CYBER RISK & RISK ASSESSMENTS

Cyber risk is the likelihood of suffering a negative disruption to sensitive data, finances, or online business operations, and it most commonly materializes as a data breach (Tunggal, 2022). Common sources of cyber risk include ransomware, data leaks, phishing, malware, insider threats, and other cyber attacks. Cyber risk is nothing new: if you are in the IT field, you are in the business of risk management (Tunggal, 2022). The National Institute of Standards and Technology (NIST) has published a Cybersecurity Framework to help organizations manage it.

According to the article “How to Perform a Cyber Security Risk Assessment” by Abi Tyas Tunggal, cyber risks are categorized as high, medium, low, or zero risk. A risk assessment is driven by three questions:

1.     What is the threat?

2.     How vulnerable is the system?

3.     What is the financial or reputational damage if the system security is breached?

Combining these three factors gives a high-level cyber risk calculation:

Cyber Risk = Threat x Vulnerability x Information Value

There are many reasons to perform a cyber risk assessment and few reasons not to. For starters, identifying and mitigating system vulnerabilities saves the company money and possible reputational damage. Once created, a risk assessment can be reused, even with high personnel turnover, giving the company a repeatable process. Knowing your company’s vulnerabilities gives a solid path to pinpointing where security needs to improve. Regulatory fines following a data breach can be reduced or avoided if the company can show it complied with the applicable standards, such as HIPAA, PCI DSS, or APRA CPS 234. Assessing and mitigating risk helps avoid system downtime, keeping staff productive and customers served. Lastly, assessing risk helps protect trade secrets, source code, and other key information from loss (Tunggal, 2022).

All companies should perform a risk assessment against their system vulnerabilities. Larger companies may have the security personnel in house to perform it. Smaller companies can hire a security team or service, or contract out this task. Essentially all businesses have a legal obligation to implement a “reasonable security posture” (Alliant Cybersecurity, 2019), and risk assessments are part of that posture.

At a high-level, these are the steps to performing a risk assessment:

1.     Determine the value of your information and limit the scope of the assessment to the company’s most business-critical assets.

2.     Identify and prioritize assets, giving the highest-value assets priority, and fix the scope of the assessment accordingly.

3.     Identify cyber threats, recognizing that not all of them are technical. They include natural disasters, system failure, human error, adversarial threats, unauthorized access, misuse of information by authorized users, data leaks, loss of data, and service interruptions (Tunggal, 2022).

4.     Identify the vulnerabilities that would let each threat cause harm, and mitigate them as far as possible.

5.     Analyze existing controls, and implement new controls through hardware, software, encryption, intrusion detection systems (IDS), two-factor authentication, automatic updates, continuous data leak detection, security policies, and physical locks or keycards.

6.     For each scenario, estimate the likelihood that it occurs in a given year and the impact if it does.

7.     Rate each risk (high, medium, or low) by weighing the value of the information at risk against the cost of the controls that would protect it.

8.     Document the results from the risk assessment report to aid management in making decisions on policies, budget, and procedures.
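As an added worked example (this is not code from Tunggal’s article or from this page), the eight steps above carried through on a small register in Python. The assets, dollar values, likelihoods, controls and control costs are all constructed for illustration; the rating thresholds are an assumption; and the quantitative part uses the standard single loss expectancy (SLE) and annualized loss expectancy (ALE = SLE × ARO) formulas rather than anything the article prescribes. The point it shows that the list alone does not is that the qualitative Threat × Vulnerability ordering and the annualized-loss ordering can disagree (a “Low” flood scenario outranks an insider scenario once the asset value is folded in), and that a control is only worth funding when the loss it removes exceeds its own annual cost.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    value: float  # information value in dollars (replacement plus breach cost); constructed


@dataclass(frozen=True)
class Risk:
    asset: Asset
    threat: str
    threat_level: int       # 0-5: how capable and active the threat is (step 3)
    vulnerability: int      # 0-5: how exposed the system is (step 4)
    exposure_factor: float  # fraction of asset value lost in one incident (step 6)
    aro: float              # annualized rate of occurrence, incidents per year (step 6)
    control: str = "none"   # candidate control (step 5)
    control_cost: float = 0.0       # annual cost of the control (step 7)
    control_reduction: float = 0.0  # fraction of incidents the control prevents

    def qualitative_score(self) -> int:
        """Threat x Vulnerability; the information-value term is applied in ale() instead."""
        return self.threat_level * self.vulnerability

    def rating(self) -> str:
        return rate(self.qualitative_score())

    def sle(self) -> float:
        """Single loss expectancy: value lost in one incident."""
        return self.asset.value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: expected loss per year (ALE = SLE x ARO)."""
        return self.sle() * self.aro

    def residual_ale(self) -> float:
        """Expected annual loss that remains after the control is in place."""
        return self.ale() * (1.0 - self.control_reduction)

    def control_net_benefit(self) -> float:
        """Loss removed per year minus what the control costs per year."""
        return self.ale() - self.residual_ale() - self.control_cost


def rate(score: int) -> str:
    # Thresholds are an assumption; tune them to the organization's risk appetite.
    if score == 0:
        return "Zero"
    if score <= 6:
        return "Low"
    if score <= 14:
        return "Medium"
    return "High"


def build_register() -> List[Risk]:
    """Constructed sample register (steps 1-2: assets valued, scope limited to three)."""
    customer_db = Asset("customer-db", 500_000)
    website = Asset("public-website", 50_000)
    hr_share = Asset("hr-fileshare", 120_000)
    return [
        Risk(customer_db, "ransomware", 5, 4, 0.6, 0.5, "offline backups + EDR", 40_000, 0.8),
        Risk(website, "DDoS", 4, 2, 0.2, 2.0, "DDoS scrubbing service", 25_000, 0.9),
        Risk(hr_share, "insider misuse", 2, 3, 0.25, 0.2, "least-privilege review", 3_000, 0.75),
        Risk(customer_db, "flood (natural disaster)", 1, 1, 1.0, 0.02),
    ]


def rank_by_score(register: List[Risk]) -> List[Tuple[str, str, int]]:
    """Qualitative ordering from Threat x Vulnerability, highest first."""
    return sorted(((r.asset.name, r.threat, r.qualitative_score()) for r in register),
                  key=lambda t: t[2], reverse=True)


def rank_by_ale(register: List[Risk]) -> List[Tuple[str, str, float]]:
    """Quantitative ordering from expected annual loss, highest first."""
    return sorted(((r.asset.name, r.threat, r.ale()) for r in register),
                  key=lambda t: t[2], reverse=True)


def control_decisions(register: List[Risk]) -> List[Tuple[str, str, float, str]]:
    """Step 7: fund a control only when it removes more expected loss than it costs."""
    out = []
    for r in register:
        if r.control == "none":
            out.append((r.threat, r.control, 0.0, "accept or transfer (no control proposed)"))
            continue
        net = r.control_net_benefit()
        out.append((r.threat, r.control, net, "implement" if net > 0 else "reject or find a cheaper control"))
    return out


def report(register: List[Risk]) -> str:
    """Step 8: a plain-text summary for management, ranked by expected annual loss."""
    lines = [f"{'Asset':<16}{'Threat':<26}{'Rating':<8}{'ALE/yr':>12}"]
    for name, threat, ale in rank_by_ale(register):
        rating = next(r.rating() for r in register if r.asset.name == name and r.threat == threat)
        lines.append(f"{name:<16}{threat:<26}{rating:<8}{ale:>12,.0f}")
    lines.append("")
    for threat, control, net, decision in control_decisions(register):
        lines.append(f"{threat:<26}{control:<24}net {net:>10,.0f}/yr  -> {decision}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(build_register()))
```

Running the script prints the ranked register and a decision per control. In the constructed data the ransomware control pays for itself several times over, the DDoS scrubbing service costs more per year than the loss it prevents, and the flood scenario has no control proposed and so is left for management to accept or transfer (for example through insurance).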

“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle” (Sun Tzu, 2017). Performing a risk assessment is an important step in knowing your company’s vulnerabilities, and therefore in developing a cyber security strategy. Companies that have not done a risk assessment do not truly know themselves or their vulnerabilities, and can therefore be compromised and attacked more easily.

References

Alliant Cybersecurity. (2019, October 18). Cyber security risk: What does a "reasonable" posture entail? Retrieved March 16, 2022, from https://www.alliantcybersecurity.com/cybersecurity-risk-what-does-a-reasonable-posture-entail-and-who-says-so/

Tzu, S. (2017). The Art of War. Tuttle Publishing.

Tunggal, A. T. (2022, January 23). How to perform a cyber security risk assessment. UpGuard. Retrieved March 23, 2022, from https://www.upguard.com/blog/cyber-security-risk-assessment
