Risk is inevitable, whether it is business risk, financial risk, risk to life or the personal decisions that we make every day. And now we have cybersecurity risk. Cybersecurity has become an important aspect of business strategy and even a boardroom topic. In this post we will learn all about cybersecurity risk management and controls.

We cannot see the future and know the exact risk that will befall us. That's why we have a whole industry to take care of it! Insurance. However, we can anticipate and prepare for risk and act when we encounter it. We should be asking questions like:
- What will be the impact of that risk?
- How do we assess or analyze potential risk?
- How do we measure or quantify risk and its impact?
- How do we plan for risk?
- What kind of decisions can we take about risks?

All this is applicable in business and also for cybersecurity risk. In the context of cybersecurity risk, technology leaders must be prepared to answer these questions. They also face these questions from board members, promoters, investors, analysts and media:
- What’s your Risk Appetite?
- What’s your Risk Tolerance?
- What’s your Risk Quotient?
- What’s your Risk Management or Risk Mitigation strategy?
Before we get to all this, let’s review the definition of Risk.
According to (ISC)2, risk is a measure of the extent to which an entity is threatened by a potential circumstance or event.
Risk is often expressed as a combination of:
- The adverse impacts that would arise if the circumstance or event occurs, and
- The likelihood of occurrence.
Likelihood of occurrence depends on the environment or the situation on the ground. A mission-critical business such as a bank or a data center will take all precautions, so the likelihood of risks such as theft of money (bank) or power failure (data center) is low.

Impact is the magnitude of the harm that can be expected to result from the consequences of a cyberattack, unauthorized intrusion, data theft/breach, loss of information, information system unavailability, credential theft, or physical security violation.

Having said that, there are still unforeseen risks like natural disasters or wars that can impact business. So in that sense, risk cannot be zero, although it can be mitigated through certain actions.

What kind of cybersecurity risks can a business face?
Cyberattacks are a common occurrence and an organization typically faces multiple cyberattacks on a daily basis. The attacks could be malware, ransomware, denial of service/botnet attacks, data theft, insider threats, website defacement, credential/identity theft, phishing attacks and more.
The risk and impact to business, as the possible consequences of cyberattacks, could be: unavailability of services (and dissatisfied customers), loss of reputation, loss of customers, lower credit ratings and market value, and loss of revenue.

Let's be clear about some important and relevant cybersecurity terms before we delve deeper into risk discussions.

Asset: Something valuable that is owned by an individual or the organization and needs protection. It could be a physical asset (server, laptop, router) or an information asset like data or intellectual property.

Vulnerability: An inherent weakness, gap, flaw, or defect in a system, process or software (a bug). The vulnerability may be discovered by a researcher or hacker, who could then either exploit it to get unauthorized access to an information system or disclose it to the organization or software developer (vulnerability disclosure).

Threat: Someone or something that attempts to exploit a vulnerability to gain unauthorized access to data, intellectual property or information assets. On gaining access they may try to steal credentials or data, cause physical damage, encrypt everything in storage (ransomware), or make the information systems unavailable to customers and employees (DDoS attack).

Threat actor: A threat actor or malicious actor is a person or a group of people that takes part in an action intended to cause damage or disruption to computers, devices, systems, or networks.

Threat vector / attack vector: A pathway or method used by a threat actor to illegally access a network or information system by exploiting a system vulnerability.
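As an added illustration (not from the original post or the (ISC)2 material) of expressing risk as a combination of likelihood and impact and then checking it against a stated risk tolerance: a small risk register that uses the asset, threat and threat-vector terms defined above. The 1 to 5 scales, the matrix bands and the register entries are assumptions constructed for the example.

```python
from dataclasses import dataclass

# Qualitative scales mapped to numbers. These scales are an assumption for
# this example; the post does not prescribe a particular scale.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass(frozen=True)
class Risk:
    asset: str        # what needs protection
    threat: str       # who or what could exploit a vulnerability
    vector: str       # pathway the threat actor would use
    likelihood: str   # key in LIKELIHOOD
    impact: str       # key in IMPACT

    def score(self) -> int:
        """Risk expressed as the combination of likelihood and impact (1..25)."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]


def rating(score: int) -> str:
    """Map a score onto the bands of a 5x5 risk matrix (band edges are an assumption)."""
    if score >= 15:
        return "critical"
    if score >= 8:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


def prioritise(register, tolerance: int):
    """Rank risks by score and flag those that exceed the stated risk tolerance."""
    ranked = sorted(register, key=lambda r: r.score(), reverse=True)
    return [(r.asset, r.threat, r.score(), rating(r.score()), r.score() > tolerance)
            for r in ranked]


# Constructed sample register using the threat types named in the post.
REGISTER = [
    Risk("customer database", "ransomware group", "phishing email", "likely", "severe"),
    Risk("public website", "hacktivist", "DDoS / botnet", "possible", "moderate"),
    Risk("admin credentials", "insider", "credential theft", "unlikely", "major"),
    Risk("office laptop", "opportunistic thief", "physical theft", "possible", "minor"),
]

if __name__ == "__main__":
    # Anything flagged True sits above a tolerance of 8 and needs a decision.
    for row in prioritise(REGISTER, tolerance=8):
        print(row)
```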
In the next part of this post I will show you how to manage risk and what kind of actions you need to take to deal with risk.
To comment on this post write to the author at: [email protected]

Reference: (ISC)2 course material for the (ISC)2 CC course.

DIGITAL CREED is an initiative by technology journalist Brian Pereira