Cybersecurity should always be a paramount consideration when businesses horizon scan current and future risks. There are lots of articles relating to large organisations falling foul of regulatory and legal requirements, particularly relating to customer data and loss in service. This invariably results in financial penalties and impacts the standing and reputation of the organisation.
Cybersecurity unfortunately does not stop at having good endpoint security, firewalls deployed, or maintaining good compliance; these are just a subset of technical controls. In today’s interconnected world of networks, with third-party network involvement, multi-cloud connectivity, the flexibility for users to use their own devices, and the work-from-anywhere business model recently adopted worldwide, the threat landscape has increased dramatically. With the accepted assume-breach mindset, managing risks to the organisation’s assets should be a top priority.
Risk management is not a static target and is constantly moving. It is the process of assessing, analysing, prioritising, and making a strategy for mitigating threats and managing risks to an organisation’s assets, reputation, and financial status. It should underpin any organisation’s approach to cybersecurity controls.
Having a mature risk management process ensures the controls are relevant and appropriate, and that the collective costs of implementing and managing the safeguards or controls never exceed the value of the assets being protected. Introducing new control(s) to mitigate an identified risk also needs careful consideration, as a control can itself turn out to be a risk if not configured correctly. For example, a firewall (one that is not hardened) introduced to a network with its administrative telnet port enabled is a security risk, as it does more harm than good.
Risk management should be an ongoing opportunity to understand key assets across an organisation, with the vulnerabilities of and threats against those assets being fundamental. It helps businesses understand which key assets require control measures, aligning the controls to protect the customers consuming those services and to protect the business by maintaining optimal operations and uptime.
What does this mean?
So, what is meant by these terms? Here is a quick glossary. An asset is anything with value to the organisation. A threat is anything that poses potential danger; this could be a threat from hackers, ransomware, or social engineering, for example. A vulnerability is a weakness that exists; examples could be open ports with vulnerable services or a lack of network segmentation.
An organisation’s controls fall into three categories: Administrative, Logical/Technical and Physical. Administrative controls are composed of policies and procedures relating to aspects like onboarding/offboarding, network policy and acceptable use policy. Logical/Technical controls consist of firewalls or intrusion detection systems, for example. Then there are physical controls to consider; these consist of doors, mantraps and CCTV. These lists are not exhaustive.
Risk Management can be conducted in two ways, qualitatively and quantitatively. Qualitative risk analysis defines how likely and dangerous the risk would be if it were to happen; it can be quite subjective and past experiences can play a key role.
Quantitative risk analysis focuses on attributing an objective monetary value to protecting the asset from risks; it is based on the financial impact to the business. Both approaches require engagement with business system owners to help understand the criticality of that asset to the business.
Conducting Risk Management
Conducting risk management analysis allows a business to ensure the controls that are in place are proportionate to the threat to, and loss of, that asset. Take, for example, some web services that are published externally to the public: what is the impact to the business if those assets are compromised through a ‘denial-of-service attack’? Are the control measures in proportion to the service loss?
You will need to consider factors like customer-facing services holding PII (Personally Identifiable Information) and the financial and reputational impact of that data being compromised or not available.
When referring to information, a business should always consider the CIA model: Confidentiality, Integrity, and Availability. Confidentiality is protecting the asset from unauthorised disclosure; integrity is protecting the data asset from unauthorised changes; and availability is about making sure data is available when required. In this instance, if the web services were compromised by a ‘denial-of-service attack’, the availability part of the triad would not be met.
NIST Risk Management Framework
Management of risks of all critical assets is time-consuming and requires a great deal of due diligence from a diverse set of stakeholders. Therefore, adopting the NIST Risk Management Framework is highly recommended.
For example, the involvement of the asset owner right from the point when risk to their asset is identified through to the stage of implementing and assessing technical control(s) to mitigate the risk is not only important but cannot be disregarded. It brings about transparency and accountability to the process, which ultimately helps senior management to authorise the implemented controls and be aware of the organisation’s cybersecurity related procedures.
Cyber Security Measures
The options for cybersecurity measures are extensive and could include SIEM, SOAR, Data Loss Prevention solutions, and Intrusion Detection systems, but being objective about the risks, and therefore the threats, will help make the cybersecurity posture proportionate and effective. It is important that the decisions on what to do with risks are also well informed. Should the business transfer the risk, mitigate it, accept it or avoid it? These are the decisions to make.
One of the biggest threats to a business is the “insider threat”, i.e., a threat internal to your organisation. This could be a disgruntled employee or negligent behaviour by an employee when using the business systems. These threats can be countered by having effective awareness training and ensuring employees understand the landscape of threats.
Some of the insider threat can also be mitigated through job rotation, mandatory holiday, separation of duties or least privilege (need-to-know) controls. Risk management should consider the supply chain and the insider threat, and understand what is important to the operation of the business and which assets are the most valuable.
What do you need to do next?
In summary, cybersecurity is not just about investing in bleeding-edge technology with Machine Learning or Artificial Intelligence capabilities. Cybersecurity is very nuanced and must even consider how effective your user awareness training is by educating users on modern threats.
Objective risk management will inform the cybersecurity initiatives and the required investment. Risk management should be strategised with the goals of reducing the likelihood and impact of risks to business operations, continuously monitoring the implemented controls and assessing them regularly, and having senior management’s oversight. This is especially important when it comes to risks to mission-critical assets and those with substantial financial impact.
Implementing costly technologies without understanding the risks first can be counterintuitive. So, truly understanding what needs to be secured and how to do so in a cost-effective manner, coupled with the “Keep it Simple” principle of good design, is what organisations need to base their strategies on.
For more information about risk management and implementing a proportionate cyber security posture, get in touch with our Security and Infrastructure Team.