets.
This is then followed by either a qualitative risk analysis or a quantitative risk analysis in light of a defined risk appetite. The results will establish the specifications of all necessary risk responses.
Learn how to calculate the risk appetite for your Third-Party Risk Management program.
A qualitative risk analysis is the more popular option since it assigns risks to categories rather than to a specific dollar value. This is often preferred since security risks are faster to act on when ranked by their level of criticality.
Step 1: Specify Acceptable Levels of Risk
Addressing every security risk is an inefficient use of security resources and in many cases unnecessary.
A more sustainable approach is to define a risk appetite and use it to sort risks into four response categories:
- Avoid - Aim to reduce or eliminate risks by adjusting program requirements
- Accept - Acknowledge risks without implementing controls to address them.
- Control - Deploy efforts that minimize the impact and probability of risks
- Monitor - Monitor risks for any changes in severity
This will also ensure the most critical threats are addressed first, keeping security posture as strong as possible during the most delicate process in cybersecurity - digital transformation.
Learn how to calculate risk appetite and residual risk.
Risk thresholds differ between assets. It's therefore important to identify all exposed assets so that each can be assigned its own threshold.
Digital footprint mapping will help you identify all relevant assets and their potential risks.
Learn how to create a digital footprint.
Step 2: Choose a Risk Assessment
Risk assessments have two primary objectives:
- To identify all risks in a target environment.
- To keep stakeholders and decision-making project team members informed of the security process.
There are many risk assessment standards to choose from. Some are mandatory for highly regulated sectors to ensure resilience for industry-specific risks.
Here's a list of popular assessment standards:
- NIST (National Institute of Standards and Technology)
- CIS Controls (Center for Internet Security Controls)
- ISO (International Organization for Standardization)
- HIPAA (Health Insurance Portability and Accountability Act) / HITECH Omnibus Rule
- PCI-DSS (The Payment Card Industry Data Security Standard)
- GDPR (General Data Protection Regulation)
- CCPA (California Consumer Privacy Act)
- AICPA (American Institute of Certified Public Accountants)
- SOX (Sarbanes-Oxley Act)
- COBIT (Control Objectives for Information and Related Technologies)
- GLBA (Gramm-Leach-Bliley Act)
- FISMA (Federal Information Security Modernization Act of 2014)
- FedRAMP (The Federal Risk and Authorization Management Program)
- FERPA (The Family Educational Rights and Privacy Act of 1974)
- ITAR (International Traffic in Arms Regulations)
- COPPA (Children’s Online Privacy Protection Rule)
- NERC CIP Standards (NERC Critical Infrastructure Protection Standards)
Each of these assessments can be created manually from an assessment template. For a high-level vendor assessment, this checklist can be used.
If your requirements do not align with any of the above standards, you can design your own assessment with a custom questionnaire builder.
To speed up the risk analysis process, a security risk management tool such as UpGuard can be used.
UpGuard manages the creation and distribution of all risk assessments, as well as any required response efforts for identified risks.
The following questionnaires are available on the UpGuard platform:
- CyberRisk Questionnaire
- ISO 27001 Questionnaire
- Short Form Questionnaire
- NIST Cybersecurity Framework Questionnaire
- PCI DSS Questionnaire
- California Consumer Privacy Act (CCPA) Questionnaire
- Modern Slavery Questionnaire
- Pandemic Questionnaire
- Security and Privacy Program Questionnaire
- Web Application Security Questionnaire
- Infrastructure Security Questionnaire
- Physical and Data Centre Security Questionnaire
- COBIT 5 Security Standard Questionnaire
- ISA 62443-2-1:2009 Security Standard Questionnaire
- ISA 62443-3-3:2013 Security Standard Questionnaire
- GDPR Security Standard Questionnaire
- CIS Controls 7.1 Security Standard Questionnaire
- NIST SP 800-53 Rev. 4 Security Standard Questionnaire
- SolarWinds Questionnaire
- Kaseya Questionnaire
To see how these assessments are managed in the UpGuard platform, click here for a free trial.
Step 3: Prioritize Risks
All unacceptable risks should be further ranked by level of criticality. This can be achieved with a risk matrix, which plots the likelihood of each risk being exploited against the impact on sensitive resources if it is.
All of the potential hazards identified through security questionnaires and risk assessments should then be placed on such a risk matrix and assigned a corresponding risk score.
This separates high risks from those with lower likelihood or impact, setting the foundation for a more efficient remediation program.
For more information about designing an efficient remediation program, read this risk remediation planning whitepaper from UpGuard.
A variation of this classification strategy can also be applied to third-party risks to optimize vendor risk management - a process known as vendor tiering.
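To make the risk matrix, the risk score, and the response categories from Step 1 concrete, here is an added Python example. It is not UpGuard's code and does not describe how the UpGuard platform scores risks; the 5x5 scale, the score bands for rating and response, the vendor-tier cut-offs, and the sample risk register are all assumptions chosen for illustration. Likelihood stands in for the Threat x Vulnerability part of the formula above and impact stands in for Information Value.

```python
"""Risk matrix scoring, prioritization, and vendor tiering.

Added example with assumed scales and thresholds; not a standard's values.
"""
from typing import Any, Dict, List

# Ordinal 1-5 scales for a 5x5 risk matrix (assumption: labels and scale are illustrative).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost_certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Risk appetite as score bands: (upper bound of band, response category from Step 1).
# Score = likelihood x impact, so it ranges 1..25. Thresholds are assumed.
APPETITE = [(4, "accept"), (9, "monitor"), (16, "control"), (25, "avoid")]

# Constructed sample risk register mixing internal and vendor-owned exposures.
SAMPLE_RISKS: List[Dict[str, str]] = [
    {"asset": "customer-portal", "owner": "internal",
     "hazard": "unauthenticated access to customer PII", "likelihood": "likely", "impact": "severe"},
    {"asset": "brochure-site", "owner": "internal",
     "hazard": "defacement of static marketing pages", "likelihood": "possible", "impact": "minor"},
    {"asset": "payroll-saas", "owner": "PayrollCo",
     "hazard": "admin login without MFA", "likelihood": "likely", "impact": "major"},
    {"asset": "printer-fleet", "owner": "PrintCo",
     "hazard": "vendor remote-maintenance access", "likelihood": "unlikely", "impact": "moderate"},
    {"asset": "file-share", "owner": "internal",
     "hazard": "stale service account with write access", "likelihood": "possible", "impact": "moderate"},
]


def risk_score(likelihood: str, impact: str) -> int:
    """Cell value of the risk matrix: likelihood rating times impact rating."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def rating(score: int) -> str:
    """Qualitative criticality bucket for a score (assumed bands)."""
    if score >= 17:
        return "critical"
    if score >= 10:
        return "high"
    if score >= 5:
        return "medium"
    return "low"


def response(score: int) -> str:
    """Map a score to the risk-appetite response category (avoid/control/monitor/accept)."""
    for ceiling, action in APPETITE:
        if score <= ceiling:
            return action
    raise ValueError(f"score {score} is outside the 1..25 matrix")


def prioritize(risks: List[Dict[str, str]]) -> List[Dict[str, Any]]:
    """Score every risk and order by score, then impact, so the worst comes first."""
    scored: List[Dict[str, Any]] = []
    for r in risks:
        s = risk_score(r["likelihood"], r["impact"])
        scored.append({**r, "score": s, "rating": rating(s), "response": response(s)})
    return sorted(scored, key=lambda r: (-r["score"], -IMPACT[r["impact"]], r["asset"]))


def tier_vendors(scored: List[Dict[str, Any]]) -> Dict[str, str]:
    """Vendor tiering: a vendor's tier follows its single worst-scored risk (assumed cut-offs)."""
    worst: Dict[str, int] = {}
    for r in scored:
        if r["owner"] == "internal":
            continue
        worst[r["owner"]] = max(worst.get(r["owner"], 0), r["score"])
    return {v: "tier 1" if s >= 10 else "tier 2" if s >= 5 else "tier 3"
            for v, s in worst.items()}


if __name__ == "__main__":
    ordered = prioritize(SAMPLE_RISKS)
    for r in ordered:
        print(f'{r["score"]:>2} {r["rating"]:<8} {r["response"]:<8} {r["owner"]:<9} '
              f'{r["asset"]}: {r["hazard"]}')
    print(tier_vendors(ordered))
```

Running the script lists the customer portal first (score 20, avoid), the payroll vendor second (16, control), and the two score-6 items last, with the defaced brochure site ranked below the printer fleet because its impact is lower. The same register also yields the vendor tiers (PayrollCo in tier 1, PrintCo in tier 2), which is the point of vendor tiering: a vendor's tier is driven by its worst exposure, not by how many questionnaire items it answered.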
Step 4: Implement Security Controls
With hazard identification complete, security controls can then be implemented for all types of risk that require management.
The effectiveness of each risk management process should be monitored with security scores, which evaluate security posture across multiple attack vectors.
A drop in a security score could indicate new risks, which should then be fed back through steps 3 and 4 of this framework.
Mitigate Cyber Risks with UpGuard
UpGuard's comprehensive attack surface monitoring engine discovers security risks both internally and throughout the vendor network. This risk management solution also manages the remediation process for all discovered risks, helping organizations address vulnerabilities before attackers find them.