Life is full of uncertainty. For businesses, the risk to their information systems is a major concern. They face threats from inside and outside, as well as the possibility of ruinous mistakes and physical disasters. Managers need to understand cyber risk and keep it under control.
"Cyber risk" means the possibility of harmful consequences resulting from failures in information systems.
These consequences include financial loss and business interruption. The causes include low-tech mishaps such as fires and theft, but online threats are the most challenging and potentially expensive risks. Risk management covers not only technical issues but also policies and personal actions.
Protect your information assets through expertly conducted penetration testing. Call RedTeam Security at (952) 836-2770 or contact us online for a free consultation.
Many factors contribute to an organization's risk profile. The major ones include the following:
A business needs an enterprise risk management policy and a set of practices based on it. Managing risk is an ongoing task that requires a consistent approach and regular attention.
NIST recommends a process consisting of four steps: frame, assess, respond, and monitor. These steps aren't a linear sequence but rather feed into each other:
Frame: Identify the organization's requirements and constraints. The questions to ask include: How much risk is acceptable? What kind of adversaries does the business face? What are the priorities, and what tradeoffs are acceptable?
Assess: Identify threats that the organization faces and weaknesses in its current situation. Determine what adverse impact the threats could cause.
Respond: Implement specific responses to threats. Evaluate alternatives that could provide better protection instead of or in addition to currently implemented actions.
Monitor: Determine if the response plans in place are effective. Identify new risks that arise from changing cyber threats or new technologies.
Risk isn't static. Some risks go up over time and others go down. Cybercriminals employ new strategies. Information technology changes, people adopt new devices, and software usage patterns evolve.
For example, suppose a company adopts videoconferencing on a large scale. In that case, it has to deal with issues like file sharing, visual and audio information leaks, and the security of the conferencing infrastructure. Risks that rarely occurred before become important. A cyber risk management policy needs to take these changes into account.
New protective technologies provide better ways to reduce risk. For example, almost all anti-malware measures once relied on "signatures," identifying bit patterns to detect malicious code. As the rate of malware production has grown, protective software has adopted methods such as behavior analysis and machine learning to catch previously unidentified attacks.
Every organization should conduct a risk assessment to better understand what it stands to lose and where the most significant dangers are. An excellent place to start is by downloading and studying the NIST Guide for Conducting Risk Assessments.
An assessment starts with a risk model, identifying the factors to consider. Then, it lists the vulnerabilities and threats to look for. Vulnerabilities aren't limited to IT security issues; they include organizational and human factors. For example, poor communication and untrained employees count as vulnerabilities.
It's necessary to assess risks at all levels. At the organizational level, decision-makers set policies and establish communication channels that affect the risk level. At the level of business processes, the effectiveness of safeguards and attention to policies may increase or decrease the risk. For example, information systems may have robust security measures or dangerous gaps in data protection. An assessment determines how serious the risks are at each level and what their impact would be.
Risk assessments aren't just a one-time action. Instead, they should be performed regularly, considering changes that introduce or mitigate dangers.
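As an added illustration (not part of the original article, and not NIST's own code), here is a small Python risk register in the spirit of the Guide for Conducting Risk Assessments: entries span the three tiers the text names, include human and organizational vulnerabilities alongside IT ones, and are re-scored rather than dropped when a safeguard changes likelihood. The level scale, the matrix values and the register entries are constructed for this example.

```python
"""Minimal risk register in the style of a NIST SP 800-30 assessment.
Constructed example: scales, matrix values and entries are illustrative."""
from dataclasses import dataclass, replace

LEVELS = ["Very Low", "Low", "Moderate", "High", "Very High"]

# Risk-determination matrix indexed [likelihood][impact]. Values are
# constructed to mirror the shape of the guide's table: risk rises with
# both factors, and a very unlikely event stays low even at high impact.
RISK_MATRIX = [
    ["Very Low", "Very Low", "Very Low", "Very Low", "Low"],   # Very Low likelihood
    ["Very Low", "Low", "Low", "Low", "Moderate"],             # Low
    ["Very Low", "Low", "Moderate", "Moderate", "High"],       # Moderate
    ["Very Low", "Low", "Moderate", "High", "Very High"],      # High
    ["Very Low", "Low", "Moderate", "High", "Very High"],      # Very High
]

@dataclass(frozen=True)
class Risk:
    tier: str           # organization / business process / information system
    vulnerability: str  # organizational and human factors count, not just IT
    threat: str
    likelihood: str     # one of LEVELS
    impact: str         # one of LEVELS

def risk_level(risk: Risk) -> str:
    """Combine likelihood and impact through the matrix."""
    return RISK_MATRIX[LEVELS.index(risk.likelihood)][LEVELS.index(risk.impact)]

def rank(register: list[Risk]) -> list[tuple[str, Risk]]:
    """Highest risk first, so the 'respond' step starts at the top."""
    scored = [(risk_level(r), r) for r in register]
    return sorted(scored, key=lambda s: LEVELS.index(s[0]), reverse=True)

def apply_control(risk: Risk, likelihood: str) -> Risk:
    """Re-assess after a safeguard changes likelihood (the 'monitor' step)."""
    return replace(risk, likelihood=likelihood)

# Constructed register spanning the three tiers named in the text.
REGISTER = [
    Risk("organization", "no incident communication channel", "delayed breach response", "Moderate", "High"),
    Risk("business process", "untrained employees", "phishing leads to credential theft", "High", "High"),
    Risk("information system", "unpatched remote-access gateway", "remote exploitation", "Low", "Very High"),
]

if __name__ == "__main__":
    for level, r in rank(REGISTER):
        print(f"{level:9} {r.tier:19} {r.vulnerability}")
    # After phishing training the same entry is re-scored, not removed.
    print("after training:", risk_level(apply_control(REGISTER[1], "Low")))
```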
Assessing cybersecurity risk requires identifying both technical and human issues. On the technical side, strong security measures and frequent backups are critical. At the same time, risk reduction requires people to be aware of the risks and know how to avoid them. A security culture is as important as a firewall in protecting information systems from cybercrime and other threats.
Training and evaluation help ensure people have the necessary knowledge and habits. For example, they should understand strong passwords, phishing scams, and safe browsing. In addition, unannounced tests, such as sending out a simulated email phishing message, help to measure employees' security habits.
Employees should be encouraged to double-check when they receive dubious communications. For example, a message which appears to come from a supervisor or customer may be bogus, and people who receive suspicious messages should be encouraged to verify their authenticity.
Technical methods can limit exposure to harm by human error. Following the principle of least privilege limits the damage cybercriminals can do. People should have only the permissions they need to do their work. Even administrators should use accounts with limited privileges when doing normal work. They should use their administrative accounts only for tasks that require them.
Shadow IT, the use of unauthorized hardware and software, is a chronic problem in many organizations. Components that are not in the IT inventory and have not yet been verified are likely to introduce risks. Organizations with strict security have to ban anything that doesn't go through an approval process. In other organizations, a certain amount of flexibility and informal approval may be better. The important thing is to know what's going on and keep it under a suitable level of control.
It's hardest to manage risk when things change abruptly and fundamentally. That happened in 2020 with the coronavirus pandemic. Businesses are, wherever possible, letting their employees work remotely. Where people are still in their workplaces, they're keeping a distance from each other and not holding in-person meetings. Criminals see this as an opportunity to exploit the problems the new arrangements create.
The Computer Security Resource Center has created a downloadable Guide for Enterprise Telework, Remote Access, and BYOD Security. It predates the pandemic but has a lot of applicable advice.
The supply chain may experience disruptions. Updates and notifications might not happen as reliably as in normal times. Communication can break down.
Allowing outside access to a company's networks creates potential problems. Employee-owned machines are outside the direct control of the IT department. They hold applications that may cause data security risks. Some probably have malware on them. It may be worth offering free anti-malware software to all employees. Badly outdated systems, such as Windows XP, should be denied access.
Network segmentation reduces the risk from remote access. All outside access should terminate in a subnetwork with limited access to the rest of the network, and that subnetwork should be monitored for cyber threats. Remote employees should reach company systems through a VPN, using multifactor authentication.
IT staff who work remotely may not be able to provide cybersecurity support as readily. For example, employees can't get a quick answer on whether a message is legitimate or a scam they should ignore. The information security officer needs to make sure people can communicate about such issues.
Reminding employees to be risk-aware and providing them with the tools to maintain secure access will help to protect a business's valuable assets.
Every business has a different risk situation. Management needs a risk assessment to determine what is vulnerable and needs protection. Then, security policies and training are necessary to avoid mistakes. Finally, information systems require constant attention.
Remember that risk management is as much a people issue as a technological one. Everyone has a part to play. When every employee is committed to protecting sensitive information, the chance of data breaches and downtime is much smaller.
Verification is important. You need to ensure that your people and machines effectively reduce risk.