Cyber Risk Management, Simplified!

Cyber risk management is the process of identifying, analysing, evaluating and addressing cyber security threats and attacks through disciplined hygiene, resilience and response. A cyber-attack arises when a threat exploits a vulnerability in the digital assets of an unprepared entity (individuals, private or government enterprises), and can cause loss, theft or unavailability of data, financial impact, and loss of reputation and morale among stakeholders.

The World Economic Forum's 'Global Cybersecurity Outlook 2022' reports that each cyber security breach cost the affected organization $3.6 million in 2021, and that organizations need, on average, 280 days to identify and respond to a cyberattack. Building cyber resilience is a core focus of the World Economic Forum Centre for Cybersecurity, which bridges the gap between stakeholders (cybersecurity experts and policy-makers) to reinforce cybersecurity as a key strategic priority.

Steve Morgan, Editor-in-Chief of Cybercrime Magazine, says: "Cybersecurity Ventures expects global cybercrime costs to grow by 15 percent per year over the next five years, reaching $10.5 trillion USD annually by 2025, up from $3 trillion USD in 2015." This represents the greatest transfer of economic wealth in history, threatens the incentives for innovation and investment, is far larger than the damage inflicted by natural disasters in a year, and will be more profitable than the global trade of all major illegal drugs combined. A cyberattack could therefore disable an enterprise, the economy of a city, a state or even an entire country, and cyber operations are now used alongside conventional warfare, as we have witnessed recently.

Cyber risk arises from the combination of threats and vulnerabilities. A threat is a circumstance or event with the potential to cause unauthorized access to, or damage to, information technology systems, assets and environments, or to adversely affect operations; its sources include natural disasters, human error, hostile attackers, and failed or faulty configurations or code. The impact is the adverse effect of such an incident on information assets and on their confidentiality, integrity or availability. A vulnerability, on the other hand, is a weakness in an information system's infrastructure, software code or configuration, a lapse in security procedure, a failed internal control, or unvalidated input handling in an application, which an internal or external threat actor may exploit.

Types of Cyber Security Threats and associated Risks

A cyber threat is a potential malicious and deliberate action to damage, disrupt or steal digital assets, infrastructure (processing, storage or networking systems), classified information, intellectual property, or any other data whose exposure could cause loss or damage to persons, organizations or a nation; a cyber security incident is the realisation of such a threat. Awareness and a basic understanding of these threats help protect digital assets, intellectual property and business interests. While there are many types of cyber threats and new ones keep emerging, the following are the most common and prevalent today.

  • Malware and ransomware attacks are the most common type of cyberattack. Malicious software, including spyware, ransomware, viruses and worms, is installed on a target system; once inside the network or on user devices it can block access to critical operating system components, abuse access privileges, damage or alter system configuration, and steal or encrypt the victim's data. Ransomware then threatens to publish the data, or keeps it inaccessible, unless a ransom is paid.
  • Phishing: malicious emails that appear to come from legitimate sources trick users into clicking malicious links or executing code attached to the email, leading to malware installation or theft of sensitive information such as credit card details and login credentials, and in turn to data loss, fraudulent financial transactions, or identity theft.
  • Spear phishing is a more targeted form of phishing in which attackers go after specific privileged users such as system administrators, C-suite executives or high-net-worth individuals, tailoring the lure to the victim in order to obtain confidential information or credentials.
  • A Structured Query Language (SQL) injection attack supplies crafted input that the application concatenates into a database query, so that the attacker's text is executed as SQL rather than treated as a value. It opens access to sensitive information in the target database and can let the attacker remotely view, change, copy or delete the data stored there.
  • A zero-day attack exploits a newly discovered vulnerability in software or hardware before a patch or other fix is available and deployed.
  • Unprotected IoT devices, cloud resources and mobile phones can be breached to expand the attack surface. IoT devices in particular often lack robust security and data protection features, which puts them at the forefront of attacks that take control of devices for use in botnets or as a foothold from which to penetrate the network.
  • DNS attacks exploit the Domain Name System to divert visitors to malicious pages (DNS hijacking) or to exfiltrate data from compromised systems inside DNS queries and responses (DNS tunnelling). Denial of Service (DoS) attacks are a separate category: they flood systems, networks or servers with traffic, often generated from compromised systems or IoT devices, so that the target cannot serve legitimate requests and network bandwidth is exhausted.
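DNS tunnelling leaves a recognisable trace in resolver logs: one client sends a stream of long, high-entropy hostnames under a single domain, because the exfiltrated data has to be encoded into the query name. The following added example (not part of the original article) shows the kind of heuristic a SOC would run over query logs. The log lines are constructed for the example, the entropy and label-length thresholds are illustrative assumptions, and the "last two labels" definition of the registered domain stands in for a proper public suffix list.

```python
import math
from collections import defaultdict

# Constructed sample of resolver query logs, not real traffic: (client_ip, queried_name).
# 10.0.0.9 issues a burst of long, high-entropy labels under one domain, the shape that
# DNS tunnelling tools produce when they encode data into the hostname.
SAMPLE_QUERIES = [
    ("10.0.0.5", "www.example.com"),
    ("10.0.0.5", "mail.example.com"),
    ("10.0.0.5", "cdn.example.net"),
    ("10.0.0.9", "q7xk2m9vwz0a1b2c3d4e5f6g7h8i9j0k.tun.example.org"),
    ("10.0.0.9", "aa1bb2cc3dd4ee5ff6gg7hh8ii9jj0kk.tun.example.org"),
    ("10.0.0.9", "zz9yy8xx7ww6vv5uu4tt3ss2rr1qq0pp.tun.example.org"),
    ("10.0.0.9", "mn4op5qr6st7uv8wx9yz0ab1cd2ef3gh.tun.example.org"),
    ("10.0.0.9", "login.example.com"),
]


def shannon_entropy(text):
    """Bits of entropy per character; encoded or compressed data scores high, words score low."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(name):
    """Return (subdomain labels, registered domain). Assumption: the registered domain is
    the last two labels; a real deployment would consult the public suffix list instead."""
    labels = name.rstrip(".").lower().split(".")
    if len(labels) < 2:
        return [], name.lower()
    return labels[:-2], ".".join(labels[-2:])


def suspicious_reasons(name, max_label_len=30, entropy_threshold=3.5):
    """Heuristics for a single query. Thresholds are illustrative assumptions; tune them on your own data."""
    sub_labels, _ = split_name(name)
    reasons = []
    longest = max((len(label) for label in sub_labels), default=0)
    if longest > max_label_len:
        reasons.append(f"label length {longest} exceeds {max_label_len}")
    entropy = shannon_entropy("".join(sub_labels))
    if entropy > entropy_threshold:
        reasons.append(f"subdomain entropy {entropy:.2f} exceeds {entropy_threshold}")
    return reasons


def find_tunnelling_candidates(queries, min_hits=3):
    """Group suspicious queries by (client, registered domain). A single odd name is noise;
    a sustained stream of them to one domain is the tunnelling signature."""
    hits = defaultdict(list)
    for client, name in queries:
        reasons = suspicious_reasons(name)
        if reasons:
            _, domain = split_name(name)
            hits[(client, domain)].append((name, reasons))
    return {key: val for key, val in hits.items() if len(val) >= min_hits}


if __name__ == "__main__":
    for (client, domain), evidence in find_tunnelling_candidates(SAMPLE_QUERIES).items():
        print(f"{client} -> {domain}: {len(evidence)} suspicious queries")
        for name, reasons in evidence:
            print("   ", name, "|", "; ".join(reasons))
```

Run against the constructed log, only the 10.0.0.9 traffic to example.org is reported; the ordinary names from both clients fall under both thresholds. In production the same grouping is usually combined with query volume per minute and the ratio of NXDOMAIN or TXT responses, since legitimate CDN and anti-spam lookups can also produce long labels.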

As cybercriminals continue to adopt new technologies and innovate in their attack strategies, we must keep our response and approach under review, use appropriate tools and techniques to counter these attacks, strengthen our cybersecurity frameworks, and adopt best practices that prepare us for such threats and ensure business continuity and information security for our stakeholders.

Cyber Risk Analysis – Approach & Strategy

One cannot manage what is not monitored, analysed and tracked, and the same principle applies to cyber risk analysis: there is no silver bullet. The approach and strategy for cyber risk management should always be aligned to the organization's general risk management framework. The process is driven with the help of cybersecurity risk management experts, who identify the essential risks and design a plan to face them, informed by an assessment of the attack surface, the potential impact of technologies and regulations, and the risk appetite of the organization. A few key aspects shape the approach and the general methods of risk management:

  • Quantitative or qualitative methods: stakeholders may differ on the relative risk values that quantitative and qualitative analysis produce. Where reliable data or historical incident records are available, some information security or risk management professionals recommend fully quantitative analysis; in practice it is most useful in narrowly defined situations, and qualitative analysis fills the rest. Another approach is to look at selected 'high risk' areas across similar industries or domains and perform a relative risk analysis.
  • Scope: stakeholders should keep the statement of applicability broad enough to manage information and business risks together, since information risks can greatly affect the business; information assets and the business drivers they support must be identified and correlated within the scope. Business agility and purpose must not be lost over the life cycle of risk management, and every change of scope must go through change management, with an impact assessment against the KPIs and their continued relevance.
  • Maintainability and support: ideally we would use ever more sophisticated tools and techniques for risk analysis, whereas some stakeholders are more at ease with procedural home-grown or generic tools such as spreadsheets or Kanban boards. Over time this mix can introduce complexity and demand more technical expertise to update, reconfigure and maintain; flexibility and usability should remain key design goals of the overall risk analysis strategy so that its effectiveness and efficiency are preserved.
  • Value: the ultimate benefit to the organisation from the initiative, offset by the costs of acquiring, using and maintaining the tools and techniques. The up-front cost of tools is only one factor; the value judgement and final decision rest on the evaluation, upskilling and governance of the process. Over time, assumptions and objectives must be revisited to stay aligned with changes in the external and internal environment, new technologies and statutes, and the organisation may adopt several methods in parallel to ensure compliance and constancy of purpose.

Risk Management Frameworks

Cyber risk management is best aligned to a recognised security framework that supports compliance with published and practised standards (such as NIST, CIS and the ISO 27000 series) and provides a set of best practices for managing cyber risk in line with regulations, applicable statutes and governing laws.

  • The NIST Cybersecurity Framework (CSF) provides a set of best practices that standardise risk management and maps activities and outcomes to the core functions of cybersecurity risk management: identify, protect, detect, respond and recover.
  • ISO/IEC 27001 is a certifiable standard for an information security management system (ISMS), with defined requirements and evaluation criteria for systematically assessing and managing the risks posed by information systems.
  • The Factor Analysis of Information Risk (FAIR) framework helps enterprises understand, measure, analyse and report on information risk from a business perspective, expressing risk in quantitative, financial terms so that it can be managed systematically.
  • The Center for Internet Security (CIS) is a trusted global resource for cyber threat prevention, protection, response and recovery. CIS RAM (Risk Assessment Method) is an information security risk assessment method that helps organizations implement and assess their security posture against the CIS Critical Security Controls (CIS Controls).


Cyber risk management naturally aligns with general risk management and adds more specialised techniques for cyber risks. Key benefits can be inherited simply by adopting an established risk management standard rather than reinventing the wheel. The risk management frameworks help us in:

  • Identification: the most important component is to identify the risks the organization may face. This involves listing all potential risks (legal, operational and strategic, among others) and categorising them by importance and level of risk into core and non-core risks. Risks that could affect an organization's ability to operate, perform and achieve long-term growth are core risks and must be prioritised for resource allocation such as budget, manpower and timeline.
  • Measurement/Assessment: the next step is to analyse the potential threats and vulnerabilities to your information systems and establish what loss you might expect if certain events happen, with the objective of achieving optimal security at a reasonable cost. When measuring a specific risk exposure, consider its effect on the organization's overall risk profile. Some risks are easier to measure than others, but taking the time to get this component right is critical to the success of the framework. Quantitative assessment expresses risk in monetary values, typically as the expected loss from a single incident multiplied by the expected number of incidents per year; qualitative assessment is judgement-based, categorising risks by probability and impact on a rating scale such as low, medium or high.
  • Mitigation (treatment): after risks are identified and assessed, decide how best to handle them. Ideally stakeholders will eliminate these risks or reduce them as far as practical. The four risk treatment strategies are avoidance, transfer, acceptance and limitation.

  1. Avoid: risks with a high probability of occurring and a high impact, in terms of both financial loss and severe damage to business objectives, should be avoided, typically by not undertaking the activity that gives rise to them.
  2. Transfer: risks with a low probability of occurring but a large financial impact may be shared or transferred, e.g. by purchasing insurance, forming a partnership or outsourcing; some organizations also build reserves ('war chests') to fund the residual exposure of identified core risks.
  3. Accept: for some risks the expense of mitigation exceeds the cost of tolerating the risk. Such risks should be accepted and carefully monitored so that their impact stays within the agreed appetite.
  4. Limit: the most common strategy is risk limitation, where stakeholders take appropriate action to address a perceived risk and control the exposure. Risk limitation usually combines some acceptance and some avoidance to bring the impact down to acceptable levels.

  • Reporting/Monitoring: monitoring risks and dealing with them appropriately is the essence of risk management, so it is not enough simply to implement a framework. All risks must be continually monitored and backed by contingency plans so that a risk that materialises is contained. Stakeholders rely on regular risk reviews to keep operations optimal, modifying the risk management plan as needed and pinpointing weaknesses in tools, procedures and skills at each review. Risk management is a continual work in progress that evolves over time and is never a finished task.
  • Governance: the final step in completing a risk management framework is risk governance, alongside the continuous monitoring described above. Governance ensures that all stakeholders continue to perform their duties and stay aligned to the objectives and agreed scope of the framework. It sets out which roles each party holds, who has authority, and which boards and committees must approve before a core risk can be accepted. If governance fails, or stakeholders do not perform the functions needed to eliminate or minimise risks, the organization may ultimately suffer severe damage or financial exposure.
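To make the Measurement/Assessment and Mitigation steps above concrete, here is an added worked example (not part of the original article) that puts a small risk register through the quantitative formulas, maps the same inputs onto a qualitative low/medium/high scale, ranks the register by expected annual loss, and applies the "limit or accept" test: implement a control when it removes more expected loss per year than it costs. The risk values, control costs and band boundaries are constructed for illustration and are not from any real assessment.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Risk:
    """One identified risk in quantitative terms. Values are constructed for this example."""
    name: str
    asset_value: float      # value exposed if the asset is lost or compromised (currency units)
    exposure_factor: float  # fraction of asset_value lost in a single incident, 0.0 to 1.0
    aro: float              # annualised rate of occurrence: expected incidents per year

    def sle(self):
        """Single loss expectancy: expected cost of one incident."""
        return self.asset_value * self.exposure_factor

    def ale(self):
        """Annualised loss expectancy: expected cost per year = SLE x ARO."""
        return self.sle() * self.aro


def qualitative_rating(risk):
    """Map the same inputs onto a 3x3 likelihood/impact matrix. Band boundaries are assumptions."""
    likelihood = 1 if risk.aro < 0.1 else 2 if risk.aro < 1.0 else 3
    impact = 1 if risk.sle() < 10_000 else 2 if risk.sle() < 100_000 else 3
    score = likelihood * impact
    return "low" if score <= 2 else "medium" if score <= 4 else "high"


def rank_by_ale(risks):
    """Core risks first: highest expected annual loss at the top."""
    return [r.name for r in sorted(risks, key=lambda r: r.ale(), reverse=True)]


def treatment_decision(risk, control_cost, residual_ef=None, residual_aro=None):
    """Limit the risk if the control removes more expected loss than it costs per year,
    otherwise accept it (the 'Accept' case above). Returns (decision, net annual benefit)."""
    residual = replace(
        risk,
        exposure_factor=risk.exposure_factor if residual_ef is None else residual_ef,
        aro=risk.aro if residual_aro is None else residual_aro,
    )
    reduction = risk.ale() - residual.ale()
    net = reduction - control_cost
    return ("limit" if net > 0 else "accept"), net


# Constructed register of three risks.
RANSOMWARE = Risk("ransomware on file server", asset_value=500_000, exposure_factor=0.4, aro=0.5)
LAPTOP_THEFT = Risk("unencrypted laptop theft", asset_value=3_000, exposure_factor=1.0, aro=2.0)
DEFACEMENT = Risk("web site defacement", asset_value=60_000, exposure_factor=0.2, aro=0.2)
REGISTER = [DEFACEMENT, LAPTOP_THEFT, RANSOMWARE]

if __name__ == "__main__":
    for risk in REGISTER:
        print(f"{risk.name}: SLE {risk.sle():,.0f}  ALE {risk.ale():,.0f}  rating {qualitative_rating(risk)}")
    print("priority order:", rank_by_ale(REGISTER))
    # Offline backups plus endpoint detection at 30,000/year, assumed to cut ARO from 0.5 to 0.1
    print("ransomware control:", treatment_decision(RANSOMWARE, 30_000, residual_aro=0.1))
    # Full-disk encryption at 1,000/year, assumed to cut the exposure factor from 1.0 to 0.1
    print("laptop control:    ", treatment_decision(LAPTOP_THEFT, 1_000, residual_ef=0.1))
    # Web application firewall at 5,000/year, assumed to cut ARO from 0.2 to 0.05
    print("defacement control:", treatment_decision(DEFACEMENT, 5_000, residual_aro=0.05))
```

The two scales do not always agree: laptop theft and defacement both rate "medium" qualitatively, yet their expected annual losses differ by more than a factor of two, which is exactly the information a budget decision needs and why FAIR-style quantification is worth the extra data collection for core risks. Note also that the ARO and exposure-factor reductions attributed to a control are estimates and should be reviewed at each monitoring cycle.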

Prevention is better than cure

The focus will always be on the core cyber risks and on deciding how many of them to retain and how to respond when they materialise. Each decision on a risk shapes the risk management procedure that follows and encourages business stakeholders to re-evaluate their process and posture. As proactive, preventive measures, organizations can adopt best practices such as:

  • Build an effective Cyber Security Incident Response Plan (CSIRP) that prepares the business for the inevitable, supports the response to emerging threats, and enables quick recovery from an attack. A robust and regularly tested business continuity and disaster recovery plan is essential for organizational survival.
  • Back up your data regularly, as an ongoing and consistent activity, to reduce the risk of data loss or unavailability, and keep the security posture current by hardening systems, networks and their configurations and by applying software patches promptly.
  • Establish proper access management and control to secure the perimeter of your information systems, source code and infrastructure; prevention is better than cure.
  • Employee training and awareness: employees are the first line of defence against cyber threats, so every organization must run comprehensive cybersecurity awareness programmes that train staff in standard operating procedures, reduce human error, and teach them to recognise and respond to cyber threats.
  • Secure coding practices: in software engineering and design, secure coding practices protect against vulnerabilities. Teams should adopt best practices guided by the principles of information security, covering a few key tenets:

  1. Empower developers to secure code as it is written: develop or adopt a secure coding standard for the target language and platform. Base access decisions on explicit permission rather than exclusion (default deny), and run every process with the least set of privileges needed to complete its task. Use threat modelling to anticipate the threats the software will face, and test against them before each release.
  2. Run the right test at the right time and to the right depth for code review and system hardening; keep the design as simple and small as possible, and align remediation effort with business risk. Validate input from all untrusted data sources: stringent input validation eliminates a large share of software vulnerabilities by design. Treat command line arguments, API endpoints, network interfaces, environment variables and user-controlled files as untrusted, and prefer allow-lists of what is expected over block-lists of what is known to be bad.
  3. Good quality assurance techniques are effective at identifying and eliminating vulnerabilities. Fuzz testing, penetration testing and source code audits should all be part of the quality assurance programme. A product that succeeds in these areas turns software security from a productivity inhibitor into a business enabler and a competitive differentiator.
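The SQL injection bullet in the threats section and the input validation tenet above describe the same defect and its fix from two sides. The following added example (not part of the original article) shows both on a small in-memory SQLite database with constructed sample rows: the vulnerable string-built query, the parameterised query that closes the hole, and an allow-list validator applied at the trust boundary before the query runs. The username format is an assumption made for the example.

```python
import re
import sqlite3


def build_demo_db():
    """In-memory database with constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "hash-a", "admin"), ("bob", "hash-b", "user")],
    )
    return conn


def lookup_user_vulnerable(conn, username):
    """The flaw the SQL injection bullet describes: untrusted text is spliced into the query,
    so the attacker's characters are parsed as SQL, not treated as a value."""
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_user_parameterised(conn, username):
    """Fix: the driver sends the value separately from the statement, so quotes inside the
    value can never change the query's structure."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


# Allow-list of what a username may look like (an assumption for this example).
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")


def validate_username(value):
    """Input validation at the trust boundary: reject anything outside the expected shape
    before it reaches any query, file path or shell command."""
    if not isinstance(value, str) or USERNAME_RE.fullmatch(value) is None:
        raise ValueError("invalid username")
    return value


def lookup_user_hardened(conn, username):
    """Defence in depth: validate first, and still use the parameterised query."""
    return lookup_user_parameterised(conn, validate_username(username))


if __name__ == "__main__":
    db = build_demo_db()
    payload = "' OR '1'='1"  # classic tautology that makes the WHERE clause always true
    print("vulnerable:   ", lookup_user_vulnerable(db, payload))     # every row leaks
    print("parameterised:", lookup_user_parameterised(db, payload))  # no such user: []
    try:
        lookup_user_hardened(db, payload)
    except ValueError as exc:
        print("hardened:      rejected before the query ran:", exc)
```

The parameterised query alone stops the injection; the validator adds a second, independent layer and also protects any other sink the same value later reaches (log lines, file names, shell arguments). Validation is never a substitute for parameterisation, because a legitimate value such as O'Brien must still be handled safely.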

  • Maintain compliance with the data regulations that apply to your industry and geography, and deploy the tools and technologies needed to demonstrate conformance to statutes and regulations. Stakeholders must regularly review the ISMS policies and conformance to data protection laws, agree on the remediation of potential threats to information, intellectual property and other assets, and mobilise the resources required to manage the risks effectively.

In summary, cybersecurity remains a key focus area for any digital business: as reliance on digital technologies grows, cyber-attacks have become increasingly sophisticated. It is no longer only a matter of protecting data and information from external threats, but also of keeping data and infrastructure robust and minimising the attack surface available for exploitation. Information technology itself can help us refine our risk mitigation and management strategies by improving our ability to identify, evaluate and monitor risks, to forecast events with greater accuracy, and to react in time. With this flexible, practical and proactive approach to cyber risk management we can aim to counter a constantly evolving threat landscape effectively.


***

Mar 2022. Compilation from various publicly available internet sources, authors views are personal.

#cyberrisk #riskmanagement #malware #hacking #NIST #CIS #FAIR #ISO27K #informationsecurity #cyberattacks #GDPR



