Cyber Security Risk

What is Cybersecurity Risk?

Protecting the organization against cyber security threats can seem endless, but understanding cyber security risk can help prioritize your efforts. Cyber security is concerned with preventing attacks; cyber security risk is concerned with identifying and managing the possibility that an attack will occur. Cyber security risk is the probability that harm or loss will occur as the result of a cyber-attack. Cyber security and risk can be managed together to protect the organization.

Common Cybersecurity Risks

A risk management program will understand and address cyber security risks for businesses, evaluating both the likelihood of an attack and the level of loss if, or when, that attack occurs. In this way, cyber security risk components are evaluated and prioritized so that the organization can address them.


At a high level, there are several cyber security risks businesses should consider:

  • Unfriendly governments can launch external threats or cyber espionage in an attack vector known as cyber-terrorism, and governments will work to protect against this risk. The commercial equivalent is the theft of intellectual property or personal data stored by the organization.
  • Internal threats are caused by staff not understanding cyber security and downloading software with malicious code or falling prey to phishing attacks. They can also be as simple as leaving back doors in software and databases by not changing out-of-the-box default passwords.
  • Developers may leave unintentional loopholes in software and databases, making it easy to gain access. While some may be internal developers working on custom code, it’s also possible to purchase poorly secured applications.
  • Poor configuration of commercial products and infrastructure is also at fault for many breaches. For example, certain firewall ports are known points of entry if not properly secured and monitored.
  • Vendor or service provider threats can be introduced when purchasing cloud services or SaaS solutions if the vendor doesn’t take proper care to secure their data centre or software.
  • Compliance violations can occur if data isn’t properly protected according to regulations like GDPR and HIPAA. These generally occur because the cyber security team does not take time to educate employees and protect data appropriately.

These sources of risk can open the door, enabling cyber criminals to introduce malicious software, like viruses, trojan horses and ransomware, or to mount phishing attempts and denial of service attacks. If these result in data loss that must be disclosed, they can cause loss of reputation and business or, in the worst cases, high fines for lack of compliance. Cyber security and risk programs should consider these risks as well as the risk of losing access to critical systems through ransomware attacks, damage or lost data, or of critical systems becoming unstable or failing completely.

In addition to understanding the sources of attack, cyber security and risk management programs should consider the threats themselves and the likelihood of those threats being used in the organization.

Who Should Own Cyber Security Risk in My Organization?

Organization leadership defines the ownership of risk for the organization, and cyber security risk governance is no exception.

There are two common owners: the CISO or the GRC function.

  • The CISO is the Chief Information Security Officer for the organization and is responsible for setting and managing the information security vision and policies for the organization, including cyber security risk.
  • The GRC (Governance, Risk and Compliance) function often has oversight of all areas of risk management, organization-wide.

If an organization doesn’t have a dedicated GRC function or CISO, it should consider recruiting an executive board member with a cyber security background and establishing a board-level committee to fulfill this area of responsibility.


While the CISO or cyber security manager can be engaged in cyber security risk analysis efforts and mitigation planning, it is important that a broader body holds the person in that role accountable for the success of the program. The CISO or a lower-level cyber security manager needs to maintain a cyber security risk analysis and have a program to address the results by mitigating critical risks. Without accountability, the person in the role may or may not perform these tasks adequately.

Regardless of who owns the function of cyber security and risk management, it needs to be understood that everyone in the organization owns cyber security risk. As most attack vectors use social engineering to get users to take actions that can unleash malicious code, every computer user must understand cyber security risk and their role in preventing cyber-attacks. In a similar way, everyone in IT needs to take a level of ownership, understanding the cyber security practices and ensuring they follow them to avoid exposing the organization unnecessarily.

Impact of Cybersecurity Risk

The extremely fast growth of digital technologies as a means of driving value to the organization, combined with the increased profit enjoyed by cybercriminals, continues to drive increased risk from cyber-attack. This keeps CIOs awake at night, wondering if their organization is next. While the direct financial cost of a cyber-attack may be high, it’s not the only cost: loss of customer trust and reputation, and the time needed to recover, may be a greater loss.

