In 2020, many organizations pivoted their business models due to the pandemic. If you're one of these companies, you may have developed new processes and procedures that allowed you to safely continue operations and maintain high customer service levels. Now that the dust has begun to settle, it is an excellent opportunity to evaluate or reevaluate any new cybersecurity risks that could have been created by these changes. In this article, we offer practical guidance on how to classify and measure your cybersecurity risks for effective cybersecurity risk management.
Modern Technology Risks
Before the days of the cloud (pre-2008), technology risks were generally associated with a physical facility disaster like a fire, flood, or nor'easter. Since everything lived within the company's four walls (servers, files, applications, etc.), an event like a building fire could mean absolute devastation. To mitigate that risk, appropriate controls were put in place for the situation, such as off-site backup tapes (air-gap solution) and disaster recovery centers.
Fast forward to the cloud era, and risks and disasters look very different for organizations. These highly disruptive events come in many forms, including theft, ransomware attacks, social engineering, major internet outages, and, most recently, the pandemic. On top of that, state-sponsored actors are actively threatening businesses of all sizes. These disasters look different, and the likelihood of one occurring is much higher than ever. In many cases, these risks could have been avoided or mitigated with proper planning.
Approaching Risk Management
It's important to have a thorough understanding of risk and the potential impact it can have on your business. At a high level, there are four ways you can classify and address risk.
1. Accept – Don’t do anything.
Decide it is a tolerable risk, but make sure it's a fully informed decision.
2. Avoid – Eliminate risk.
For example, don't allow remote access because it is too risky. You can also choose not to enter a particular line of business at all, e.g., deciding not to take on hospitals as customers because HIPAA regulations are too costly and the risk of non-compliance is too high. Risk avoidance is typically the most expensive path.
3. Transfer – Give risk to a willing 3rd party.
Transfer the risk to a third party (a payroll service, or cyber/E&O/GL insurance), keeping in mind that each such arrangement only protects a specific data type or loss. Be aware that you are not transferring all of your responsibility. It should be part of your due diligence to ensure the third-party provider is doing its part to properly secure and back up data in the event of a failure or breach.
4. Reduce – Put technology controls in place.
This is where Systems Engineering prefers to focus. We find ways to help businesses enable their employees to work in the most efficient and secure manner possible. To accomplish this, organizations need to blend the right mix of technologies, policies, and training that reduce associated risks to an acceptable level.
How to Measure Your Cybersecurity Risks
Once you've classified your risks, it's time to take inventory of all the cybersecurity or disaster events you can think of and rank them against business priorities. We put together a sample "Acceptable Risk" chart to outline what this type of exercise might look like in a typical organization.
1. Take Inventory of all risks.
Write down every event that threatens your business you can think of in one column. This can be done as a simple in-house whiteboard exercise.
2. Score your risks.
Give the risks you've identified a score. In this example, we used a scoring scale of 1 to 5, with 5 being the most impactful. Score the likelihood of the event happening along with the perceived impact the event would have on your business.
3. Calculate your overall risks.
Once each risk is listed out and scored, a simple formula can be applied to calculate the overall risk:
Calculate Acceptable Risk:
Likelihood x Impact = Risk
This type of scoring system gives you a way to measure cybersecurity risks and identify what is acceptable and what needs addressing. Using an exercise like the above is an essential step in determining acceptable risk levels within your company for each identified event.
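The scoring exercise above, carried through in code as an added illustration (not part of the original article or a Systems Engineering tool): each event gets a likelihood and an impact on the article's 1-to-5 scale, risk is computed as Likelihood x Impact, the register is ranked, and anything above an acceptable-risk threshold is flagged for addressing. The sample events, their scores, and the threshold of 9 are constructed for this example and are assumptions, not figures from the article; out-of-range scores are rejected so a typo on the whiteboard does not silently distort the ranking.

```python
from dataclasses import dataclass

# The article's scoring scale: 1 (lowest) to 5 (most impactful / most likely).
SCALE_MIN, SCALE_MAX = 1, 5


@dataclass(frozen=True)
class RiskEntry:
    """One row of the acceptable-risk chart."""
    event: str
    likelihood: int
    impact: int

    def __post_init__(self):
        # Reject scores outside the 1-5 scale so a bad entry cannot skew the chart.
        for name, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(
                    f"{name} for {self.event!r} must be between "
                    f"{SCALE_MIN} and {SCALE_MAX}, got {value}"
                )

    @property
    def risk(self) -> int:
        # The article's formula: Likelihood x Impact = Risk
        return self.likelihood * self.impact


def rank_risks(register):
    """Highest overall risk first; ties broken by impact so severe events surface."""
    return sorted(register, key=lambda r: (r.risk, r.impact), reverse=True)


def needs_addressing(register, acceptable_max):
    """Entries whose risk score exceeds what the business has decided to accept."""
    return [r for r in rank_risks(register) if r.risk > acceptable_max]


def summarize(register, acceptable_max):
    """Plain-text chart lines, one per event, in ranked order."""
    lines = []
    for r in rank_risks(register):
        status = "ADDRESS" if r.risk > acceptable_max else "accept"
        lines.append(f"{r.risk:2d}  L={r.likelihood} I={r.impact}  {status:7s} {r.event}")
    return lines


# Constructed sample register (assumed scores, not data from the article).
SAMPLE_REGISTER = [
    RiskEntry("Ransomware on file server", likelihood=4, impact=5),
    RiskEntry("Phishing credential theft", likelihood=5, impact=4),
    RiskEntry("Major internet outage", likelihood=3, impact=3),
    RiskEntry("Office fire", likelihood=1, impact=5),
    RiskEntry("Laptop theft", likelihood=3, impact=2),
]

# Assumed threshold: a product of 9 or less is tolerated, anything above is addressed.
ACCEPTABLE_MAX = 9

if __name__ == "__main__":
    print("risk  scores    status  event")
    for line in summarize(SAMPLE_REGISTER, ACCEPTABLE_MAX):
        print(line)
```

The threshold is the decision point the article describes: the business, not the script, decides what product of likelihood and impact it will tolerate, and re-running the chart after a process change (such as moving files to the cloud) is just a matter of editing the register and the scores.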
Risks are always evolving, so doing an acceptable risk exercise should not be a one-time event. There may be risks that were not initially considered, or a major company procedure may have changed since your last session (moving files from an on-premises server to the cloud). If you would like to try this exercise to assess your own company risks, we created a downloadable Acceptable Risk chart to use as a guide in your own whiteboarding session.
If you have any questions on the process for identifying and scoring your cybersecurity risks, please reach out to your Systems Engineering Account Manager, or email us at firstname.lastname@example.org.
After you have identified and scored your cybersecurity risks, the logical next step is to address them. Take a look at the framework we use to help organizations address and reduce their cybersecurity risks and vulnerabilities.
Brad Sprague is the leader of Systems Engineering's Account Managers. Since 2003, he has worked closely with clients to develop their strategic plans, multi-year budgets, and IT support plans.