Life is full of uncertainty. For businesses, the risk to their information systems is a major concern. They face threats from inside and outside, as well as the possibility of ruinous mistakes and physical disasters. Managers need to understand cyber risk and keep it under control.
“Cyber risk” means the possibility of harmful consequences resulting from failures in information systems.
These consequences include financial loss and business interruption. They include low-tech mishaps such as fires and theft, but the most difficult and potentially expensive risks come from online threats. Risk management covers not only technical issues but policies and personal actions.
Many factors contribute to an organization’s risk profile. The major ones include the following:
A business needs an enterprise risk management policy and a set of practices based on it. Managing risk is an ongoing task that requires a consistent approach and regular attention.
NIST recommends a process consisting of four steps: frame, assess, respond, and monitor. These steps aren’t a linear sequence but rather feed into each other:
Frame: Identify the organization’s requirements and constraints. The questions to ask include: How much risk is acceptable? What kind of adversaries does the business face? What are the priorities, and what tradeoffs are acceptable?
Assess: Identify the threats the organization faces and the vulnerabilities in its current situation, estimate how likely each threat is to be realized, and determine the adverse impact it could cause.
Respond: Decide how to handle each identified risk (accept, avoid, mitigate, or transfer it) and implement the chosen controls. Evaluate alternatives that could provide better protection instead of or in addition to the actions already in place.
Monitor: Determine whether the responses in place are effective and are actually being followed. Identify new risks that arise from changing cyber threats or new technologies.
Risk isn’t static. Some risks go up over time and others go down. Cyber criminals employ new strategies. Information technology changes, people adopt new devices, and software usage patterns evolve.
For example, if a company adopts videoconferencing on a large scale, it has to deal with issues like file sharing, visual and audio information leaks, and the security of the conferencing infrastructure. Risks that rarely occurred before become important. A cyber risk management policy needs to take these changes into account.
New protective technologies provide better ways to reduce risk. At one time, almost all anti-malware measures relied on “signatures,” identifying bit patterns to detect malicious code. As the rate of malware production has grown, protective software has adopted methods such as behavior analysis and machine learning to catch previously unidentified attacks.
Every organization should conduct a risk assessment to get a better understanding of what it stands to lose and where the greatest dangers are. A good place to start is by downloading and studying the NIST Guide for Conducting Risk Assessments (Special Publication 800-30).
An assessment starts with a risk model, which identifies the factors to consider. It lists the vulnerabilities and threats to look for. Vulnerabilities aren’t limited to IT security issues; they include organizational and human factors. Poor communication and untrained employees count as vulnerabilities.
It’s necessary to assess risks at all levels. At the organizational level, decision makers set policies and establish communication channels that affect the risk level. At the level of business processes, the effectiveness of safeguards and attention to policies may increase or decrease the risk. Information systems may have strong security measures or dangerous gaps in data protection. An assessment determines how serious the risks are at each level and what their impact would be.
Risk assessment isn’t just a one-time action. It needs to be performed periodically, taking into account changes that introduce or mitigate dangers.
Assessing cybersecurity risk requires identifying both technical and human issues. On the technical side, strong security measures and backups are the key: backups should be taken frequently, kept where an attacker who has compromised the network cannot reach or alter them, and tested by actually restoring from them. At the same time, risk reduction requires people to be aware of the risks and know how to avoid them. A culture of security is as important as a firewall in keeping information systems safe from cybercrime and other threats.
Training and evaluation help to ensure that people have the necessary knowledge and habits. They need to understand matters such as strong passwords, phishing scams, and safe browsing. Unannounced tests, such as sending out a simulated phishing message, help to measure employees’ security habits.
Employees should be encouraged to double-check when they receive dubious communications. A message that appears to come from a supervisor or customer may be forged, and recipients should verify it through a separate channel, such as a phone call to a number they already know, rather than by replying to the message itself.
Technical controls can limit the damage that human error causes. Following the principle of least privilege limits the harm cybercriminals can do with a compromised account. People should have only the permissions they need to do their work. Even administrators should use accounts with limited privileges when doing normal work such as reading email and browsing, and use their administrative accounts only for tasks that require them.
“Shadow IT,” the use of unauthorized hardware and software, is a chronic problem in many organizations. Components that aren’t in the IT inventory and haven’t been verified are likely to introduce risks. Organizations with strict security have to ban anything that doesn’t go through an approval process. In other organizations, a certain amount of flexibility and informal approval may be better. The important thing is to know what’s going on and keep it under a suitable level of control.
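Knowing what is actually on the network is the first step in controlling shadow IT. The following script is an added example, not code from the original article: it reconciles the devices a DHCP server has handed leases to against the approved asset inventory, flagging MAC addresses nobody has registered and registered devices that show up under an unexpected hostname. The inventory CSV and the dhcpd.leases-style records are constructed sample data, and the hostname and owner columns are assumed conventions.

```python
"""Reconcile devices seen on the network against the approved IT inventory.

Added example, not from the original article. Inputs: an asset inventory
export (mac,hostname,owner) and an ISC dhcpd.leases-style file. Both sets
of records below are constructed sample data, not real devices.
"""
import csv
import io
import re

# Constructed sample inventory export (columns are an assumed convention).
INVENTORY_CSV = """\
mac,hostname,owner
aa:bb:cc:00:00:01,wk-alice,alice
aa:bb:cc:00:00:02,wk-bob,bob
aa:bb:cc:00:00:03,printer-2f,facilities
aa:bb:cc:00:00:04,wk-carol,carol
"""

# Constructed dhcpd.leases-style records (simplified ISC format).
DHCP_LEASES = """\
lease 10.0.20.11 {
  hardware ethernet aa:bb:cc:00:00:01;
  client-hostname "wk-alice";
}
lease 10.0.20.12 {
  hardware ethernet AA:BB:CC:00:00:02;
  client-hostname "WK-BOB";
}
lease 10.0.20.40 {
  hardware ethernet de:ad:be:ef:00:01;
  client-hostname "Galaxy-S10";
}
lease 10.0.20.41 {
  hardware ethernet aa:bb:cc:00:00:03;
  client-hostname "nas-finance";
}
lease 10.0.20.42 {
  hardware ethernet 00:11:22:33:44:55;
}
"""

LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)
MAC_RE = re.compile(r"hardware ethernet\s+([0-9a-f:]{17})", re.I)
HOST_RE = re.compile(r'client-hostname\s+"([^"]*)"')


def load_inventory(csv_text):
    """Return {mac: (hostname, owner)} with MACs and hostnames lower-cased."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["mac"].lower(): (row["hostname"].lower(), row["owner"])
            for row in reader}


def parse_leases(text):
    """Return {mac: (ip, hostname-or-None)}.

    dhcpd.leases appends new blocks rather than rewriting old ones, so when a
    MAC appears more than once the last block wins. Blocks without a
    hardware address are skipped.
    """
    latest = {}
    for match in LEASE_RE.finditer(text):
        ip, body = match.group(1), match.group(2)
        mac = MAC_RE.search(body)
        if not mac:
            continue
        host = HOST_RE.search(body)
        latest[mac.group(1).lower()] = (ip, host.group(1).lower() if host else None)
    return latest


def reconcile(inventory, leases):
    """Compare observed devices with the inventory.

    unknown:  MAC on the network that is not in the inventory (shadow IT candidate)
    mismatch: inventoried MAC announcing a different hostname (reimaged, repurposed,
              or someone reusing a known address)
    not_seen: inventoried device that has not appeared (stale inventory or offline)
    """
    findings = {"unknown": [], "mismatch": [], "not_seen": []}
    for mac, (ip, host) in leases.items():
        if mac not in inventory:
            findings["unknown"].append((ip, mac, host))
        elif host is not None and host != inventory[mac][0]:
            findings["mismatch"].append((ip, mac, host, inventory[mac][0]))
    for mac, (host, owner) in inventory.items():
        if mac not in leases:
            findings["not_seen"].append((mac, host, owner))
    return findings


if __name__ == "__main__":
    report = reconcile(load_inventory(INVENTORY_CSV), parse_leases(DHCP_LEASES))
    for category, items in report.items():
        print(f"{category}: {len(items)}")
        for item in items:
            print("   ", item)
```

Run against a real inventory export and a real leases file, the "unknown" list is the starting point for a conversation, not automatically a ban list: a personal phone on the guest network is a different problem from an unregistered NAS holding finance data. The "mismatch" category deserves attention too, because a known MAC with a new name is how a repurposed or spoofed device hides inside an inventory that only checks addresses.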
It’s hardest to manage risk when things change abruptly and fundamentally. That has happened in 2020 with the coronavirus pandemic. Businesses are, wherever possible, letting their employees work remotely. Where people are still in their workplaces, they’re keeping a distance from each other and not holding in-person meetings. Criminals see this as an opportunity to exploit the problems the new arrangements create.
NIST’s Computer Security Resource Center publishes the downloadable Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security (Special Publication 800-46). It predates the pandemic but has a lot of applicable advice.
The supply chain may experience disruptions. Updates and notifications might not happen as reliably as in normal times. Communication can break down.
Allowing outside access to a company’s networks creates potential problems. Employee-owned machines aren’t under the direct control of the IT department. They hold applications which may cause data security risks, and some probably have malware on them. It may be worth offering free anti-malware software to all employees. Systems running an operating system that no longer receives security updates, such as Windows XP, should be denied access.
Network segmentation reduces the risk from remote access. All outside connections should terminate in a dedicated subnetwork that can reach only the internal services remote workers actually need, not the rest of the network. That subnetwork, and the VPN gateway’s logs, should be monitored for cyber threats such as a remote machine probing for internal hosts. Remote employees should access company systems through a VPN, using multifactor authentication.
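The remote-access rules above (MFA required, unsupported operating systems refused, the remote-access segment allowed to reach only listed services, and the segment monitored) can be written down as an executable policy. The script below is an added example, not code from the original article or from any VPN product: the subnet, the service allow-list, the unsupported-OS list and the sample connection attempts are all assumed or constructed for illustration, and a real deployment would enforce the same decisions in the VPN gateway and the firewall between segments rather than in a script.

```python
"""Evaluate remote-access requests against a segmentation-plus-posture policy.

Added example, not from the original article. Models the policy described in
the text: MFA required, endpoints on operating systems without security
updates refused, and the remote-access segment may reach only an explicit
list of internal services. Subnets, services and requests are assumed or
constructed sample data.
"""
import ipaddress
from dataclasses import dataclass

# Assumed addressing: VPN clients land in this segment.
REMOTE_ACCESS_SEGMENT = ipaddress.ip_network("10.200.0.0/24")

# Assumed allow-list of (destination network, TCP port) the segment may reach.
ALLOWED_SERVICES = {
    (ipaddress.ip_network("10.10.5.0/24"), 443),    # internal web applications
    (ipaddress.ip_network("10.10.7.10/32"), 3389),  # a single jump host
}

# Operating systems that no longer receive vendor security updates
# (the text names Windows XP; the others are well-known end-of-life releases).
UNSUPPORTED_OS = ("windows xp", "windows vista", "windows 7")


@dataclass
class AccessRequest:
    user: str
    mfa_verified: bool
    client_os: str
    src_ip: str
    dst_ip: str
    dst_port: int


def evaluate(req):
    """Return (allowed, code). Checks are ordered so the first failure decides."""
    if not req.mfa_verified:
        return False, "no_mfa"
    if req.client_os.lower().startswith(UNSUPPORTED_OS):
        return False, "unsupported_os"
    if ipaddress.ip_address(req.src_ip) not in REMOTE_ACCESS_SEGMENT:
        return False, "bad_source"          # traffic claims to be remote but is not
    dst = ipaddress.ip_address(req.dst_ip)
    if any(dst in net and req.dst_port == port for net, port in ALLOWED_SERVICES):
        return True, "allowed"
    return False, "not_allowed"             # segment policy: default deny


def flag_probing(requests, threshold=3):
    """Monitoring rule: users refused by the segment policy for at least
    `threshold` distinct destinations. Repeated refused connections to
    different internal hosts is what a compromised remote endpoint scanning
    the network looks like, and it is only visible if denials are logged."""
    refused = {}
    for req in requests:
        if evaluate(req) == (False, "not_allowed"):
            refused.setdefault(req.user, set()).add((req.dst_ip, req.dst_port))
    return sorted(u for u, dsts in refused.items() if len(dsts) >= threshold)


# Constructed sample connection attempts.
SAMPLE_REQUESTS = [
    AccessRequest("alice", True, "Windows 10", "10.200.0.15", "10.10.5.20", 443),
    AccessRequest("bob", False, "macOS 10.15", "10.200.0.16", "10.10.5.20", 443),
    AccessRequest("carol", True, "Windows XP", "10.200.0.17", "10.10.5.20", 443),
    AccessRequest("dave", True, "Windows 10", "10.200.0.18", "10.10.9.1", 445),
    AccessRequest("dave", True, "Windows 10", "10.200.0.18", "10.10.9.2", 445),
    AccessRequest("dave", True, "Windows 10", "10.200.0.18", "10.10.9.3", 445),
    AccessRequest("eve", True, "Ubuntu 20.04", "10.200.0.19", "10.10.7.10", 3389),
    AccessRequest("mallory", True, "Windows 10", "192.168.1.5", "10.10.5.20", 443),
]


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        allowed, code = evaluate(req)
        print(f"{req.user:8} {req.src_ip:>13} -> {req.dst_ip}:{req.dst_port:<5} "
              f"{'ALLOW' if allowed else 'DENY ':5} {code}")
    print("users probing internal hosts:", flag_probing(SAMPLE_REQUESTS))
```

Two design points carry over to real infrastructure. The destination check is an allow-list with a default deny, which is what "limited access to the rest of the network" means in a firewall rule: anything not explicitly permitted from the remote-access segment is dropped and logged. And the denials are kept, not discarded, because a user whose machine tries port 445 on three internal addresses in a row is a signal the monitoring team wants even though every one of those connections was blocked.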
When IT people work remotely, they may not be able to provide cybersecurity services as efficiently. Employees can’t check as easily if a message is legitimate or is a scam they should ignore. The information-security officer needs to make sure people can communicate about such issues.
Reminding employees to be risk-aware and providing them with the tools to maintain secure access will help to protect a business’s valuable assets.
Every business has a different risk situation. Management needs to start with a risk assessment to determine what is vulnerable and needs protection. Security policies and training are necessary to avoid mistakes. Information systems need constant attention.
Remember that risk management is as much a people issue as a technological one. Everyone has a part to play. When every employee is committed to protecting sensitive information, the chance of data breaches and downtime is much smaller.
Verification is important. You need to make sure that your people and machines are effective at risk reduction.