Cybersecurity Risk Management

The No. 1 risk to markets in 2019? It will surprise you. It's cybersecurity!

Cybersecurity should be a concern for organizations of all sizes, with fresh threats and data breaches making the news every few days. But as cybersecurity solution vendors and risk management consulting firms can attest, far too many companies still lag behind on implementing safeguards. In part, this is due to the fragmented nature of products and services available in the market. However, even with options available to solve cybersecurity challenges, businesses may not know where to start.

Large data breaches have become fairly common, and cybersecurity is at or near the top of most companies’ risk registers. New ransomware and malware variations continue to emerge, and phishing schemes are becoming ever more sophisticated. Regulators both domestically and internationally have responded with cybersecurity and data privacy regulations to prescribe “good behavior.”

While complying with regulators is a minimum standard and seen as a cost of doing business, the question companies are asking is “How do I know if we’re doing enough?” The truth is that regardless of how robust a cybersecurity program is, the risk remains, as the bad actor only has to be right once. While you can’t do anything to stifle the pipeline of bad actors, there are many steps a company can take to limit its exposure.

The two prime tenets of effective cybersecurity are risk assessment and governance. Risk assessment enables an organization to define its environment, evaluate the risks specific to its business and deploy limited resources efficiently. Governance speaks to the ability to establish a framework for effectively addressing these risks in a systemic way and meet the fiduciary obligations inherent with being entrusted with sensitive data, such as consumer nonpublic information.

Most enterprises have come to understand the importance of addressing internet security. The risks of a lack of cybersecurity are becoming more widely talked about. These risks include:

  • Compromising of private data. Companies today rely heavily on the data they collect, whether it’s market information, various account details or the personal information of customers. If a cyber hack occurs, not only is there a chance for this information to be stolen by another entity, but data could also be altered in a way that drastically damages the company’s operational reliability.
  • Costly recovery expenses. Not only does a breach in security put information at risk, but there are also potentially devastating financial repercussions. Most of these are in the form of “hidden” costs that can continue to impact your business for up to two years after the incident. Whether it’s in the form of new IT training, acquiring new software or the lengthy process of restoring lost data, the loss of both time and money can be devastating.
  • Weakened client trust. Naturally, customers don’t like hearing that their personal information has been compromised. After a cyber attack occurs to a company they originally trusted to keep their data safe, consumers may decide to discontinue their business and seek services elsewhere, tarnishing not only the reputation of the attacked company but also reducing its bottom line.

To prevent these losses, businesses need to pay special attention to what leads to online security incidents. Nearly 90% of all breaches are caused by a human-made mistake or behavior, and employee ignorance is one of the leading contributors, manifesting itself in a few different forms:

  • Widespread lack of understanding and training. It’s not only the IT department that can accidentally expose the company to online intruders. Many tech support employees are not cybersecurity experts, which should be addressed more extensively, but non-technical employees also carry the responsibility to behave wisely online. If the workforce has a generally limited knowledge of what threats look like, so that employees open emails carrying malware or connect to unsecured networks, even a well-prepared IT department can’t defend the company properly.
  • Lack of groundwork for new IT initiatives. New IT policies contribute to the lack of preparation for security incidents. For example, an organization implements new cloud computing initiatives or adopts new user controls without adequately building foundations and training employees effectively. This can lead to an absence of awareness, user errors and even the initial installation of software without ensuring the right security settings are in place, opening the company up to impending threats from the start.
  • Overwhelmed technical departments. Another critical factor in addressing cybersecurity is acknowledging that overworked IT departments will be less adequately prepared to tackle cyber attacks head-on.

The Types of Cybersecurity Threats That Businesses Face

  • Phishing. Cybercriminals will try to gain access to your secured network through different means, the most common of which is through phishing. By using social sites or email, these scammers will convince users to click on misleading links, provide sensitive information or company data, or even download content to their computer or server.
  • Malware. If a victim of phishing does end up initiating a download, there’s a good chance that the program received is harmful or malicious. A Trojan virus, for example, is a form of malware brought onto the network disguised as legitimate software, often carrying out its true purpose without the user knowing. Malware comes in various forms, tasked with anything from spying on the system to manipulating its code.
  • Distributed Denial of Service (DDoS). This is a type of attack that floods the server with requests from multiple sources, leading it to become overwhelmed to the point of slowing down substantially or even crashing. Once this occurs, the system becomes impossible to use effectively until these numerous interactions are canceled and blocked.
  • Brute Force or Password Attacks. These threats involve an attacker attempting to gain access to a network by using a program to ascertain a working password. They’re the primary reason it’s important not to use the same password across the board and why these login details need to be changed regularly.
  • Internet of Things (IoT) or Algorithm Manipulation. The more organizations rely on wearable tech, cloud-connected industrial devices and other IoT applications, the more vulnerable their data becomes. Similarly, as automation has led companies to trust their algorithms to interpret and apply their data, they may be susceptible to threats in the form of these systems and code being compromised without frequent monitoring and occasional human interaction.
  • Ransomware. This is a type of malware that, when opened, locks the system down and encrypts the device so that no one can use it anymore. Ransomware is one of the most sophisticated and damaging threats out there. The computer or server affected will remain locked until a hefty ransom is paid on its behalf, although some hackers are prone to not following through on the unlocking that they promise, causing the business to suffer even further.

Risk Assessment

The foundational component of an effective cybersecurity program is an entity’s risk assessment. This is the company’s opportunity to develop a program that is scalable, sustainable and customized to its specific circumstances. 

Now let’s look at the basic steps of a risk assessment.

1. Characterize the System (Process, Function, or Application)

Characterizing the system will help determine the viable threats. This should include (among other factors):

  1. What is it?
  2. What kind of data does it use?
  3. Who is the vendor?
  4. What are the internal and external interfaces that may be present?
  5. Who uses the system?
  6. What is the data flow?
  7. Where does the information go?

2. Identify Threats

Some basic threats will appear in every risk assessment; depending on the system, additional threats could be included. Common threat types include:

  1. Unauthorized access (malicious or accidental). This could be from a direct hacking attack / compromise, malware infection, or internal threat.
  2. Misuse of information (or privilege) by an authorized user. This could be the result of an unapproved use of data or changes made without approval.
  3. Data leakage or unintentional exposure of information. This includes permitting the use of unencrypted USB and / or CD-ROM without restriction; deficient paper retention and destruction practices; transmitting Non-Public Personal Information (NPPI) over unsecured channels; or accidentally sending sensitive information to the wrong recipient.
  4. Loss of data. This can be the result of poor replication and back-up processes.
  5. Disruption of service or productivity.

3. Determine Inherent Risk & Impact

This step is done without considering your control environment. Factoring in how you characterized the system, you determine the impact to your organization if the threat were exercised. Examples of impact ratings are:

  • High – Impact could be substantial.
  • Medium – Impact would be damaging, but recoverable, and / or is inconvenient.
  • Low – Impact would be minimal or non-existent.

4. Analyze the Control Environment

You typically need to look at several categories of information to adequately assess your control environment. Ultimately, you want to identify threat prevention, mitigation, detection, or compensating controls and their relationship to identified threats. A few examples include:

  • Organizational Risk Management Controls
  • User Provisioning Controls
  • Administration Controls
  • User Authentication Controls
  • Infrastructure Data Protection Controls
  • Data Center Physical & Environmental Security Controls
  • Continuity of Operations Controls

Control assessment categories may be defined as:

  • Satisfactory – Meets control objective criteria, policy, or regulatory requirement.
  • Satisfactory with Recommendations – Meets control objective criteria, policy, or regulatory requirement with observations for additional enhancements to existing policies, procedures, or documentation.
  • Needs Improvement – Partially meets control objective criteria, policy, or regulatory requirement.
  • Inadequate – Does not meet control objective criteria, policy, or regulatory requirement.

5. Determine a Likelihood Rating

Now, you need to determine the likelihood of the given exploit, taking into account the control environment that your organization has in place. Examples of likelihood ratings are:

  • High – The threat-source is highly motivated and sufficiently capable, and controls to prevent the vulnerability from being exercised are ineffective.
  • Medium – The threat-source is motivated and capable, but controls are in place that may impede successful exercise of the vulnerability.
  • Low – The threat-source lacks motivation or capability, or controls are in place to prevent, or at least significantly impede, the vulnerability from being exercised.

6. Calculate your Risk Rating

Even though there is a ton of information and work that goes into determining your risk rating, it all comes down to a simple equation:

Impact (if exploited) * Likelihood (of exploit in the assessed control environment) = Residual Risk Rating

Some examples of risk ratings are:

  • Severe – A significant and urgent threat to the organization exists and risk reduction remediation should be immediate.
  • Elevated – A viable threat to the organization exists, and risk reduction remediation should be completed in a reasonable period of time.
  • Low – Threats are normal and generally acceptable, but may still have some impact to the organization. Implementing additional security enhancements may provide further defense against potential or currently unforeseen threats.

Action steps to improve

Once the residual risk rating has been derived for each risk scenario, the company must analyze and interpret the results of the risk assessment. Specific questions to be asked are:

  • Did we overvalue the impact of internal controls (i.e., are we taking too much credit for controls)?
  • Are the results skewed, meaning:
      • Are there too many high-risk scenarios? This indicates that many significant risks remain. It may result in material risks not getting adequate attention, as resources must be allocated across a larger population of significant risks.
      • Are there too many low-risk scenarios? This indicates that all significant risks are treated as covered and the residual risk as nominal. It may result in material risks not getting adequate attention or resources, as perceived low risks may not receive budget priority or management sponsorship.
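To make steps 3 through 6 and the skew questions above concrete, here is an added example (not code from the original article) that scores a small risk register with the article’s Impact × Likelihood equation and then checks whether the resulting ratings cluster at one extreme. The numeric values behind the High/Medium/Low scales, the Severe/Elevated/Low cut-offs, the 50% skew threshold and the five sample scenarios are all assumptions constructed for this example; the article names the rating levels but assigns no numbers to them.

```python
from collections import Counter
from dataclasses import dataclass

# Ordinal scales for the article's impact and likelihood ratings.
# The numbers are an assumption for this example.
IMPACT = {"Low": 1, "Medium": 2, "High": 3}
LIKELIHOOD = {"Low": 1, "Medium": 2, "High": 3}


@dataclass
class Scenario:
    system: str       # step 1: the characterized system
    threat: str       # step 2: the threat being assessed
    impact: str       # step 3: inherent impact (Low/Medium/High)
    likelihood: str   # step 5: likelihood given the control environment


def residual_score(scenario):
    """Step 6: Impact * Likelihood, an integer from 1 to 9."""
    return IMPACT[scenario.impact] * LIKELIHOOD[scenario.likelihood]


def risk_rating(score):
    """Map the product onto the article's Severe/Elevated/Low labels.
    Cut-offs (6+ Severe, 3-5 Elevated, else Low) are an assumption."""
    if score >= 6:
        return "Severe"
    if score >= 3:
        return "Elevated"
    return "Low"


def assess(register):
    """Return (scenario, score, rating) triples, highest risk first,
    which is the order an action plan would address them in."""
    scored = [(s, residual_score(s), risk_rating(residual_score(s))) for s in register]
    return sorted(scored, key=lambda row: row[1], reverse=True)


def skew_check(ratings, threshold=0.5):
    """Flag a register in which more than `threshold` of the scenarios
    sit at one extreme, the 'too many high / too many low' question the
    article raises. The threshold value is an assumption."""
    if not ratings:
        return []
    counts = Counter(ratings)
    total = len(ratings)
    findings = []
    if counts["Severe"] / total > threshold:
        findings.append("too many high-risk scenarios")
    if counts["Low"] / total > threshold:
        findings.append("too many low-risk scenarios")
    return findings


# Constructed sample register; systems and ratings are invented.
SAMPLE_REGISTER = [
    Scenario("Customer portal", "Unauthorized access via credential attack", "High", "Medium"),
    Scenario("HR file share", "Data leakage via unencrypted USB", "Medium", "Medium"),
    Scenario("Marketing website", "Disruption of service (DDoS)", "Low", "High"),
    Scenario("Backup system", "Loss of data from poor replication", "High", "Low"),
    Scenario("Internal wiki", "Misuse of privilege by an authorized user", "Low", "Low"),
]

if __name__ == "__main__":
    results = assess(SAMPLE_REGISTER)
    for scenario, score, rating in results:
        print(f"{rating:9} {score}  {scenario.system}: {scenario.threat}")
    print("skew findings:", skew_check([r for _, _, r in results]) or "none")
```

Running the block lists the portal credential scenario first as Severe (3 × 2 = 6), three Elevated scenarios, and the wiki scenario as Low; with one Severe and one Low out of five, the skew check reports nothing. Feeding it a register that is mostly Low would trigger the second finding, which is the cue to revisit how much credit was taken for controls in step 5.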

Once the analysis is complete and any adjustments made, action plans must be drafted to address each critical and significant risk.

  • These action plans should include the specific actions to be completed, the action owner, the anticipated completion date and the required resources (direct cost and employee effort in hours).
  • The action plans should be aligned with the broader IT strategic plan to ensure alignment of resources and effort to maximize efficiency.

Additional concepts to consider

  • Risk is subjective, which makes input from multiple stakeholders, and the diversity of thought they bring to the process, all the more important. Stakeholder involvement is crucial in all phases of the risk assessment: the selection of risk factors to be used, the metrics by which the risk factors will be evaluated, the inherent/residual risk ratings, and the action plan stemming from the assessment.
  • Developing metrics for risk analysis is difficult. Risks may or may not distribute normally across a bell curve; a distribution skewed to the left or right may indicate that, on the whole, risks are either overstated or understated. While risk analysis can be supported with metrics and graphs, there is still a component of risk assessment that is based on “feel,” meaning a certain risk feels like it should be high or critical regardless of controls. This is where experience in conducting information-security risk assessments and knowledge of current events and trends are crucial.
  • Due to the level of subjectivity in risk, there is value in conducting an independent quality review of the risk assessment. An objective reviewer can challenge the risk ratings and impact of internal controls, and can help identify potential blind spots, missing risks, unsupported risk ratings and internal controls for which the impact is either overvalued or undervalued.

Concluding Remarks

Effective cybersecurity is an organizational effort. Done well, cybersecurity involves the:

  • Information technology group that builds, deploys and manages the enterprise systems
  • Information security team that protects the systems and monitors activity
  • Business units that own the customer relationships, the underlying systems and data
  • Executive management and the board that have the fiduciary duty to protect sensitive information
  • Legal and compliance group that is responsible for ensuring compliance with all applicable laws and regulations
  • Risk-management team that understands the risk assessment process and has access to the tools and templates to be deployed
