According to the World Economic Forum’s Global Risks Report (2018), over 21,000 surveyed business leaders from 140 countries now rank cyber-crime at the top of their list of risks. The key to managing this threat, we are told, is thorough cyber-security risk assessment. If you’d like to learn how to rank your cyber-security risks accurately and efficiently, read on.
But First, The Sources
Before we start looking at ranking strategies, let’s review the suggestions laid out by the UK government.
The National Cyber Security Centre (NCSC) has a range of guidelines to help companies improve their security. There are seven different assessment frameworks that help organisations identify and rank risks.
- ISO/IEC 27005:2011
- Information Security Forum (ISF) IRAM 2
- CESG Information Assurance Standard 1 & 2
- US National Institute of Standards and Technology (NIST) SP 800-30
- OCTAVE Allegro
- ISACA COBIT 5 for Risk
Some of these are specifically tailored to particular types of organisations, such as government agencies. Others, such as ISO/IEC 27005, are designed to be more generic. The risk-assessment methods overlap considerably, and they draw on the same underlying principles.
Many UK cyber-security insurance agencies recommend the National Institute of Standards and Technology (NIST) framework due to its accessibility and clarity. The NCSC describes the NIST approach as:
“comprehensive and clear […] usable by organisations of all sizes in both the private and public sectors. It is designed to be consistent with the ISO standards, and flexible enough to be used with other risk management frameworks”.
What Is A Cyber Risk Assessment?
The National Institute of Standards and Technology (NIST) explains that the purpose of a cyber-risk assessment is to identify:
“the cyber security risk to organisational operations (including mission, functions, image, or reputation), organisational assets, and individuals”.
This is an extremely broad agenda that demands a top-down examination of the entire organisation. NIST therefore recommends exploring cyber-security risks in six key steps:
1. Identify and Document Asset Vulnerabilities
2. Identify and Document Internal and External Threats
3. Acquire Threat and Vulnerability Information from External Sources
4. Identify Potential Business Impacts and Likelihoods
5. Determine Enterprise Risk by Reviewing Threats, Vulnerabilities, Likelihoods, and Impacts
6. Identify and Prioritise Risk Responses
These stages show a clear progression that untangles some of the murky unknowns to arrive at a clear, understandable end point.
1. Identify & Document Asset Vulnerabilities
This stage is about identifying which assets might be a target. To identify vulnerabilities, consider:
- Previous incidents. If you’ve been targeted before, that’s a weakness.
- The nature of your data. If you hold sensitive personal or financial information, you are an attractive target.
- Industry trends. If your competitors have had problems, you might be next.
2. Identify & Document Internal & External Threats
Once you know which data is likely to be targeted, the next stage is to consider who might want it.
Don’t be afraid to think outside the box on this one. It is not only hackers trying to steal and sell data that pose a risk. In 2018, environmental activists forced four major gas pipeline operators to shut down following a targeted cyber-attack, and this type of politically-motivated incident is becoming more common.
3. Acquire Threat & Vulnerability Information From External Sources
The first two stages lay the groundwork for this third, broader examination of the situation. Step 3 involves gaining knowledge and information that enable you to establish the tactics, techniques, and procedures (TTPs) that cyber-criminals are using. This can be done by:
- Keeping up to date with industry news and forums
- Employing a security firm to offer insight
The aim is to ensure that you are fully informed.
4. Identify Potential Business Impacts & Likelihoods
The risk is out there, but what will happen if your business is targeted? Step 4 means asking this question and developing potential scenarios for each of the risks that you have established in the previous steps.
For each scenario, ask as many questions as possible:
- What will the immediate business impact be?
- Who will be affected?
- What is your immediate response?
- What will the effect of your response be on short-term and long-term business activities?
- What will the overall cost be?
- How will customers, reputation, and long-term performance be affected?
Once you have asked these questions for each potential scenario, you can combine them with the information from Stages 1, 2, and 3 in order to rank them into a matrix determined by:
With this matrix, the level of risk should be immediately visible. High-impact/high-likelihood events have the most chance of occurring and will result in the greatest cost. These should be addressed first.
5. Determine Enterprise Risk By Reviewing Threats, Vulnerabilities, Likelihoods, & Impacts
The risks should now be clear, ranked, and the impact established. Step 5 involves determining whether internal organisational vulnerabilities mean that your business has an enhanced risk. This means considering your own organisation, systems, and procedures.
Software security is important. However, also consider factors such as communication, emergency chain of command, and awareness of protocols.
6. Identify & Prioritise Risk Responses
This final stage involves bringing together all of the information and using it to move forwards. Take what you have learned in Step 5 and use this as your starting point for developing a strong defence. Look for ways to reduce the risk by targeting organisational vulnerabilities that might increase the impact of an attack.
Once these risks have been ranked, and plans have been made accordingly, treat it like any other emergency scenario. Just as your staff know what to do in the event of a fire, plan and prepare for a cyber-attack.
Using the NIST steps, carry out regular risk assessments. This will enable you to identify whether the ranking of your cyber-security risks changes.
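One way to carry the Step 4 to Step 6 ranking through in code, as an added example that is not part of the article: each scenario gets a likelihood and impact rating, Step 5 organisational weaknesses raise the effective impact, and the matrix score orders the risk responses. The 1 to 5 scales, the band thresholds and the sample scenarios are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Added example, not from the original article; the 1..5 scales and band
# thresholds are assumptions chosen for illustration.
MIN_RATING, MAX_RATING = 1, 5

@dataclass(frozen=True)
class Scenario:
    name: str
    likelihood: int          # Step 4: 1 (rare) .. 5 (almost certain)
    impact: int              # Step 4: cost/customer/reputation impact, 1 .. 5
    org_weaknesses: int = 0  # Step 5: internal gaps (e.g. no chain of command); each adds one impact level

def _check_rating(value: int, label: str) -> None:
    if not MIN_RATING <= value <= MAX_RATING:
        raise ValueError(f"{label} must be {MIN_RATING}..{MAX_RATING}, got {value}")

def effective_impact(s: Scenario) -> int:
    """Step 5: organisational weaknesses push impact up, capped at the scale maximum."""
    _check_rating(s.impact, "impact")
    return min(MAX_RATING, s.impact + s.org_weaknesses)

def risk_score(s: Scenario) -> int:
    """Cell of the likelihood x impact matrix (1..25)."""
    _check_rating(s.likelihood, "likelihood")
    return s.likelihood * effective_impact(s)

def band(score: int) -> str:
    """Assumed bands: top-right of the matrix is high, bottom-left is low."""
    return "high" if score >= 15 else "medium" if score >= 8 else "low"

def rank(scenarios) -> list[tuple[str, int, str]]:
    """Step 6 ordering: highest score first; ties broken by effective impact, then likelihood."""
    ordered = sorted(scenarios, reverse=True,
                     key=lambda s: (risk_score(s), effective_impact(s), s.likelihood))
    return [(s.name, risk_score(s), band(risk_score(s))) for s in ordered]

# Constructed sample scenarios (not from the article).
SCENARIOS = [
    Scenario("Ransomware delivered by phishing", likelihood=4, impact=4, org_weaknesses=1),
    Scenario("Hacktivist DDoS on public website", likelihood=2, impact=3),
    Scenario("Customer data left on disposed laptop", likelihood=3, impact=4),
    Scenario("Insider sells customer records", likelihood=2, impact=5),
]

for name, score, level in rank(SCENARIOS):
    print(f"{score:>2} {level:<6} {name}")
```

Re-running the ranking after each periodic assessment shows whether a scenario has moved between bands, which is the change the article says regular assessments should reveal.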
Start By Protecting Against The Obvious
When organisations dispose of old IT equipment, data left on the devices can lead to breaches that increase both the likelihood and the impact of a cyber attack. Safeguard against this with 100% assurance by engaging a professional IT asset disposal company.