Cybersecurity risk management is a critical topic for small businesses, mid-sized businesses, and enterprises. Cyber attacks against U.S. businesses are growing substantially every year. In fact, businesses in almost all industries and sectors are seeing a year-over-year increase in cyber threats that result in breaches of sensitive data. Unfortunately, you probably don’t have an unlimited budget for your information security program. That’s where cybersecurity risk management comes in: conducting a risk assessment, then building logical business processes and IT security controls to effectively manage your most critical risks. The risk assessment enables you to reduce your risk by deploying your assets to manage the most critical threats to your most sensitive data. There’s no such thing as being 100% risk-free, so building a smart risk management strategy is critical to prioritizing the threats you must mitigate and the assets you must protect.
Risk Management is about using your budget and time to protect your most valuable assets and minimize the chances that a catastrophic data breach occurs. Building an effective risk management process is critical for meeting regulatory compliance, mitigating risk, and preventing cybercriminals from compromising your organization’s information security program.
What is Cybersecurity Risk Management?
To understand cybersecurity risk management, we first need to understand the basic equation for risk.
Risk = Threat x Vulnerability x Loss.
This basic formula should inform your cybersecurity risk management and information security program. As an example:
Let’s say you have a server with minimal protection on an unsecured network. This server houses the PHI (Personal Health Information) of 2,300 people. The risk to this IT asset would be calculated by the probability that an attacker will attempt to compromise the server (high), times the vulnerability of the server (high), multiplied by the loss if the server is compromised (high). In many cases, risk managers use basic 1-10 scales to determine each of the three criteria during a risk assessment.
Cybersecurity risk management is the practice of defining an acceptable level of risk, then minimizing organizational cyber risk where possible to reach that level. Many U.S. organizations base their risk management approach on NIST 800-30, which provides a comprehensive framework for conducting risk assessments and implementing cybersecurity controls to mitigate risk. NIST stands for the National Institute of Standards and Technology and is widely considered to be the gold standard for cybersecurity processes. So let’s start with the first step towards building your cybersecurity risk management program: a risk assessment.
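As an added illustration of the formula and the acceptable-risk threshold (example code written for this page, not part of the original article): a small risk register that scores each asset on the 1-10 scales described above, rejects out-of-range scores, and lists the assets whose risk exceeds the level the organization has decided it will accept. The asset names, scores and threshold are constructed sample values.

```python
from dataclasses import dataclass

SCALE_MIN, SCALE_MAX = 1, 10  # the 1-10 scale used for each of the three criteria


@dataclass(frozen=True)
class Asset:
    name: str
    threat: int         # likelihood an attacker attempts to compromise it (1-10)
    vulnerability: int  # how exposed the system is: weak controls, missing patches (1-10)
    loss: int           # business impact if it is compromised (1-10)


def risk_score(asset: Asset) -> int:
    """Risk = Threat x Vulnerability x Loss, after validating each score is on the 1-10 scale."""
    for label, value in (("threat", asset.threat),
                         ("vulnerability", asset.vulnerability),
                         ("loss", asset.loss)):
        if not SCALE_MIN <= value <= SCALE_MAX:
            raise ValueError(f"{asset.name}: {label} score {value} is outside {SCALE_MIN}-{SCALE_MAX}")
    return asset.threat * asset.vulnerability * asset.loss


def prioritize(assets, acceptable_risk: int):
    """Return (asset, score) pairs above the acceptable level, highest risk first.

    Assets at or below the threshold are accepted risk and fall off the work list.
    """
    scored = sorted(((a, risk_score(a)) for a in assets), key=lambda pair: pair[1], reverse=True)
    return [(a, s) for a, s in scored if s > acceptable_risk]


def residual_risk(asset: Asset, new_vulnerability: int) -> int:
    """Re-score an asset after a control (e.g. patching) lowers only its vulnerability score."""
    return risk_score(Asset(asset.name, asset.threat, new_vulnerability, asset.loss))


# Constructed sample register; the first entry mirrors the article's PHI server scenario.
REGISTER = [
    Asset("phi-server", threat=9, vulnerability=9, loss=9),
    Asset("payroll-app", threat=6, vulnerability=4, loss=8),
    Asset("marketing-site", threat=7, vulnerability=5, loss=2),
    Asset("dev-wiki", threat=3, vulnerability=6, loss=3),
]
ACCEPTABLE_RISK = 100  # constructed threshold out of a maximum possible score of 1000

if __name__ == "__main__":
    for asset, score in prioritize(REGISTER, ACCEPTABLE_RISK):
        print(f"{asset.name:15} risk={score:4}  (max {SCALE_MAX ** 3})")
```

Running it lists only phi-server (729) and payroll-app (192); the two lower-scoring assets sit inside the accepted level and are left for later.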
Conducting a Risk Assessment
Conducting a cybersecurity risk assessment allows you to identify your information systems and the risk to them using a standard methodology. This allows you to prioritize protecting your most valuable assets by implementing security controls on the critical infrastructure and information systems that contain sensitive data. Your risk assessment should inform your IT security strategy going forward. It should include a detailed risk analysis for all IT assets and categorize potential risks to IT systems based on the threat landscape and the potential impact of a data breach. As mentioned previously, NIST 800-30 provides guidance on conducting risk assessments that businesses can use to begin their risk assessment process.
Identify IT Assets and Sensitive Data
When conducting a risk assessment, your first step should be identifying your IT assets and the types of data they hold. This step is crucial because some IT assets will hold highly sensitive data such as PHI or PII, which can have serious business impacts if compromised. Other IT assets might be less critical. Also be sure to note whether you hold any data that might cause you to fall under a cybersecurity compliance requirement, such as the HIPAA Security Rule, the NYDFS cybersecurity regulations, GDPR, or SOC 2 compliance requirements.
Understand how Information Systems are used in Business Processes
Ensure that you understand how your IT assets factor into business processes. Start with the systems that you operate within your company and have total control over and then work your way out. Some information systems may be critical for conducting payroll or invoicing customers, while others may have a more minor role. Maintaining the availability of highly critical systems is crucial from a risk management perspective. Make sure to consult stakeholders across the organization so that you get a full picture of how an IT asset is being used. Don’t assume that just because one department or another isn’t using a server or store of data that it doesn’t have value.
For the systems that operate outside of your organization, focus on reviewing the contracts you signed regarding those systems. Try to answer the following questions:
How are you notified if there is an outage?
How are you compensated for an outage or loss of service?
Will they notify you in the event that the service provider suffers a breach?
How do they back up their data?
Can you store a copy of your data locally?
Once you have cataloged your IT assets, identified sensitive data, and determined business criticality, it is time to examine threats to those systems. Threats don’t necessarily have to be cybercriminals, either. A flood, earthquake, or power outage can take important IT infrastructure offline just as easily as malware or a phishing attack. Managing cyber risk involves accounting for all of these possibilities, not just one.
Lastly, you want to identify the vulnerabilities of your IT assets. This involves evaluating the security controls that currently protect each IT system, along with its current patch level and any known vulnerabilities that affect it. For example, you may find out that an OS you are using has a known zero-day exploit, which should certainly be factored into your assessment.
Your completed risk assessment should leave you with a documented and comprehensive understanding of your IT infrastructure, vulnerabilities, threats, and the risk to each IT asset. Your next step will be to implement risk mitigation strategies using the metrics you identified during your risk assessment.
Implementing your Cybersecurity Risk Management Program
It’s time to implement your cybersecurity risk management program. We strongly recommend that you use a cybersecurity framework throughout your organization, such as the NIST Cybersecurity Framework. This is a first step, though, not the last. Your cybersecurity program should focus on protecting your most valuable IT assets as part of a broader enterprise risk management strategy.
If you currently do not have a cybersecurity program, your IT and security teams should focus on implementing security measures such as authentication, firewalls, and access control on the highest-risk systems first before moving to lower-risk systems. Your cybersecurity program should be based on your organizational risk profile and should include, at a minimum:
Incident Response Planning
Security Policies and Procedures
Appointment of a Chief Information Security Officer (CISO)
Engage an Incident Response Team (Even if you don’t need one yet)
Unsure about Managing your Cybersecurity Risk? Touchstone Security can Help
Finding a cybersecurity solution that works for your business is tough. Most offerings on the market consist of a set of rebranded tools resold at exorbitant prices. Touchstone Security is different. We will work with you to create a flexible, streamlined cybersecurity program that integrates directly with your business and provides concrete, measurable security. Our team has experience designing, implementing, and managing cybersecurity programs for dozens of Fortune 500 companies, government agencies, and businesses around the world. We are ready to help you build a competent and comprehensive cybersecurity risk management strategy.