
Cybersecurity Risk: A Thorough Definition

Melissa Stevens | January 10, 2017

Risk is commonly defined as threat times vulnerability times consequence. This formula applies to anything that could be exposing you to danger, but when applied to cybersecurity—the unique risks individuals and businesses face as a result of using interconnected technological systems—it provides us with a great deal of insight on risk mitigation.

A Thorough Definition Of Cybersecurity Risk: Threat x Vulnerability x Consequence

Threat

There is a range of threat actors out there, including nation states, criminal syndicates and enterprises, hacktivists, insiders, and lone wolf actors. These threat actors act on a variety of motivations, including financial gain, political statements, corporate or government espionage, and military advantage.

Vulnerability

Threat actors are able to launch cyber attacks through the exploitation of vulnerabilities. In cybersecurity, these vulnerabilities lie in a process, a procedure, or a technology.

For example, an insider could know that:

  • Everyone in their company uses the password “12345.”
  • Usernames consist of an employee’s first and last name.
  • Their organization is very lax on additional security controls like multifactor authentication.

This failure in both process and technology could then be exploited by said insider. And, of course, there are a number of vulnerabilities in both hardware and software that can be exploited from the outside.

Consequence

The consequence is the harm caused to an exploited organization—from a loss of sensitive data, to a disruption in a corporate network, to physical electronic damage. Consequences from a cybersecurity incident do not only affect the machine or data that was breached—they also affect the company’s customer base and society in general. These can be considered direct and indirect costs.

For instance, if your company handles a great deal of sensitive information and something happens to that information, you may lose a great deal of customers. This is a direct consequence. But once word spreads of this violation of your customers’ privacy, other potential customers may be wary and choose not to employ your services. This is an indirect consequence. Both direct and indirect consequences can be very costly to an organization.

Cybersecurity Risk Management: 4 Things To Focus On

Understanding the definition of cybersecurity risk as laid out by the risk formula is helpful, but ensuring that you can properly manage cybersecurity is another issue entirely. You already know that you want to keep threat actors from accessing sensitive data—but the challenge is that many of those threat actors can be extremely sophisticated.

“Yes” or “no” questions won’t help you better understand your vendors’ (or your own) cybersecurity posture—but actionable metrics will.

For this reason, cybersecurity management comes down to the data you’re trying to protect. There are always going to be vulnerabilities and threat actors—so focusing on lessening the potential consequence is your best course of action.

Here are four best practices you can begin working on (or continue working on) today to help your security program.

1. Ensure that your senior management is involved.

Security has become a market differentiator in recent years. Companies will win and lose contracts because of cybersecurity alone. Furthermore, it’s difficult to get departmental buy-in without ensuring that the top individuals in your organization are supporting a push for reducing cyber risk. Therefore, senior executives and board members are going to have to be involved in the conversation around cybersecurity risk management.

2. Identify your material data.

Material risk does not include a run-of-the-mill cyber incident where a few records are compromised. This is a frustration—but however unfortunate, it wouldn’t make a critical impact on your day-to-day business operations. The data you care most about is your material data. Depending on your line of business, this could be a number of different things, including sensitive customer information, customer data, intellectual property, or trade secrets. It could even be the reliable operations of your IT systems or manufacturing capabilities.

3. Limit the number of people who have privileged access to sensitive data.

When individuals in your organization are given access to privileged information or vital data, there are several steps that should be taken to monitor and observe their behavior. First, you’d want to find out what every employee has access to and determine whether it’s necessary for each of those individuals to have that level of access. You would then want to limit access to those who have it unnecessarily. Finally, it’s important to closely monitor those who have necessary access to highly sensitive data and information to ensure that the information is only used for necessary purposes.
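As an added illustration of the three steps above (example code, not part of the original post, using constructed sample data): given who currently holds which entitlement and what each role actually needs, it computes the sensitive grants to revoke and the justified ones to keep under monitoring.

```python
# Constructed sample data (not from the article): who currently holds which
# entitlement, each person's role, and what each role actually needs.
CURRENT_ACCESS = {
    "alice": {"crm-read", "crm-admin", "payroll-db"},
    "bob": {"crm-read"},
    "carol": {"payroll-db", "source-repo-admin"},
    "dave": {"source-repo-admin", "crm-admin"},
}
ROLE_OF = {"alice": "sales", "bob": "sales", "carol": "finance", "dave": "engineering"}
ROLE_NEEDS = {
    "sales": {"crm-read"},
    "finance": {"payroll-db"},
    "engineering": {"source-repo-admin"},
}
# Entitlements that reach the organisation's material data (step 2 of the
# article); only these are in scope for the privileged-access review.
SENSITIVE = {"crm-admin", "payroll-db", "source-repo-admin"}


def review_access(current, role_of, role_needs, sensitive):
    """Return (revoke, monitor).

    revoke:  sensitive grants a person holds that their role does not justify
    monitor: sensitive grants that are justified and so need ongoing monitoring
    A person with no known role is treated as needing nothing.
    """
    revoke, monitor = {}, {}
    for user, grants in current.items():
        needed = role_needs.get(role_of.get(user), set())
        unnecessary = (grants - needed) & sensitive
        justified = grants & needed & sensitive
        if unnecessary:
            revoke[user] = sorted(unnecessary)
        if justified:
            monitor[user] = sorted(justified)
    return revoke, monitor


if __name__ == "__main__":
    to_revoke, to_monitor = review_access(CURRENT_ACCESS, ROLE_OF, ROLE_NEEDS, SENSITIVE)
    for user, grants in to_revoke.items():
        print(f"revoke  {user}: {', '.join(grants)}")
    for user, grants in to_monitor.items():
        print(f"monitor {user}: {', '.join(grants)}")
```

In the sample, alice loses two sensitive grants her sales role never needed, while carol's payroll access and dave's repository admin rights stay but go on the monitoring list.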

4. Implement the right technology.

Having the right cybersecurity risk management tool makes all the difference. An ideal system enables you to monitor your third parties in real time (or at least daily). Real-time monitoring is what you need to keep up with today’s cyberthreats. For instance, BitSight allows you to monitor your vendors’ and your own Security Ratings, which gives you a good indication of overall security posture. If that number changes—for better or for worse—you’ll have a good sense of whether or not your organization may have been negatively impacted by a cybersecurity incident or if your third parties are putting adequate controls in place to protect your data and improve their security.

In Summary

Yes, cybersecurity risk management is a long process, and it’s an ongoing one. You’re never “done” with it. That being said, it’s important not to get fatigued immediately or think cybersecurity risk is something you can pass along to IT and forget about. Cybersecurity affects the entire organization, and in order to mitigate your cyber risk, you’ll need to onboard the help of multiple departments and multiple roles. Your finance team could play just as large of a role as your IT team in some areas!

More importantly, if you fail to take the right precautions, your company—and customers and vendors—could all pay the price. If you need a place to start, download this free guide. It walks you through three ways you might experience a cybersecurity incident, twelve specific cybersecurity metrics you can put into place in your organization, and detailed explanations of how and why you (and your vendors) should monitor these metrics.
