Cybersecurity Risk Management
Cyber threats are no longer a concern exclusive to enterprise businesses. In fact, a study by Cisco found that 53% of SMBs experienced some sort of cyber-attack in 2018, causing financial damages and data loss. If cyber-attacks are no longer exclusive to enterprise businesses but affect more and more SMBs every day, cyber risk management needs to be addressed by these organizations. But with a lack of internal resources and knowledge, it is difficult to build a comprehensive cybersecurity approach that treats risk management as a central part of a cohesive security plan. So where to start?
According to a paper published by Carnegie Mellon University, "Risk management is the ongoing process of identifying, assessing, and responding to risk." To manage risk, organizations should assess the likelihood and potential impact of an event and then determine the best approach to deal with the associated risks.
A Four-Step Process
Identify Threats: The first step is to identify information security-related threats. The implementation of newer technologies in your environment can leave your infrastructure open to new and evolving threats. Determining vulnerabilities, risk levels, safeguards, and controls is the first step in building a risk management strategy.
Prioritize risk and impact: By analyzing your core business processes, you can then align those to the specific enabling technologies and prioritize areas that have a high impact. For instance, if your core business processes demand a high availability of cloud-based services, then all the hardware that's enabling users to access the cloud needs to be prioritized to make sure you have cybersecurity tactics protecting the performance of those services.
Mitigate Risks: The first step in mitigating risks is to determine what types of security controls to apply. Whether prevention, detection, monitoring, or controlling, every risk identified will need an actionable plan with a specific control to reduce uncertainty when an issue or threat is presented. However, it is important to understand that not all risks can be eliminated; the role of cybersecurity risk management is to address potential threats in a way that's effective and efficient, and that's aligned with business objectives.
Here are some examples in which SMBs are mitigating cybersecurity risks:
- Installing Network Access Controls with two-factor authentication
- Having an Automated Patch Management Plan
- Endpoint Security with Advanced Malware Protection (AMP)
- Limiting administrative rights
- Limits for older operating systems that aren't covered by the patch management plan
- Limiting devices with Internet access
Evaluate your readiness: Determine what policies and procedures you have in place to communicate risk management expectations, risk definitions, and guidance throughout the enterprise. The goal is to provide an action plan that's easy to execute and communicate to key players, so everyone understands the implications of cyber-threats and their own role in guaranteeing the execution of a cybersecurity risk management plan.
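To make the four steps concrete, here is a small risk register that walks through them in code. This is an added example, not code from the original article or from Tekscape; the 1-5 likelihood and impact scales, the level thresholds, and the sample risks are constructed assumptions chosen only for illustration, and a real register would use scales agreed with the business.

```python
# Added example, not from the original article: a minimal risk register that
# walks the four steps above (identify, prioritize, mitigate, evaluate
# readiness). The 1-5 scales, the level thresholds and the sample risks are
# constructed assumptions chosen for illustration.
from dataclasses import dataclass, field

# Qualitative scales (assumed): likelihood and impact are each rated 1-5.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Risk:
    threat: str                      # step 1: the identified threat
    business_process: str            # step 2: the core process it affects
    likelihood: str                  # key of LIKELIHOOD
    impact: str                      # key of IMPACT
    controls: list = field(default_factory=list)  # step 3: assigned controls

    @property
    def score(self) -> int:
        """Likelihood x impact, the usual qualitative risk-matrix score."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]


def risk_level(score: int) -> str:
    """Map a 1-25 score to a level. Thresholds are assumed, not prescribed."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def prioritize(register: list) -> list:
    """Step 2: highest-scoring risks first, so they receive controls first."""
    return sorted(register, key=lambda r: r.score, reverse=True)


def treatment(risk: Risk) -> str:
    """Step 3: decide how each risk is handled. Not every risk is eliminated;
    low risks are accepted and monitored rather than mitigated."""
    level = risk_level(risk.score)
    if level == "low":
        return "accept and monitor"
    if risk.controls:
        return "mitigate: verify assigned controls are operating"
    return "mitigate: no control assigned yet, needs an action plan"


def readiness_gaps(register: list) -> list:
    """Step 4: medium/high risks that still have no control assigned are the
    gaps the action plan must close."""
    return [r.threat for r in register
            if risk_level(r.score) != "low" and not r.controls]


# Constructed sample register for a small business (illustrative only).
SAMPLE_REGISTER = [
    Risk("Phishing email delivering malware", "Email and user workstations",
         "likely", "major",
         ["Advanced Malware Protection on endpoints",
          "Two-factor authentication",
          "Acceptable-use policy and user awareness training"]),
    Risk("Unpatched legacy OS exploited", "Internal file server",
         "possible", "severe"),
    Risk("Cloud service outage", "Customer-facing cloud application",
         "unlikely", "major", ["Redundant internet uplinks"]),
    Risk("Lost USB drive with non-sensitive data", "Field sales",
         "possible", "minor"),
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_REGISTER):
        print(f"{r.score:>2} {risk_level(r.score):<6} {r.threat}: {treatment(r)}")
    print("Readiness gaps:", readiness_gaps(SAMPLE_REGISTER))
```

Running it lists the risks from highest to lowest score and flags the unpatched legacy server as the one medium-or-high risk with no control yet, which is exactly the kind of gap the readiness step is meant to surface; the low-scoring USB risk is accepted rather than mitigated, reflecting the point above that not every risk is eliminated.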
Additional Considerations for Cybersecurity Risk Management
- Understand the human element: Regardless of the technologies you have in place to prevent a cyberattack, there's always a human element that can't be easily controlled. Evolving cyber threats rely on human interaction as the first point of entry to a larger-scale attack. An email with a malicious file, a website with a malicious link: they all rely on an end-user carelessly acting on it. This is where company policies play a huge role in creating a framework for acceptable use of the technology environment.
- IT Business Continuity Plan: As mentioned before, you can't eliminate all risks, so cybersecurity risk management must also be considered as part of the IT business continuity plan, to support critical missions during or after a disruptive cyber event. The key term here is resilience. According to Carnegie Mellon University, "Resilience is an emergent property of an entity to be able to continue to operate and perform its mission under operational stress and disruption. Many organizations use the CERT Resilience Management Model (CERT-RMM) to manage and improve their operational resilience. The model includes Risk Management as one of its 26 process areas."
- Cybersecurity Consulting: Many SMBs struggle to recruit or allocate resources towards a cybersecurity practice, and oftentimes their security plan will include a few firewalls, access controls and some sort of endpoint security. However, this doesn't begin to cover the myriad of vulnerabilities an organization might be facing in today's threat landscape. This is why finding a key cybersecurity consultant with the knowledge and skills to plan a comprehensive cybersecurity strategy, one that includes not only technologies but also policies and procedures, becomes of great importance.
As an IT managed service provider with more than 11 years of experience in the industry, Tekscape understands the role of cybersecurity and the key elements that need to be set in place to protect your business including developing a cybersecurity risk management plan. Our approach to managed services has also extended to our cybersecurity practice allowing us to tailor a cybersecurity strategy that works for your business needs. Let us show you how!