How to Mitigate IT Security Risks: Best Practices for Effective Risk Management
Do you work in Cybersecurity? Guess what – your job is actually risk management. Is your role in general IT, or in sales, marketing, HR or management? Guess what – your job isn’t risk management, but a part of your role should be dedicated to risk management.
Why, you ask? The answer is that all cyber security work is about risk management and risk mitigation, and this is everyone’s responsibility – not just the security team.
In this article we’ll look at how you can manage IT security risks in your organization, how to develop a risk management plan to strategically prepare for and think about cyber risks and why this is a better approach than throwing money and new software solutions at the problem.
Flavors of Risks
In some ways cyber security risk is just like any other risk that businesses must factor in – geopolitical risks, natural disasters, supply chain challenges, regulation, and compliance risks and so forth.
This is important, because when you communicate with leadership in your organization, framing it in risk terms will yield much better results than using geek speak. On the other hand, cyber security risks can be very different to other risks as they’re often harder to quantify.
One way this can be seen is in cyber security insurance. Only a few years ago, this was a simple exercise (at least in smaller businesses) where you answered a limited number of questions around your security posture and were given insurance at a relatively low premium.
However, half a decade of “big game hunting” ransomware attacks with payouts in the millions have changed the insurance game considerably. Now, the questionnaire is much more comprehensive, and the premiums are much larger, with more exclusions and limitations– with some insurers even exiting the market.
The reason is that there’s not enough stable statistics for insurers to really work out the actual risk – compared to say the risk of a fire in an office building, or an earthquake in a particular area.
They have many decades of statistics in those areas to base their modelling on – whereas cyber security is such a rapidly changing landscape, where even organization with mature security practises and strong cyber hygiene still become victims of the criminals.
The best way for a business to tackle this problem is to develop a risk management plan and keep it alive with regular updates.
Four Steps to a Plan
There are various frameworks you can base your plan on – and depending on which country or countries your business operates in, as well as the demands in regulatory frameworks that you must comply with, you might be locked into a particular one. Here we’re going to use NIST 800-30 to base the discussion on.
It’s got four steps:
- Prepare for Assessment
- Conduct Assessment
- Communicate Results
- Maintain Assessment
We’re going to focus on step 2 which has five tasks:
- Identify Threat Sources and Events
- Identify Vulnerabilities and Predisposing Conditions
- Determine Likelihood of Occurrence
- Determine Magnitude of Impact
- Determine Risk
In other words, start by identifying threats which are circumstances or event that could potentially impact an organization’s operations.
Then you look at vulnerabilities which are weaknesses in a system, security procedure or implementation that a threat can exploit (think broader than just software bug vulnerabilities). And, since no organization is an island as we’ve learnt over the last few years of supply chain attacks, a vulnerability in a supplier or vendors system can impact your business.
When you combine the threats with the vulnerability you can then assess the consequences, if this threat takes advantage of this vulnerability, what will the consequence be?
In concrete terms, identify all your assets and prioritize them based on importance to the business. Then find all (known) vulnerabilities and threats in your environment. Apply security controls to mitigate vulnerabilities, based on the priority of the affected assets.
Then determine the likelihood of a threat event occurring and estimate the potential consequences. This is then a matrix of all the risks that you can use to prioritize and manage risk decisions and responses.
Three things to note here – first it’s really easy to write a paragraph like this, it’s a whole different ballgame to actually do it – particularly in a large business.
Secondly – identifying all vulnerabilities is impossible because there are so many that you don’t know about.
But the point is that you have to start somewhere, if you don’t bother to identify the known vulnerabilities, just because there are ones you don’t know about yet, you won’t get a version 1 of the plan, that you can then iterate on as more information comes to light.
And thirdly, this whole exercise isn’t something the IT department, or the security team can do on their own – this takes involvement by representatives from the whole organization, who’ll each have a view of the risks, vulnerabilities, and threats to their part of the business process.
