Saturday, August 26, 2023

Launching Your First Cyber Risk Assessment? 4 Golden Tips To Make It Effective

I mentioned in yesterday’s blog how AI is one of the biggest buzzwords in the Cyber world today.  But there are many others, and one of them, which quite honestly I get tired of hearing about all the time, is that of risk.

You hear it all the time, and I have even been asked: what is risk?  Well, it can have different meanings for different people.  A lot of the definition really depends upon how much of a gamble you are willing to take if you are hit by a security breach.

You can Google this term, but in my books, I define risk as how much of a financial loss you can tolerate before the real pain hits the bottom line.  Of course, no business wants to lose money on anything, but it is a part of what capitalism is all about.  You won’t gain anything until you take a risk.  But in Cybersecurity, we are all prone to becoming victims of an attack.

This is where the monetary part plays a key role.  For example, are your bank coffers large enough that you can sustain some downtime for a little while?  Or are you an SMB that could go out of business after one day?

That is what you need to figure out.  Obviously, common thinking dictates that a business would want to mitigate that risk as much as possible.  But believe it or not, there are plenty of them out there who feel that they have a much bigger appetite for it.

Before you get into any component of Cybersecurity, it is first very important to conduct what is known as a “Risk Assessment Study”.  Essentially, this is where you are grouping all of your assets, both digital and physical, and examining just how prone they are to a security breach.

Very commonly, an IT Security team would make use of a categorization scale, such as 1 – 10, where “1” would have the least amount of vulnerability, and “10” would have the most.

But depending on the size of your business, and what industry you are in, conducting a Risk Assessment Study can actually be quite a complex undertaking.  In order to make sure that you are doing it right from the get-go, it is wise to bring in a Cyber vendor who has extensive experience in doing this to help you out.

But if you want to strike out on your own, there are plenty of templates that you can use for free on the Internet.  Some of the most reliable ones are those from NIST and CISA.  In this regard, the following are some tips that you can use to conduct your study:

1) Use a hybrid approach:

I have been asked in the past, what approach is better to use?  A quantitative or a qualitative one?  Once again, a lot depends upon what assets you have.  Although I would err more towards the quantitative approach at first because numerical values are easier to understand, you really need to take into account both.  This is the only way to get a true sense as to what your risk posture is, and how much of it you can actually tolerate.  That is what I mean by this “hybrid approach.”

2) Need to get all members on board:

Conducting a Risk Assessment is not all about the IT Department.  You probably have other departments as well, and the input that they provide to you is extremely important in order to calculate your overall risk score.  But getting other departments involved is by no means an easy task, because they probably don’t understand what the real meaning behind risk is, and how it can also affect their jobs.  Rather than spending hours teaching them the importance of it, perhaps you can use the concepts of gamification, and even a rewards system, to get them involved and providing their needed input.  In other words, it should not all be up to the IT Security team to do this.  Each and every employee in your business has a stake in this.

3) Look at impact also:

As I mentioned previously, one of the primary goals of a Risk Assessment Study is to see how vulnerable your assets are.  But there is also another key area that you need to factor in as well.  And that is “Impact”.  For example, if your database server is ranked as being vulnerable, you also need to assess what the impact will be if it is indeed targeted and breached.  What are the far-reaching implications of this?  Who will be affected?  Customers?  Employees?  Key Stakeholders?  So the equation here is that your overall risk posture will be a combination of Vulnerability + Risk Impact.
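To make the three points above concrete (the 1 – 10 vulnerability scale, the hybrid quantitative/qualitative approach, and Vulnerability + Impact), here is a small risk register that I have added as a worked example.  It is not code from the original post or from any NIST or CISA template.  The scoring formula (a plain sum of the two 1 – 10 ratings), the High/Medium/Low band thresholds, the expected-loss calculation (annual likelihood times loss per incident), the sample assets and the $50,000 tolerance figure are all constructed assumptions for illustration only.

```python
# Added example: a small hybrid risk register. Not code from the original post;
# the scoring formula, band thresholds, sample assets and tolerance figure are
# all constructed assumptions for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    """One row of the risk register (constructed fields)."""
    name: str
    vulnerability: int        # qualitative, 1 (least vulnerable) .. 10 (most)
    impact: int               # qualitative, 1 (few affected) .. 10 (customers, staff, stakeholders)
    annual_likelihood: float  # quantitative: estimated chance of a breach within a year, 0..1
    loss_per_incident: float  # quantitative: estimated financial loss from one breach


def _check_scale(value: int, label: str) -> None:
    """Enforce the 1 - 10 scale; anything else is a data-entry error."""
    if not 1 <= value <= 10:
        raise ValueError(f"{label} must be between 1 and 10, got {value}")


def qualitative_score(asset: Asset) -> int:
    """Vulnerability + Impact, as the post frames it (range 2..20)."""
    _check_scale(asset.vulnerability, "vulnerability")
    _check_scale(asset.impact, "impact")
    return asset.vulnerability + asset.impact


def qualitative_band(score: int) -> str:
    """Assumed banding of the 2..20 score into three tiers."""
    if score >= 15:
        return "High"
    if score >= 9:
        return "Medium"
    return "Low"


def annualized_loss_expectancy(asset: Asset) -> float:
    """Quantitative side: likelihood per year times loss per incident."""
    if not 0.0 <= asset.annual_likelihood <= 1.0:
        raise ValueError("annual_likelihood must be a probability between 0 and 1")
    return asset.annual_likelihood * asset.loss_per_incident


def assess(assets, risk_tolerance: float):
    """Combine both views and flag assets whose expected yearly loss exceeds
    what the business says it can absorb (the post's definition of risk)."""
    rows = []
    for asset in assets:
        score = qualitative_score(asset)
        ale = annualized_loss_expectancy(asset)
        rows.append({
            "name": asset.name,
            "score": score,
            "band": qualitative_band(score),
            "ale": ale,
            "exceeds_tolerance": ale > risk_tolerance,
        })
    # Rank by expected loss first, then by the qualitative score as a tie-breaker.
    rows.sort(key=lambda r: (r["ale"], r["score"]), reverse=True)
    return rows


# Constructed sample register. The web site is the *most vulnerable* asset, but
# the database carries the most impact and by far the most expected loss.
SAMPLE_ASSETS = [
    Asset("customer database server", vulnerability=7, impact=9,
          annual_likelihood=0.30, loss_per_incident=250_000.0),
    Asset("marketing web site", vulnerability=8, impact=4,
          annual_likelihood=0.50, loss_per_incident=20_000.0),
    Asset("office badge readers", vulnerability=3, impact=5,
          annual_likelihood=0.05, loss_per_incident=15_000.0),
]
RISK_TOLERANCE = 50_000.0  # assumed: yearly loss the business says it can absorb


if __name__ == "__main__":
    for row in assess(SAMPLE_ASSETS, RISK_TOLERANCE):
        flag = "OVER TOLERANCE" if row["exceeds_tolerance"] else "within tolerance"
        print(f"{row['name']:<26} score={row['score']:>2} ({row['band']:<6}) "
              f"expected loss/yr=${row['ale']:>10,.0f}  {flag}")
```

The point the sample data makes is the one from tip 3: ranked on vulnerability alone the web site would come out on top, but once impact and expected loss are added, the database server is the only asset that actually breaks the tolerance figure, so that is where the mitigation budget should go first.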

4) Keep your Study updated:

You will probably want to run your first Risk Assessment manually.  Although it will be a pain to do, at least you will have a firm understanding of what is happening.  But doing this is not a one-time deal.  Your Risk Assessment Study needs to be updated as much as possible, preferably on a real-time basis.  But this does not mean you and your team have to do it manually all the time.  Given the advances in AI and ML, you can get these updates done on an automated basis, and you can even see everything in one central location.

My Thoughts On This:

If your company is new to Cybersecurity, and you want to get started with conducting your first Risk Assessment Study, the following recommended frameworks, which you can use for free, can be seen at the links below:

https://www.darkreading.com/risk/how-to-choose-the-right-cybersecurity-framework

https://www.darkreading.com/risk/nist-risk-management-framework-aims-to-improve-trustworthiness-of-artificial-intelligence

But before you embark on all of this, you must first have an understanding of what risk is all about.  I actually wrote and published a book on this some time ago, and you can see it here at this link:

https://www.routledge.com/Assessing-and-Insuring-Cybersecurity-Risk/Das/p/book/9780367903077
