Why perform risk management?
You have heard the news of “yet another” cybersecurity breach, you have read the statistics, or you may already have suffered a serious breach (this is likely even if you do not know it yet). You have decided you need to do something to reduce the chance of a critical cybersecurity incident. But what should you do? What is the biggest threat? Is it GDPR fines from the ICO, ransomware rendering your data and systems unusable, personal data leaked to the public, network or web applications hacked, intellectual property stolen, competitors obtaining your CRM data, or a rogue employee selling data or corrupting systems? The list goes on. Knowing where to prioritise is essential, and every company’s priorities are different. The only way to see how much to invest and where to spend it is to apply an appropriate risk management process. Risk management allows you to identify, assess and mitigate risks. Without knowing which assets you value most and what threatens them, you will be spending money blindly and hoping it solves your cybersecurity problems.
What is risk management?
Risk management consists of two activities: risk assessment and risk control. The former identifies and assesses risks; the latter mitigates the risks identified. Risks can arise from many different business activities, systems or processes, e.g. legal, regulatory, human error, accident or natural disaster. Risks apply to the company’s assets, where an asset is any item of value owned by the company: physical objects such as computers or real estate, and intangible items such as intellectual property or expertise. Risk assessment lets a company estimate the likelihood of a threat being realised and the impact on the organisation if it is. Risks with the highest impact (most damaging to the company’s operations) and the highest likelihood should be addressed first, with the largest share of resources spent on controls to reduce, eliminate or transfer them.
What is asset management?
An asset register is created before threats are identified. For each asset it records a description, its estimated value to the business, its location and the person responsible for it. The value of each asset to the business is the key input to the risk assessment process, discussed next.
What is a risk assessment?
Risk assessment is the process of identifying the threats to assets and measuring each as the likelihood of a threat incident occurring combined with its impact. Assessment can be quantitative or qualitative. The quantitative method uses known statistical data to estimate the probability of an event: for example, if you know that 1 in every 100 hard drives fails within its first year, you can use that rate to predict how often the event will occur in your organisation. Impact, i.e. a measure of the loss the incident would inflict on the company if realised, is then expressed as a monetary value derived from company data and statistics, so the two can be multiplied to give an expected annual loss. Conversely, qualitative risk assessment uses a subjective rating of both how likely an event is and how severe its effects would be, e.g. low, medium or high. Qualitative ratings are typically laid out as a risk matrix, with likelihood on one axis and impact on the other, and each cell giving the overall risk level.
How do I manage the risk?
Once identified, risks need managing. There may be several different controls that reduce the same risk, and a single control may reduce several risks. For example, a backup solution reduces the risk from ransomware as well as from disk failure, and the ransomware threat can also be reduced with anti-malware software. Controls can be technical, for example data recovery software, or organisational, such as the adoption of policies, processes or procedures. Selecting countermeasures needs to be a well-considered process that balances each control’s effectiveness against its cost and the company’s budget; a control that costs more per year than the loss it prevents is not worth buying.
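The following is an added worked example, not code from the original article, that ties the asset register, the risk assessment and the control selection together in one small Python script. It scores each risk both qualitatively (a 3x3 likelihood-by-impact matrix) and quantitatively (asset value × fraction lost per incident × expected incidents per year, the standard annualised-loss calculation the article describes in words but does not name), then picks controls greedily by net annual benefit within a budget, so that a control covering two risks (the backup) is credited for both and later controls are valued against the residual risk. All assets, risks, controls, costs, rates and reduction factors are constructed for illustration and are not figures from the article.

```python
from dataclasses import dataclass


@dataclass
class Asset:
    """One row of the asset register: description, value, location, owner."""
    name: str
    description: str
    value: float        # estimated value to the business (constructed, GBP)
    location: str
    owner: str


@dataclass
class Risk:
    """A threat to one asset, rated qualitatively and quantitatively."""
    name: str
    asset: str
    likelihood: int       # qualitative 1 (low) .. 3 (high)
    impact: int           # qualitative 1 (low) .. 3 (high)
    annual_rate: float    # expected incidents per year (0.01 = 1 in 100 per year)
    exposure: float       # fraction of the asset's value lost per incident (0..1)


@dataclass
class Control:
    """A countermeasure: annual cost and the fraction of each risk's loss it removes."""
    name: str
    annual_cost: float
    reduces: dict         # risk name -> fraction removed (0..1); assumed values


def qualitative_level(likelihood: int, impact: int) -> str:
    """Place a risk in a 3x3 likelihood-by-impact matrix and return the cell rating."""
    score = likelihood * impact          # 1..9
    if score <= 2:
        return "low"
    if score <= 4:
        return "medium"
    return "high"


def annualised_loss(asset: Asset, risk: Risk) -> float:
    """Quantitative exposure: loss per incident times expected incidents per year."""
    single_loss = asset.value * risk.exposure
    return single_loss * risk.annual_rate


def select_controls(assets, risks, controls, budget):
    """Greedy selection: repeatedly buy the affordable control with the largest
    (loss prevented - annual cost), re-valuing remaining controls against the
    residual loss after each purchase. Returns (chosen names, residual loss per risk)."""
    by_name = {a.name: a for a in assets}
    residual = {r.name: annualised_loss(by_name[r.asset], r) for r in risks}
    remaining, chosen, available = budget, [], list(controls)
    while True:
        best, best_net = None, 0.0
        for c in available:
            if c.annual_cost > remaining:
                continue
            saved = sum(residual[r] * f for r, f in c.reduces.items())
            net = saved - c.annual_cost
            if net > best_net:             # only controls that pay for themselves
                best, best_net = c, net
        if best is None:
            return chosen, residual
        chosen.append(best.name)
        remaining -= best.annual_cost
        available.remove(best)
        for r, f in best.reduces.items():  # one control may reduce several risks
            residual[r] *= (1.0 - f)


# Constructed register, risks and controls (illustrative figures only).
ASSETS = [
    Asset("file-server", "Departmental file server", 200_000, "HQ server room", "IT manager"),
    Asset("crm-db", "Customer CRM database", 500_000, "Cloud tenant", "Sales director"),
]
RISKS = [
    Risk("disk failure", "file-server", likelihood=1, impact=2, annual_rate=0.01, exposure=0.5),
    Risk("ransomware", "file-server", likelihood=2, impact=3, annual_rate=0.2, exposure=0.8),
    Risk("crm data theft", "crm-db", likelihood=1, impact=3, annual_rate=0.05, exposure=0.6),
]
CONTROLS = [
    Control("offsite backup", 4_000, {"ransomware": 0.6, "disk failure": 0.9}),
    Control("antimalware", 3_000, {"ransomware": 0.5}),
    Control("dlp on crm", 20_000, {"crm data theft": 0.7}),
    Control("staff phishing training", 1_500, {"ransomware": 0.3, "crm data theft": 0.2}),
]


def run_example(budget: float = 10_000):
    """Score every risk, then choose controls within the budget."""
    by_name = {a.name: a for a in ASSETS}
    for r in RISKS:
        print(f"{r.name:16s} {qualitative_level(r.likelihood, r.impact):7s}"
              f" expected annual loss {annualised_loss(by_name[r.asset], r):>9.0f}")
    chosen, residual = select_controls(ASSETS, RISKS, CONTROLS, budget)
    print("chosen:", chosen, "residual:", {k: round(v) for k, v in residual.items()})
    return chosen, residual


if __name__ == "__main__":
    run_example()
```

With these figures the greedy pass buys the backup first (it removes most of the ransomware loss and nearly all of the disk-failure loss for £4,000), then training, then anti-malware, and rejects the DLP product because its £20,000 annual cost exceeds the £10,500 of loss it would prevent. Ransomware is rated high on the matrix and dominates the quantitative total, which is why three of the four purchases target it.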