Risk Mitigation
Now that you have identified, prioritized, and assessed the risks, it’s time to start looking at the appropriate controls to mitigate these risks.
These range from low-tech approaches such as if the accounting department receives an email notification about a change of bank account details from a supplier, they follow up with a phone call to verify this (to a known phone number, not the one supplied in the potentially fraudulent email).
To address security flaws in systems and applications, apply patches as soon as possible, based on the business priority of the asset.
And to mitigate identity-based attacks, ensure that users are logging in using strong authentication such as MFA, and move towards phishing resistant systems such as Windows Hello for Business, Passkeys and FIDO 2 hardware keys.
There are many other risk mitigation approaches: to stop inadvertent data sharing, use a Data Loss Prevention tool, to maintain data governance use an Information Protection tool, to manage the risks from staff (either inadvertent or intentional) apply an Insider Risk process and tool, to minimize the risks from malicious emails use a strong email hygiene solution, and for times when these controls fail, ensure continuous Security Awareness training.
If you need to reign in data sharing, in general or if you’re preparing to roll out Copilot for Microsoft 365, use a good data governance tool.
Remember, this isn’t about new shiny tools that’ll solve all your security problems, it’s about having a plan, with both identified and prioritized risks and building mitigations to the risks just like you do in any other area of your business.
Fire is a risk in an office building, so you mitigate the risk by installing smoke detectors, fire extinguishers, and train your users with evacuation drills.
However, if you have a plant with flammable chemicals, the risk mitigation will include additional systems to minimize the risk. In the same way you must have baseline security controls to mitigate “normal” cyber risks, but more stringent controls for administrative accounts or Domain Controllers.
When calculating the potential monetary damage to your business don’t forget to include operational costs (time and effort to restore systems), perhaps the cost of the ransom itself if that’s the attacks and you do decide to pay, but also fines for non-compliance with regulations.
There’s the cost of loss of clients or potential new sales that won’t be realised, and the overall loss of trust which can be hard to quantify.
The plan is only version 1.0 once you have it in place – it’ll require continuous maintenance (quarterly reviews?) as vendors and suppliers change, IT systems are updated and changed, regulations are altered and the security landscape itself changes (daily).
Remember that there will be some risks that you can’t fully mitigate, at least not without investments far beyond the actual business value of the vulnerable assets, and these risks must be documented and accepted.
Enhance employee awareness and safeguard critical data by leveraging Hornetsecurity’s Security Awareness Service for comprehensive cyber threat education and protection.
To keep up to date with the latest articles and practices, pay a visit to our Hornetsecurity blog now.
Conclusion
The relentless attacks of cyber criminals, increasing every year is a reality that every business must face. Otherwise, you’re likely to get an “unscheduled, post-paid penetration test” by an attacker who’ll bring it to yours (and the entire C-suite’s) attention.
Businesses, small and large, must build their cyber security risk management on a plan, which considers the risk landscape, as well as your infrastructure, applications, users and other assets and their business priority.
With that plan, regularly updated, you have a much better chance to identify the biggest risks, mitigate them as best you can, and keep iterating to improve your cyber security posture.
FAQ
The steps are identify threats, combine these with vulnerabilities in systems and processes and then calculate the consequences if a threat is attacking a vulnerability. Combine this with an inventory of all assets, to form a list of all the cyber risks to the business, which then is prioritized based on the business impact of each risk. This forms the basis of your cyber risk management.
If you don’t know what you have, and what the risks are to those assets, you won’t know which risks have the highest priority and your cyber defences will be haphazard at best. With a solid plan, you can implement risk mitigations in a calculated manner to achieve the best protection with the available resources.
Cyber risks come in many forms, most of them focus on your data as the goal. Ransomware encrypts your data to get you to pay to get access to it back, industrial espionage steals your Intellectual Property to achieve an unfair advantage, and Business Email Compromise attacks seeks to subvert your processes to steal your money.
l
o
g