What is Cybersecurity Risk and How Can You Manage It?
Melissa Stevens | January 10, 2017
This post was updated on January 27, 2020.
In the world of risk management, risk is commonly defined as threat times vulnerability times consequence. The objective of risk management is to mitigate vulnerabilities to threats and the potential consequences, thereby reducing risk to an acceptable level. When applied to cybersecurity, this equation provides a great deal of insight on steps organizations can take to mitigate risk.
In this article, we’ll propose a definition of cybersecurity risk as laid out by the risk formula, and best practices your organization can take to implement a cybersecurity risk management program that protects your critical data and systems.
What is cybersecurity risk? Threat x vulnerability x consequence
To better understand the risk formula and how it applies to cybersecurity risk, let’s first break down its component parts:
There are many threat actors out there, including nation states, criminal syndicates and enterprises, hacktivists, insiders, and lone wolf actors. These threat actors play on a variety of motivations, including financial gain, political statements, corporate or government espionage, and military advantage.
Threat actors are able to launch cyber attacks through the exploitation of vulnerabilities. In cybersecurity, these vulnerabilities deal with a process, procedure, or technology.
For example, an employee may choose to exploit their familiarity with internal processes, procedures, or technology such as their knowledge of the following:
Everyone in their company uses the password “12345.”
User names consist of an employee’s first and last name.
Their organization is very lax on additional security controls like multifactor authentication.
This failure in both process and technology could then be exploited by said insider. And, of course, there are a number of vulnerabilities in both hardware and software that can be exploited from the outside, such as unpatched software, unsecured access points, misconfigured systems, and so on.
The consequence is the harm caused to an exploited organization by a cyberattack — from a loss of sensitive data, to a disruption in a corporate network, to physical electronic damage. Consequences from a cybersecurity incident not only affect the machine or data that was breached — they also affect the company’s customer base, reputation, financial standing, and regulatory good-standing. These can be considered direct and indirect costs.
For instance, if your company handles a great deal of sensitive information and that information is breached for malicious purposes, you may lose a great deal of customers. This is a direct consequence. But once word spreads of this violation of your customer’s privacy, other potential customers may be wary and choose not to employ your services. This is an indirect consequence. Both direct and indirect consequences can be very costly to an organization.
Cybersecurity risk management: 4 Things to focus on
Understanding the definition of cybersecurity risk as laid out by the risk formula is helpful, but ensuring that you can properly manage this risk is another issue entirely.
Threat actors are becoming increasingly sophisticated and vulnerabilities are constantly emerging. Consequently, it’s more a case of when — not if — your organization is attacked. Given this fact, in addition to stringent security controls on your endpoints, we recommend that your cybersecurity management risk program also focuses on mitigating the potential consequences of a cyber attack.
Here are four best practices you can begin working on (or continue working on) today to develop a robust cybersecurity risk management program.
1. Ensure that your senior management is involved
Security has become a market differentiator in recent years. Companies will win and lose contracts because of cybersecurity alone. Furthermore, it’s difficult to get departmental buy-in without ensuring that the top individuals in your organization are supporting a push for reducing cyber risk. Therefore, it’s critical that senior executives and Board members are involved in cybersecurity and risk management conversations.
2. Identify your material data
Material data is the data you care about most. This can vary by industry or line of business to include sensitive customer, constituent, or patient information; intellectual property data; consumer data; or even the data that ensures the reliable operations of your IT systems or manufacturing capabilities.
3. Limit the number of people who have privileged access to sensitive data
When individuals in your organization, or even across your partner or third-party network, are given access to privileged information or vital data, there are several steps that should be taken to monitor and observe their behavior.
First, identify the data that each employee has access to. Next, determine whether it’s necessary for each of those individuals to have that level of access. If access is unnecessary, put in place measures to limit access to sensitive data. Finally, it’s important to closely monitor those who have access to highly sensitive data and information, including your vendors, to ensure that the information is only used for necessary purposes.
Having the right cybersecurity risk management tool makes all the difference. An ideal system enables you to monitor both the performance of your own security program and that of your third parties in real time (or at least daily).
With real-time monitoring, it becomes easier to keep up with today’s cyberthreats. For instance, BitSight allows you to monitor your organization's and your vendors’ Security Ratings, which gives you a good indication of overall security posture. If that number changes — for better or for worse — you’ll have a good sense of whether or not your organization may have been negatively impacted by a cybersecurity incident or if your third parties are putting adequate controls in place to protect your data and improve their security.
Mitigate your cyber risk
There’s no doubt that cybersecurity risk management is a long, ongoing process. That being said, it’s important not to get fatigued or think cybersecurity risk is something you can pass along to IT and forget about. Cybersecurity affects the entire organization, and in order to mitigate your cyber risk, you’ll need to onboard the help of multiple departments and multiple roles. Your finance team could play just as large of a role as your IT team in some areas.
If you’re using a “one-size fits all” approach to managing your vendor lifecycle, you are missing opportunities to save money and operate more efficiently. Vendor management efficiencies don’t end in the onboarding stage: using a...
If you’re experiencing frustrating delays and procedural roadblocks during your vendor management process, you’re not alone. Security managers are seeing an increase in the number of third-parties integrating with their business, and ...
During this dynamic and stressful workplace environment 2020 has brought us, finding the most efficient ways to perform in your job has never been more important. When it comes to managing your vendor lifecycle, there are three ways you...