Risk management is a concept that has been around as long as companies have had assets to protect. The simplest example may be insurance. Life, health, auto, and other insurance are all designed to help a person protect against losses.
Risk management also extends to physical devices, such as doors and locks to protect homes and vehicles, vaults to safeguard money and precious jewels, and police, fire, and CCTV to protect against other physical risks.
As data and IT infrastructure become more valuable by the day, cybersecurity risk management is increasingly important for enterprises with a steep cost for noncompliance or extensive, unaddressed vulnerabilities. This article looks at cybersecurity risk management, establishing a risk management system, and best practices for building resilience.
What is Cybersecurity Risk Management?
Cybersecurity attacks can compromise systems, steal data and other valuable company information, and damage an enterprise’s reputation. As the volume and severity of cyber attacks grow, the need for cybersecurity risk management grows with it. IT departments rely on a combination of strategies, technologies, and user awareness training to protect an enterprise organization.
Cybersecurity risk management takes the idea of traditional risk management and applies it to digital systems and infrastructure. It involves identifying your risks and vulnerabilities and using administrative actions and comprehensive solutions to ensure your organization is adequately protected.
Setting Up Your Risk Management System
What IT Assets Need Protection?
Before setting up a cybersecurity risk management system, the enterprise must determine what assets it needs to protect and prioritize. As the National Institute of Standards and Technology (NIST) points out in its Framework for Improving Critical Infrastructure Cybersecurity, there is no one-size-fits-all solution.
Maintaining Regulatory Compliance
Different organizations have different technology infrastructures and different potential risks. Some organizations, such as financial services firms and healthcare organizations, have regulatory concerns in addition to business concerns that need addressing in a cybersecurity risk management system. Cybersecurity should follow a layered approach, with additional protections for the most critical assets, such as corporate and customer data. Remember that reputational harm from a breach can damage more than the breach itself.
Documenting and Implementing Procedures
Citrix recommends that organizations fully document and implement controls for all activities that may create cybersecurity risk. Corporate cybersecurity programs must employ industry-leading practices in line with ISO 27001/27002. Typical programs include hardware and software implementations with change management oversight and non-production testing and evaluation.
Risk Management Process
Start with a cybersecurity framework developed from each area of the business to determine the company’s desired risk posture.
Mapping Environment Data
Guidance Software recommends using new technologies to find and map data across the enterprise. Once data gets mapped, organizations can make decisions on how to govern specific data or systems and reduce their risk footprint.
For example, even with training and strong security culture, sensitive information can leave an organization simply by accident, such as data stored in hidden rows in spreadsheets or included in notes within employee presentations or long email threads. Scanning the enterprise for sensitive data at rest and then removing any data stored where it does not belong dramatically reduces the risk of an accidental loss of sensitive data.
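The scan for sensitive data at rest described above, as an added example that is not part of the original article or any vendor's product: it walks a set of text files, flags likely Social Security numbers and payment card numbers (validated with the Luhn check so random digit runs are not reported), and records only a masked form of each hit so the scan report itself does not become a new copy of the sensitive data. The file contents are constructed sample input; a real scan would read from shares and document stores.

```python
import re
from dataclasses import dataclass

# Constructed sample "files" standing in for documents found on a file share.
SAMPLE_FILES = {
    "finance/q3_budget_notes.txt": "Budget review. Contact J. Doe, SSN 123-45-6789, before Friday.",
    "hr/onboarding.csv": "name,start\nAlice,2022-01-10\nBob,2022-02-01",
    "sales/deck_speaker_notes.txt": "Card on file 4111 1111 1111 1111 expires 12/24. Do not share.",
    "eng/readme.md": "Build with make; nothing sensitive here.",
}

# US SSN: area not 000/666/9xx, group not 00, serial not 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13-19 digits optionally separated by spaces or hyphens; candidates are then Luhn-checked.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class Finding:
    path: str
    kind: str
    line: int
    masked: str  # only the last four digits survive in the report


def mask(value: str) -> str:
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_text(path: str, text: str) -> list:
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            findings.append(Finding(path, "ssn", lineno, mask(m.group())))
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"\D", "", m.group())
            if luhn_ok(digits):
                findings.append(Finding(path, "card", lineno, mask(digits)))
    return findings


def scan_files(files: dict) -> list:
    """Scan every file; returns the findings to triage (move, delete, or justify the data)."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line} {f.kind} {f.masked}")
```

Each finding is a location to act on: the note file and the speaker notes are the places where data "does not belong" in the article's sense, while the onboarding CSV and README produce nothing because dates and plain text do not match the patterns.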
Applying the Capability Maturity Model
Deloitte recommends that the risk management process follow the Capability Maturity Model (CMM) approach, with the following five levels:
- Initial: the starting point for the use of a new or undocumented repeat process
- Repeatable: process documented sufficiently for repeat attempts
- Defined: the function is defined and confirmed as a standard business process
- Managed: the process uses quantitative and agreed-upon metrics
- Optimizing: process management includes deliberate process improvement
Clients can use their findings to determine a baseline for their current risk posture and what the enterprise needs to do to move from the current state to the desired state of risk exposure. As long as proactive steps are taken to understand potential risks, there is less likelihood of risk exposure and of falling victim to a cybersecurity incident.
Deloitte also recommends doing a risk-reward calculation and prioritizing network security enhancements that will provide the most significant improvements at the lowest cost. Some enterprises may be comfortable with 99 percent of all security upgrades. Others will want to be closer to 100 percent, particularly in regulated industries.
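The baseline-to-target gap from the CMM levels above and the risk-reward prioritization described in this paragraph, as an added example that is not part of the original article or of Deloitte's methodology: each control carries a current and target maturity level, an estimated cost to close the gap, and an estimated risk reduction, and the enhancements are ranked by risk reduction per unit cost and selected until the budget is exhausted. The controls, levels, costs and reductions are constructed figures; the greedy ratio ranking is a common approximation and is not guaranteed to find the optimal set under a fixed budget (that is a knapsack problem).

```python
from dataclasses import dataclass

CMM_LEVELS = {1: "Initial", 2: "Repeatable", 3: "Defined", 4: "Managed", 5: "Optimizing"}


@dataclass(frozen=True)
class Control:
    name: str
    current: int          # assessed CMM level today (1..5)
    target: int           # desired CMM level
    cost: float           # estimated cost to reach the target (constructed units)
    risk_reduction: float # estimated loss avoided per year (constructed units)


# Constructed assessment results for a handful of controls.
ASSESSMENT = [
    Control("admin MFA", current=1, target=4, cost=20, risk_reduction=100),
    Control("patch automation", current=2, target=4, cost=40, risk_reduction=120),
    Control("network access control", current=1, target=3, cost=80, risk_reduction=160),
    Control("legacy OS isolation", current=2, target=3, cost=50, risk_reduction=50),
    Control("endpoint protection", current=4, target=4, cost=0, risk_reduction=0),
]


def maturity_gap(controls: list) -> dict:
    """Baseline: how many CMM levels each control still has to climb."""
    return {c.name: c.target - c.current for c in controls if c.target > c.current}


def prioritize(controls: list, budget: float) -> tuple:
    """Pick enhancements with the best risk reduction per cost that fit the budget.

    Returns (chosen names in order, total spent, total risk reduction).
    """
    candidates = [c for c in controls if c.target > c.current and c.cost > 0]
    ranked = sorted(candidates, key=lambda c: c.risk_reduction / c.cost, reverse=True)
    chosen, spent, avoided = [], 0.0, 0.0
    for c in ranked:
        if spent + c.cost <= budget:
            chosen.append(c.name)
            spent += c.cost
            avoided += c.risk_reduction
    return chosen, spent, avoided


def coverage(controls: list, chosen: list) -> float:
    """Share of the total available risk reduction the chosen set delivers (0..1)."""
    total = sum(c.risk_reduction for c in controls)
    got = sum(c.risk_reduction for c in controls if c.name in chosen)
    return got / total if total else 1.0


if __name__ == "__main__":
    print("gaps:", maturity_gap(ASSESSMENT))
    chosen, spent, avoided = prioritize(ASSESSMENT, budget=100)
    print("chosen:", chosen, "spent:", spent, "avoided:", avoided)
    print(f"coverage: {coverage(ASSESSMENT, chosen):.0%}")
```

With a budget of 100 the selection takes admin MFA and patch automation, leaving the two larger items for a later increment; the coverage figure is the kind of measurable goal the next section argues for.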
A Mature Risk Management System Takes Time
There should be incremental, measurable steps and goals (e.g., 5 percent improvement within six months) to determine whether the enterprise is progressing toward its planned cybersecurity risk posture. However, even minor security vulnerabilities can lead to significant losses if network systems can be entered from a seemingly unimportant area from which an intruder can reach more critical and sensitive systems and data.
The only way to make a system 100 percent secure is to ensure it isn’t accessible by anyone, which is impractical at best. The more locked down a system is, the harder it may be for authorized personnel to conduct business. If authorized users cannot access the systems or data they need to perform their jobs, they may look for workarounds that could compromise systems.
Risk Mitigation Steps
Among the cybersecurity precautions to consider:
- Limiting devices with Internet access
- Installing Network Access Control (NAC)
- Restricting access to admin credentials and the control rights for each administrator
- Automated patches for operating systems
- Limits for older operating systems (e.g., Windows XP or older; OS no longer supported)
- Firewalls to monitor and block malicious traffic
- Anti-virus programs and endpoint security
- Requiring two-factor authentication to gain access to specific files and systems
- Evaluating the governance structure to ensure checks and balances
- Limiting administrative privileges
Enhancing Risk Management
Encryption is not a new feature in databases, but today’s encryption capabilities require more to protect data from cybercriminals and insider threats. These features include granular role-based access, standards-based cryptography, advanced key management, granular separation of duties, and state-of-the-art algorithms that drastically decrease exposure.
Though data encryption is helpful against outside breaches, it does little to protect against internal data theft. Insiders with access to sensitive data will necessarily have the credentials to decrypt it. Companies must also guard against data removed from enterprise systems through removable media such as thumb drives and other means (see Top Full Disk Encryption Solutions of 2022).
Companies need to balance data protection with the ability to share it. Redaction enables companies to share information with minimal effort by concealing sensitive information, like names and social security numbers, from queries and updates.
While redaction is essential, companies need to do it based on an employee’s role at the element or property level. Companies also need to be able to implement custom and out-of-the-box rules.
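Role-based redaction at the field level with both out-of-the-box and custom rules, as an added example that is not part of the original article or of any product it mentions: each role maps fields to a masking function, fields without a rule pass through unchanged, an unknown role is denied by default (everything redacted), and new rules can be registered at runtime. The record and the role names are constructed.

```python
from typing import Callable, Dict

# Constructed customer row, standing in for a record returned by a query.
RECORD = {"name": "Jane Doe", "ssn": "123-45-6789", "email": "jane@example.com", "balance": 1520.75}

Redactor = Callable[[object], object]


def mask_ssn(v: object) -> str:
    return "***-**-" + str(v)[-4:]


def mask_name(v: object) -> str:
    return " ".join(part[0] + "." for part in str(v).split())


def mask_email(v: object) -> str:
    local, _, domain = str(v).partition("@")
    return local[0] + "***@" + domain


def drop(v: object) -> str:
    return "[REDACTED]"


# Out-of-the-box rules: per role, which fields are masked and how. A field with no
# rule is returned as stored, so every role's view is an explicit decision.
RULES: Dict[str, Dict[str, Redactor]] = {
    "support": {"ssn": mask_ssn, "balance": drop},
    "analyst": {"name": mask_name, "ssn": drop, "email": mask_email},
    "fraud_investigator": {},  # full view, granted deliberately
}


def add_rule(role: str, field: str, fn: Redactor) -> None:
    """Register a custom rule, e.g. from a policy file or admin UI."""
    RULES.setdefault(role, {})[field] = fn


def redact(record: dict, role: str) -> dict:
    """Apply the role's field-level rules; unknown roles see nothing (deny by default)."""
    if role not in RULES:
        return {k: "[REDACTED]" for k in record}
    rules = RULES[role]
    return {k: rules[k](v) if k in rules else v for k, v in record.items()}


if __name__ == "__main__":
    for role in ("support", "analyst", "fraud_investigator", "contractor"):
        print(role, redact(RECORD, role))
```

The deny-by-default branch is the important design choice: a role that was never configured gets no data rather than all of it, so a misspelled role name in a deployment fails closed.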
The Human Element
Beyond the technology precautions themselves, ongoing training and education about security threats are essential. Many hackers have moved beyond Trojans, viruses, and other malware to phishing and spear-phishing, targeting those with administrative rights and other individuals to get them to open executable files containing malware or to hand over credentials or sensitive personal or corporate data.
NIST recommends including cybersecurity information in company policies for company employees and business partners to know what is and what isn’t acceptable.
Just being on the Internet exposes an enterprise to cybersecurity risk. External and internal attempts to compromise an organization’s data occur regularly. So incident response plans should be in place to determine what actions to take if specific security incidents arise. Increasing hacker attempts at the enterprise or in the company’s industry mean heightened precautions would be wise.
Need for Incident Response Plan
If an actual breach occurs, the enterprise should have detailed plans covering whom to notify inside and outside the company, contact information for law enforcement, business suppliers, and customers, an action item checklist, a public relations response, etc. NIST offers a comprehensive incident response action plan.
Cybersecurity Solutions and Risk Management Services
Ideally, an organization will develop a comprehensive security posture that includes a combination of technologies such as firewalls, endpoint protection, intrusion prevention, threat intelligence, and access controls. To get there, organizations might want to consider risk management services for a comprehensive assessment and solution recommendations to maximize their security budget.
Several firms offer comprehensive risk management services. Among them:
- Booz Allen Hamilton
- Hewlett Packard Enterprise
Ongoing Development and Progress
Cybersecurity risk management is an ongoing process, something the NIST Framework recognizes in calling itself “a living document” intended to be revised and updated as needed.
Once an enterprise conducts its original risk assessment and advances from the current to the desired risk posture, regular, periodic inspections are essential to look for new vulnerabilities and threats and to address findings, so that the risk posture stays continually at the desired level.
This article was originally published on March 31, 2017, and updated by Sam Ingalls on February 13, 2022.