Last week we kicked off our two-part series “The Why & How of Cybersecurity Risk Management.” This series is intended to review how small to medium-sized businesses (SMBs) can reduce their exposure to cyberattacks through cybersecurity risk management. Part one looked at practical ways to define and measure acceptable risk. In part two, Erik Thomas, Leader of Advisory Services at Systems Engineering, walks through a framework for addressing and reducing cybersecurity risks and vulnerabilities in your organization.
In this blog, we will discuss:
WHERE TO BEGIN
When an organization begins the process of addressing and reducing risks and vulnerabilities, the thinking usually jumps to the logistics of what to do. A quick outline of the steps to take would look like this:
- Assess & communicate risk
- Put risk decision making where it belongs (within organization)
- Make informed decisions
- Reevaluate risk (do it again)
The problem with these steps is that most people aren't sure where to start. We find a lot of confusion around the topic of cybersecurity. If we ask 10 people what they believe is the right way to do a cybersecurity risk assessment, we will get 11 different answers, most of them some version of “I don’t really know where to start!”
“It won’t happen to my organization”
The confusion around cybersecurity stems from an organization's perception of risk, or, better stated, its misperception of risk. This is especially true for an SMB that has NOT been hit by a cyberattack and has no first-hand knowledge of a company that has. It is not that companies today are unaware of the risks in play; it is the perceived likelihood of the event happening to them that leads to inaction or complacency. Referring back to our previous blog (pt. 1) and its risk calculation, Risk = Likelihood x Impact, we can see why: underestimating the likelihood of an event drives the perceived risk down, even though the actual likelihood has not changed at all.
Once an organization has the displeasure of experiencing a security event, its understanding and appreciation of likelihood and impact change dramatically. A quote I once read by David Friedberg, a Silicon Valley entrepreneur, gives insight into how we can keep perception from distorting our risk equation, namely by focusing on data.
“What is risk? Risk is uncertainty about the outcome. The less data you have, the more uncertainty you have about the outcome.” – David Friedberg
When a company gains a better understanding of actual risk, in essence they have the ‘data’ needed to make informed decisions. This is a much better practice than relying on gut feelings or misperceptions of risk. So, what is important to understand about cybersecurity risks? There are three key questions to ask:
CHALLENGES TO RISK ASSESSMENT
When it comes to assessing and understanding risk, there are many challenges to overcome. The biggest hurdle for most SMBs is where to start.
Do you start by picking a security framework? There are many to choose from depending on your industry (e.g., NIST CSF, NIST SP 800-171, CMMC, SOC 1 or SOC 2, HIPAA, PCI DSS, CIS Controls, HITRUST, FFIEC), and their control sets overlap heavily (roughly 80% of the controls are shared). They are a very good starting point for understanding the set of controls you should deploy (what am I doing, what am I not doing), and they focus on industry compliance, but they can’t possibly cover all the cybersecurity risks that need to be managed.
What skill sets are needed to read and understand these frameworks? It is a challenge to follow which compliance factors need to be met and how they relate to your environment. Also, the skill sets needed to log in to the network or cloud environment, run scans, review configurations and system design, and then interpret the results can be highly specialized.
How do you successfully communicate risk? Once risks are identified, it can be hard to understand what their impact on the organization really is. Internal IT can have a hard time conveying the business impact of a risk when asking leadership for budget and resources. Conversely, it can be difficult for leadership to make budget decisions without fully appreciating how a cybersecurity weakness translates into business risk.
THE CHALLENGE OF RISK COMMUNICATION
When looking at an organization and how it relates to risk, the areas of responsibility can be laid out along a line. At the beginning of the line is the technology: everything that makes up a network, such as laptops, applications, firewalls, cloud services, etc. Next come the people who interact with this technology, such as clients, employees, and administrators, and the procedures they follow to do so. These two areas are where cybersecurity threats and vulnerabilities lie.
Moving further away from technology we find governance and policy. These are the frameworks an organization has adopted to place guardrails on what it does and doesn’t do with technology, data, people, and process. Next in line are management, leadership, budgeting, and planning. In recent years, cybersecurity risk decision making has expanded to an organization's board of directors and ownership. This was not the case a couple of years ago, which highlights the growing level of concern for cybersecurity risk management among business leaders. When it comes to cybersecurity risk management, these are the areas where all of the risk decisions happen.
The challenge with this arrangement is that attackers are trying to infiltrate and exploit systems and staff in a completely different area than where the cybersecurity decisions are being made. This visualization demonstrates how much information on threats and vulnerabilities has to travel from the technical end of the line to the decision makers within an organization. That is where risk decision making belongs.
It should not be left with IT alone to decide the acceptable level of risk for your organization.
RISKS TO RISK MANAGEMENT
We have already looked at the challenge of knowing where to start with risk management; now we need to look closer at the issue of inaction (or complacency) due to the misperception of risk. Many times, this can be traced to assumptions and misinformation coming from a company's own IT staff. While these may be communicated with the best of intentions, they are no less a risk to the organization. Some of the assumptions we frequently hear from management are:
Just because it's getting done, is it being done well?
When dealing with an auditor, a company is not typically going to show all of its cards. It is not going to ask the auditor to log in to its systems and judge the health of its back-end infrastructure, nor do auditors typically possess the skill sets to do so. Companies are usually just trying to get through the audit unscathed. A passed audit therefore tells you that a control exists and is documented, not that it is working well.
As mentioned earlier, the third piece of key data needed to understand risk is to ask, “What am I not doing?”
Here are a few pieces of misinformation I have heard first hand from IT when leadership asked the question, “How secure are we?”
This is not a good answer. It assumes that it is possible to be 100% secure, which is not attainable. There isn’t even a finite set of questions that could be asked to completely cover security and yield a percentage score.
This is not exactly true. In nearly all cases when software or a service is outsourced, you still retain some responsibility for the integrity and security of your data (cloud and SaaS providers describe this split as a shared responsibility model). For instance, your Software-as-a-Service application provider can’t possibly know that you have just terminated an employee and need their access revoked.
EXPECTATIONS OF A RISK ASSESSMENT
Since taking on the topic of cybersecurity risk management a few years ago at Systems Engineering, we have put a lot of thought and effort into the way we talk about and consider risk. We’ve had many interactions with organizations directly after they have become the victim of a cybersecurity incident. This experience, along with the recurring questions we hear from victims, has helped us formulate what we believe should come out of a cybersecurity risk assessment. Here is a list of four topic areas you can expect to learn from Systems Engineering's Cybersecurity Risk Assessment:
- What needs to be done to minimize the chance of a cyberattack.
- What areas of IT (e.g., cloud, applications) have no direct management assigned. These oversights create opportunities for neglect and subsequent risk.
- Assignment of objectives and prioritization of risk findings in a meaningful way. Often IT people will work to remediate the problem areas they are good at fixing or interested in, but those are not necessarily the places you should start.
- Ensuring that decision making falls in the right area of the organization, and then taking action on those decisions.
RESIDUAL RISK ASSESSMENTS
We have already looked at the challenges, risks, and expectations of cybersecurity risk management. It is now important to review the idea of residual risk and how it relates to a cybersecurity risk assessment. To be clear, a cybersecurity risk assessment is not an audit; it is an in-depth review of what’s going on in your environment that highlights areas of concern. A good example is the area of server backups. An assessment would uncover answers to questions such as:
- Are backups being done properly?
- Who is supposed to be doing them?
- Is everything that should be getting backed up actually being backed up?
- Are server backups failing without sending an alert?
Questions like these are reviewed in over three dozen areas within a cybersecurity risk assessment. An assessment is not meant to replace or cover every single security framework, but the assessment is derived from these frameworks, along with lessons learned from various environments. What’s important to come away with is an understanding of where you are, and what your residual (remaining) risks might still be.
A good way to understand residual risk is to once again look at server backups. In the risk calculation of Likelihood x Impact, the risk is data loss and downtime. In most cases, the likelihood of data loss at the server level is high. This is evident from the frequency of ransomware, hardware failures, human error (deleted files), and insider threats.
As for the impact of data loss, it’s not a stretch to assume that most of the data being backed up is sensitive and highly important to an organization, therefore we have a high impact value. So, when considering this data loss risk scenario we have high likelihood x high impact = high risk.
Of course, now we need to factor in the process of nightly (or hourly, etc.) server backups. Backing up is the control you have deployed to mitigate (minimize) the initial risk of data loss. Deploying the control does not mean the backups are being done properly, as we find in the vast majority of assessments we perform. We typically find failing backup routines, as well as neglected systems that were meant to be added to the backup schedule long ago. If we have a high initial risk and a poorly implemented control (backups), we have not removed much risk from the equation, and we are left with a high residual risk. Residual Risk = Risk – Control. The high risk of data loss, minus a backup control that is being done poorly, still equals a high residual risk that needs to be addressed.
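The backup questions listed above (is everything backed up, is it succeeding, is it failing silently) and the residual-risk reasoning in this section can be turned into a concrete check. The script below is an added example written for this post; it is not Systems Engineering's assessment tooling. The server inventory, backup job log, and alert log are constructed inline, the log line format (`<ISO date> <host> <status>`) is assumed, and the numeric scales (likelihood fixed at 3 of 3, impact by data classification, residual = inherent minus the portion the backup control actually covers) are an assumed scoring scheme chosen to mirror the Likelihood x Impact and Residual Risk = Risk – Control formulas, not an industry standard.

```python
"""Reconcile a server inventory against backup job results and rate residual risk.

Added example (not the original post's or Systems Engineering's code). All
inputs below are constructed for illustration; the scoring scales are assumptions.
"""
from datetime import date

# Constructed inventory: hostname -> data classification (assumed labels).
INVENTORY = {
    "fs01": "sensitive",
    "db01": "sensitive",
    "app01": "internal",
    "hr-archive": "sensitive",   # constructed: never added to the backup schedule
}

# Constructed backup job log. Assumed format: "<ISO date> <host> <status>".
BACKUP_LOG = """\
2024-03-09 app01 success
2024-03-10 fs01 success
2024-03-10 db01 failed
2024-03-11 fs01 success
2024-03-11 db01 failed
2024-03-12 fs01 success
2024-03-12 db01 failed
"""

# Constructed alert log (same format). Only the first db01 failure raised an alert.
ALERT_LOG = """\
2024-03-10 db01 backup-failed
"""

LIKELIHOOD = 3                                    # assumed: data loss at server level is high (3 of 3)
IMPACT = {"sensitive": 3, "internal": 2, "public": 1}  # assumed impact scale


def parse_log(text):
    """Parse '<ISO date> <host> <status>' lines into (date, host, status) tuples."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        day, host, status = line.split(maxsplit=2)
        rows.append((date.fromisoformat(day), host, status))
    return rows


def coverage_findings(inventory, jobs, alerts, as_of, max_age_days=2):
    """Answer the backup questions per host and list failures that raised no alert."""
    scheduled = set()
    last_good = {}
    for day, host, status in jobs:
        scheduled.add(host)
        if status == "success" and day > last_good.get(host, date.min):
            last_good[host] = day

    findings = {}
    for host in inventory:
        if host not in scheduled:
            findings[host] = "not in backup schedule"          # "is everything being backed up?"
        elif host not in last_good:
            findings[host] = "no successful backup on record"  # "are backups being done properly?"
        elif (as_of - last_good[host]).days > max_age_days:
            findings[host] = f"last good backup {last_good[host]} is stale"
        else:
            findings[host] = "ok"

    # "are backups failing without sending an alert?" -> failed job with no alert that day
    alerted = {(day, host) for day, host, _ in alerts}
    silent = sorted({(day, host) for day, host, status in jobs
                     if status == "failed" and (day, host) not in alerted})
    return findings, silent


def residual_risk(inventory, findings):
    """Assumed scoring: inherent = sum(likelihood x impact); the backup control
    only removes risk for hosts whose finding is 'ok'. Residual = Risk - Control."""
    inherent = sum(LIKELIHOOD * IMPACT[cls] for cls in inventory.values())
    control = sum(LIKELIHOOD * IMPACT[cls] for host, cls in inventory.items()
                  if findings[host] == "ok")
    residual = inherent - control
    ratio = residual / inherent
    level = "high" if ratio >= 0.5 else "medium" if ratio >= 0.2 else "low"  # assumed thresholds
    return inherent, residual, level


def run_assessment(as_of=date(2024, 3, 12)):
    """Run the whole check and return the findings as a dict for further use."""
    jobs = parse_log(BACKUP_LOG)
    alerts = parse_log(ALERT_LOG)
    findings, silent = coverage_findings(INVENTORY, jobs, alerts, as_of)
    inherent, residual, level = residual_risk(INVENTORY, findings)
    return {"findings": findings, "silent_failures": silent,
            "inherent": inherent, "residual": residual, "level": level}


if __name__ == "__main__":
    result = run_assessment()
    for host, finding in result["findings"].items():
        print(f"{host:12} {finding}")
    for day, host in result["silent_failures"]:
        print(f"silent failure: {host} on {day}")
    print(f"inherent risk {result['inherent']}, residual {result['residual']} ({result['level']})")
```

On the constructed data, the backup control is actually covering only one of the four servers: one host was never scheduled, one has been failing without alerts for two nights, and one has not had a good backup inside the allowed window. The inherent score of 33 drops only to 24, so the residual risk stays high, which is exactly the situation the text describes. The point of keeping the inventory as a separate input is that it answers “what am I not doing?”: a backup console alone will never list the server nobody added to it.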
Overall, the purpose of a cybersecurity risk assessment is to better inform an organization about its threats, vulnerabilities, and residual risk. The goal is to enable better risk management decisions to defend sensitive and critical assets. Many SMBs have been asking questions around the topic of cybersecurity, and this two-part series is our attempt to answer the most common ones: “Is our organization secure?” and “How secure are we?” Keeping your business secure is critical to its success, and we strongly recommend that every organization conduct a cybersecurity risk assessment. If you would like to learn even more, download our comprehensive Cybersecurity Risk Assessment eBook.
If you have any questions on the process for addressing and reducing cybersecurity risks and vulnerabilities in your organization, please reach out to your account manager, or email us at firstname.lastname@example.org.
Erik Thomas leads the Advisory Services group at Systems Engineering. Erik has over a decade of experience with IT, application development, and business operations. His group assists clients with the planning and implementation of IT systems, business development, cybersecurity risk assessments, and addressing regulatory compliance for businesses.