Information Risk Management (IRM) is a form of risk mitigation through policies, procedures, and technology that reduces the threat of cyber attacks from vulnerabilities and poor data security and from third-party vendors. Data breaches have massive, negative business impact and often arise from insufficiently protected data.
In this article, we outline how you can think about and manage your cyber risk from an internal and external perspective to protect your most sensitive data. External monitoring through third and fourth-party vendor risk assessments is part of any good risk management strategy.
Additionally, we highlight how your organization can improve your cyber security rating through key processes and security services that can be used to properly secure your own and your customers most valuable data.
You Need Information Risk Management
Regardless of your level of risk acceptance, information technology risk management programs are an increasingly important part of enterprise risk management.
In fact, many countries including the United States have introduced government agencies to promote better cybersecurity practices. The National Institute of Standards and Technology's (NIST) Cybersecurity Framework "provides a high level taxonomy of cybersecurity outcomes and a methodology to assess and manage those outcomes."
There are now regulatory requirements, such as the General Data Protection Regulation (GDPR) or APRA's CPS 234, that mean managing your information systems correctly must be part of your business processes.
Companies are increasingly hiring Chief Information Security Officers (CISO) and turning to cybersecurity software to ensure good decision making and strong security measures for their information assets.
Cyber Attacks aren't Your Only Problem
When organizations think about their threat landscape and cyber risk exposure, they often think about attackers with malicious intent from an outside organization or foreign powers attempting to steal critical assets, valuable trade secrets, other information that is the target of corporate espionage, or to spread propaganda.
However, data breaches are increasingly occurring from residual risks like poorly configured S3 buckets, or poor security practices from third-party service providers who have inferior information risk management processes.
To combat this it's important to have vendor risk assessments and continuous monitoring of data exposures and leaked credentials as part of your risk treatment decision making process.
Risk avoidance isn't enough.
Not only do customers expect data protection from the services they use, the reputational damage of a data leak is enormous. Not to mention companies and executives may be liable when a data leak does occur.
Cyber Risk Management Must Be Part of Enterprise Risk Management
Every organization should have comprehensive enterprise risk management in place that addresses four categories:
- Strategy: High-level goals aligning and supporting the organization's mission
- Operations: Effective and efficient use of resources
- Financial reporting: Reliability of operational and financial reporting
- Compliance: Compliance with applicable laws and regulations
Cyber risk transverses all four categorizes and must be managed in the framework of information security risk management, regardless of your organization's risk appetite and risk sensitivity.
How to Think About Cyber Risk
Cyber risk is tied to uncertainty like any form of risk. As such, we should use decision theory to make rational choices about which risks to minimize and which risks to accept under uncertainty.
In general, risk is the product of likelihood times impact giving us a general risk equation of risk = likelihood * impact.
IT risk specifically can be defined as the product of threat, vulnerability and asset value:
Risk = threat * vulnerability * asset value
What is a Threat?
A threat is the possible danger an exploited vulnerability can cause, such as breaches or other reputational harm. Threats can either be intentional (i.e. hacking) or accidental (e.g. a poorly configured S3 bucket, or possibility of a natural disaster).
Think of the threat as the likelihood that a cyber attack will occur.
What is a Vulnerability?
A vulnerability is a threat that can be exploited by an attacker to perform unauthorized actions. To exploit a vulnerability, an attacker must have a tool or technique that can connect to a system's weakness. This is known as the attack surface.
It's not enough to understand what the vulnerabilities are, and continuously monitor your business for data exposures, leaked credentials and other cyber threats.
The more vulnerabilities your organization has, the higher the risk.
What is Asset Value?
Arguably, the most important element of managing cyber risk is understanding the value of the information you are protecting.
The asset value is the value of the information and it can vary tremendously.
Information like your customer's personally identifying information (PII) likely has the highest asset value and most extreme consequences.
How to Manage Information Security Risk
Good news, knowing what information risk management is (as we outlined above) is the first step to improving your organization's cybersecurity.
The next step is to establish a clear risk management program, typically set by an organization's leadership. That said, it is important for all levels of an organization to manage information security.
Vulnerabilities can come from any employee and it is fundamental to your organization's IT security to continually educate employees to avoid poor security practices that lead to data breaches.
This usually means installing intrusion detection, antivirus software, two-factor authentication processes, firewalls, continuous security monitoring of data exposures and leaked credentials, as well as third-party vendor security questionnaires.
Best in class vendor risk management teams who are responsible for working with third and fourth-party vendors and suppliers monitor and rate their vendor's security performance and automate security questionnaires.
Cybersecurity risk management is becoming an increasingly important part of the lifecycle of any project. Organizations need to think through IT risk, perform risk analysis, and have strong security controls to ensure business objectives are being met.