Request your free Security Rating Snapshot to find the gaps in your security program and how you compare to others in your industry.
This post was updated on January 27, 2020.
In the world of risk management, risk is commonly defined as threat times vulnerability times consequence. The objective of risk management is to mitigate vulnerabilities to threats and the potential consequences, thereby reducing risk to an acceptable level. When applied to cybersecurity risk, this equation provides a great deal of insight on steps organizations can take to mitigate risk.
In this article, we’ll propose a definition of cybersecurity risk as laid out by the risk formula, and best practices your organization can take to implement a cyber security risk management program that protects your critical data and systems.
What is cybersecurity risk? Threat x vulnerability x consequence
To better understand the risk formula and how it applies to cybersecurity risk, let’s first break down its component parts:
There are many threat actors out there, including nation states, criminal syndicates and enterprises, hacktivists, insiders, and lone wolf actors. These threat actors play on a variety of motivations, including financial gain, political statements, corporate or government espionage, and military advantage.
Threat actors are able to launch cyber attacks through the exploitation of vulnerabilities. In cybersecurity, these vulnerabilities deal with a process, procedure, or technology.
For example, an employee may choose to exploit their familiarity with internal processes, procedures, or technology such as their knowledge of the following:
- Everyone in their company uses the password “12345.”
- User names consist of an employee’s first and last name.
- Their organization is very lax on additional security controls like multifactor authentication.
This failure in both process and technology could then be exploited by said insider. And, of course, there are a number of vulnerabilities in both hardware and software that can be exploited from the outside, such as unpatched/outdated software, unsecured access points, misconfigured systems, and so on.
The consequence is the harm caused to an exploited organization by a cyberattack — from a loss of sensitive data, to a disruption in a corporate network, to physical electronic damage. Consequences from a cybersecurity incident not only affect the machine or data that was breached — they also affect the company’s customer base, reputation, financial standing, and regulatory good-standing. These can be considered direct and indirect costs.
For instance, if your company handles a great deal of sensitive information and that information is breached for malicious purposes, you may lose a great deal of customers. This is a direct consequence. But once word spreads of this violation of your customer’s privacy, other potential customers may be wary and choose not to employ your services. This is an indirect consequence. Both direct and indirect consequences can be very costly to an organization.
Cybersecurity risk management: 4 Things to focus on
Understanding the definition of cyber security risk as laid out by the risk formula is helpful, but ensuring that you can properly manage this risk is another issue entirely.
Threat actors are becoming increasingly sophisticated and vulnerabilities are constantly emerging. Consequently, it’s more a case of when — not if — your organization is attacked. Given this fact, in addition to stringent security controls on your endpoints, we recommend that your cyber security management risk program also focuses on mitigating the potential consequences of a cyber attack.
Here are four best practices you can begin working on (or continue working on) today to develop a robust cyber security risk management program.
1. Ensure that your senior management is involved
Security has become a market differentiator in recent years. Companies will win and lose contracts because of cybersecurity alone. Furthermore, it’s difficult to get departmental buy-in without ensuring that the top individuals in your organization are supporting a push for reducing cyber risk. Therefore, it’s critical that senior executives and Board members are involved in cybersecurity and risk management conversations.
2. Identify your material data
Material data is the data you care about most. This can vary by industry or line of business to include sensitive customer, constituent, or patient information; intellectual property data; consumer data; or even the data that ensures the reliable operations of your IT systems or manufacturing capabilities.
3. Limit the number of people who have privileged access to sensitive data
When individuals in your organization, or even across your partner or third-party network, are given access to privileged information or vital data, there are several steps that should be taken to monitor and observe their behavior.
First, identify the data that each employee has access to. Next, determine whether it’s necessary for each of those individuals to have that level of access. If access is unnecessary, put in place measures to limit access to sensitive data. Finally, it’s important to closely monitor those who have access to highly sensitive data and information, including your vendors, to ensure that the information is only used for necessary purposes.
Learn more about the do’s and don'ts of sharing sensitive information with vendors.
4. Implement the right technology
Having the right cyber security risk management tool makes all the difference. An ideal system enables you to monitor both the performance of your own security program and that of your third parties in real time (or at least daily).
With real-time monitoring, it becomes easier to keep up with today’s cyber threats. For instance, BitSight allows you to monitor your organization's and your vendors’ Security Ratings, which gives you a good indication of overall security posture. If that number changes — for better or for worse — you’ll have a good sense of whether or not your organization may have been negatively impacted by a cybersecurity incident or if your third parties are putting adequate cybersecurity controls in place to protect your data and improve their security.
Mitigate your cyber risk
There’s no doubt that cyber security risk management is a long, ongoing process. That being said, it’s important not to get fatigued or think cybersecurity risk is something you can pass along to IT and forget about. Cybersecurity affects the entire organization, and in order to mitigate your cyber risk, you’ll need to onboard the help of multiple departments and multiple roles. Your finance team could play just as large of a role as your IT team in some areas.
More importantly, if you fail to take the right precautions, your company, customers, and vendors could all pay the price. As organizations who moved to remote work in 2020 look to maintain a remote workforce into 2021 and beyond, monitoring your third party attack surface is essential.