
What is Cybersecurity Risk and How Can You Manage It?

Melissa Stevens | January 10, 2017

This post was updated on January 27, 2020.

In the world of risk management, risk is commonly defined as threat times vulnerability times consequence. The objective of risk management is to mitigate vulnerabilities to threats and the potential consequences, thereby reducing risk to an acceptable level. When applied to cybersecurity, this equation provides a great deal of insight on steps organizations can take to mitigate risk.

In this article, we’ll propose a definition of cybersecurity risk as laid out by the risk formula, and best practices your organization can take to implement a cybersecurity risk management program that protects your critical data and systems.

What is cybersecurity risk? Threat x vulnerability x consequence

To better understand the risk formula and how it applies to cybersecurity risk, let’s first break down its component parts:

Threat

There are many threat actors out there, including nation states, criminal syndicates and enterprises, hacktivists, insiders, and lone wolf actors. These threat actors are driven by a variety of motivations, including financial gain, political statements, corporate or government espionage, and military advantage.

Vulnerability

Threat actors are able to launch cyber attacks through the exploitation of vulnerabilities. In cybersecurity, a vulnerability is a weakness in a process, a procedure, or a technology.

For example, an employee may choose to exploit their familiarity with internal processes, procedures, or technology, such as their knowledge of the following:

  • Everyone in their company uses the password “12345.”
  • User names consist of an employee’s first and last name.
  • Their organization is very lax on additional security controls like multifactor authentication.

This failure in both process and technology could then be exploited by said insider. And, of course, there are a number of vulnerabilities in both hardware and software that can be exploited from the outside, such as unpatched software, unsecured access points, misconfigured systems, and so on.

Consequence

The consequence is the harm caused to an exploited organization by a cyberattack — from a loss of sensitive data, to a disruption in a corporate network, to physical electronic damage. Consequences from a cybersecurity incident not only affect the machine or data that was breached — they also affect the company’s customer base, reputation, financial standing, and regulatory good-standing. These can be considered direct and indirect costs.

For instance, if your company handles a great deal of sensitive information and that information is breached for malicious purposes, you may lose many customers. This is a direct consequence. But once word spreads of this violation of your customers’ privacy, other potential customers may be wary and choose not to employ your services. This is an indirect consequence. Both direct and indirect consequences can be very costly to an organization.

Cybersecurity risk management: 4 Things to focus on

Understanding the definition of cybersecurity risk as laid out by the risk formula is helpful, but ensuring that you can properly manage this risk is another issue entirely.

Threat actors are becoming increasingly sophisticated and vulnerabilities are constantly emerging. Consequently, it’s more a case of when, not if, your organization is attacked. Given this fact, in addition to stringent security controls on your endpoints, we recommend that your cybersecurity risk management program also focuses on mitigating the potential consequences of a cyber attack.

Here are four best practices you can begin working on (or continue working on) today to develop a robust cybersecurity risk management program.

1. Ensure that your senior management is involved

Security has become a market differentiator in recent years. Companies will win and lose contracts because of cybersecurity alone. Furthermore, it’s difficult to get departmental buy-in without ensuring that the top individuals in your organization are supporting a push for reducing cyber risk. Therefore, it’s critical that senior executives and Board members are involved in cybersecurity and risk management conversations.

2. Identify your material data

Material data is the data you care about most. This can vary by industry or line of business to include sensitive customer, constituent, or patient information; intellectual property data; consumer data; or even the data that ensures the reliable operations of your IT systems or manufacturing capabilities.

3. Limit the number of people who have privileged access to sensitive data

When individuals in your organization, or even across your partner or third-party network, are given access to privileged information or vital data, there are several steps that should be taken to govern and monitor that access.

First, identify the data that each employee has access to. Next, determine whether it’s necessary for each of those individuals to have that level of access. If access is unnecessary, put in place measures to limit access to sensitive data. Finally, it’s important to closely monitor those who retain access to highly sensitive data and information, including your vendors, to ensure that the information is only used for necessary purposes.
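The four steps above map directly onto a least-privilege access review: build an inventory of who can reach what, compare each grant against what the person's role actually needs, revoke the rest, and keep a watchlist of whoever still holds sensitive access so their usage can be monitored. The following is an added example (not BitSight's code or tooling) that runs that review over a constructed grant inventory and access log; the roles, users, dataset names and the 500-record bulk-read threshold are all hypothetical.

```python
"""Least-privilege access review over a constructed access inventory.

Added example: the data below is constructed for illustration and the
role model, dataset names and threshold are assumptions, not a real policy.
"""
from collections import defaultdict

# Step 2 input: which datasets each role legitimately needs (constructed).
ROLE_NEEDS = {
    "billing": {"customer_pii", "invoices"},
    "support": {"customer_pii"},
    "vendor_analyst": {"reports"},  # hypothetical third-party role
}

# Step 1 input: current grants as (user, role, dataset) tuples (constructed).
GRANTS = [
    ("alice", "billing", "customer_pii"),
    ("alice", "billing", "invoices"),
    ("bob", "support", "customer_pii"),
    ("bob", "support", "invoices"),                  # not justified by role
    ("vendor1", "vendor_analyst", "customer_pii"),   # not justified by role
    ("vendor1", "vendor_analyst", "reports"),
]

# Datasets the organization classes as material / highly sensitive.
SENSITIVE_DATASETS = {"customer_pii"}

# Step 4 input: access log as (user, dataset, records_read) (constructed).
ACCESS_LOG = [
    ("alice", "customer_pii", 12),
    ("bob", "customer_pii", 950),    # bulk read of sensitive data
    ("vendor1", "reports", 3),
]


def inventory(grants):
    """Step 1: map each user to the set of datasets they can reach."""
    reach = defaultdict(set)
    for user, _role, dataset in grants:
        reach[user].add(dataset)
    return dict(reach)


def excess_grants(grants, role_needs):
    """Step 2: grants that the holder's role does not justify.

    An unknown role has no justified datasets, so all of its grants are excess.
    """
    excess = []
    for user, role, dataset in grants:
        if dataset not in role_needs.get(role, set()):
            excess.append((user, dataset))
    return sorted(excess)


def apply_revocations(grants, excess):
    """Step 3: drop the unjustified grants and return the reduced list."""
    drop = set(excess)
    return [g for g in grants if (g[0], g[2]) not in drop]


def watchlist(grants, sensitive):
    """Step 4: users (staff or vendors) who still hold sensitive access."""
    return sorted({user for user, _role, dataset in grants if dataset in sensitive})


def bulk_reads(log, sensitive, threshold):
    """Step 4: flag reads of sensitive datasets at or above a volume threshold."""
    return [entry for entry in log if entry[1] in sensitive and entry[2] >= threshold]


def run_review(grants=GRANTS, role_needs=ROLE_NEEDS, log=ACCESS_LOG,
               sensitive=SENSITIVE_DATASETS, threshold=500):
    """Run all four steps and return what an access reviewer would act on."""
    excess = excess_grants(grants, role_needs)
    reduced = apply_revocations(grants, excess)
    return {
        "revoke": excess,
        "watchlist": watchlist(reduced, sensitive),
        "bulk_reads": bulk_reads(log, sensitive, threshold),
    }


if __name__ == "__main__":
    for key, value in run_review().items():
        print(f"{key}: {value}")
```

The review deliberately keys justification on role rather than on individual requests, so a grant that outlives a role change shows up automatically on the next run; the bulk-read check is only one of many usage signals, but it illustrates why the watchlist has to exist at all.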

Learn more about the do’s and don'ts of sharing sensitive information with vendors.

4. Implement the right technology

Having the right cybersecurity risk management tool makes all the difference. An ideal system enables you to monitor both the performance of your own security program and that of your third parties in real time (or at least daily).

With real-time monitoring, it becomes easier to keep up with today’s cyberthreats. For instance, BitSight allows you to monitor your organization's and your vendors’ Security Ratings, which gives you a good indication of overall security posture. If that number changes — for better or for worse — you’ll have a good sense of whether or not your organization may have been negatively impacted by a cybersecurity incident or if your third parties are putting adequate controls in place to protect your data and improve their security.

Mitigate your cyber risk

There’s no doubt that cybersecurity risk management is a long, ongoing process. That being said, it’s important not to get fatigued or think cybersecurity risk is something you can pass along to IT and forget about. Cybersecurity affects the entire organization, and in order to mitigate your cyber risk, you’ll need to onboard the help of multiple departments and multiple roles. Your finance team could play just as large of a role as your IT team in some areas.

More importantly, if you fail to take the right precautions, your company, customers, and vendors could all pay the price. View this guide to learn about 16 valuable, easy-to-understand cybersecurity risk KPIs that can be integrated into a dashboard for any member of an organization who wants to become more aware of cyber risk.