When the cyber security risk governance program is ineffective, system unavailability and data loss are the organization’s two largest risks.

Data loss can be an expensive problem: in many countries, particularly where GDPR is in place, companies must report breaches that result in theft of personal identifying and/or credit card information. Not only does this negatively impact their reputation, but a complaint by a victim of the breach can also lead to heavy fines. Additionally, the company may be required to pay for identity theft protection services for all impacted customers, another significant cost.

System unavailability and data loss due to ransomware attacks are also a large risk. Given the high ransoms cybercriminals collect through this activity, it has a high probability and high impact, placing it high on the risk register. Many companies have refused to pay the ransom and taken weeks or months to recover availability. Some never recover all their data completely.

Understanding the potential impact to the organization is part of an effective cyber risk governance program. The program will also consider the impact and likelihood of a cyber attack for each environment so that those with the highest impact can be protected first.

That effort might look something like the matrix below:

| Risk | Likelihood | Impact |
| --- | --- | --- |
| Theft of personal identifying information from our customer sales website | High: PII is attractive to cybercriminals due to its high resale value | High: financial and reputation loss, the potential of large fines |
| Denial of service attack on the customer sales website | Medium: could be done by dissatisfied employees or customers | High: performance and unavailability |
| Ransomware attack on operations | High: high ransoms collected | High: failover systems may be impacted as well |
| Theft of employee information | Medium: encryption makes data unusable if stolen | Low: due to encryption and ability to manage employee opinion |

Even if the data looks different from this broad example, the most important part of this exercise is to understand the impact of cyber-attack on each system within the organization. Teams can look at general impacts in the industry, but the impact of an IoT device breach at a power plant is huge compared to a similar breach in a warehouse assembling orders.

Managing Cyber Risk

The CISO or other cyber security manager should then ensure common cyber security risk management activities are performed:

  • Developing cyber security and risk management policies and ensuring procedures and testing are in place to support them.
  • Arranging penetration testing by an external party to ensure infrastructure is appropriately secured. This testing can reveal weaknesses missed by the organization.
  • Developing and delivering end-user training programs, as well as user testing to ensure they are effective.
  • Ensuring teams document safe configurations for the infrastructure and/or applications they support and house these in a secure location where staff can access them during device or application configuration.
  • Implementing intrusion detection and monitoring systems and practices.
  • Implementing and configuring vulnerability management applications and programs to ensure new threats are addressed.
  • Developing data privacy and cyber security prevention programs that direct decisions concerning storing personal information, data encryption and retention periods.

These common activities need to be developed into an overarching program that starts with performing a complete cyber security risk assessment. Once the likelihood and impact of each potential threat are identified, the organization needs to create a roadmap for mitigating each of them. This mitigation program includes implementing and configuring the cyber security tools needed:

Intrusion Detection and Monitoring Systems

Intrusion detection and monitoring systems can be configured to recognize patterns of activity that indicate an attack is in progress. These applications should be integrated into service management software to enable the automated opening of a security incident and alerting of the responsible teams. These tools should be combined with playbooks that enable the NOC (network operations centre) staff to react quickly when a security incident is opened.

Email Scanning

Email scanning and management systems can search for and remove emails containing known phishing attacks from inboxes before users can open them.

Vulnerability Management Systems

Vulnerability management systems scan the enterprise and identify known vulnerabilities based on the NIST cyber security threat database. When integrated with service management tools, these systems can use the CMDB to open prioritized remediation tasks depending on the risk to the environment.

Given the volume of work vulnerability management entails, the CISO or cyber security manager needs to ensure funding and staffing are available to address known threats, and this is where the cyber security risk assessment can help. By understanding the risk to critical business systems, the organization can determine where to put its efforts, first dealing with the most likely and damaging threats. Cyber security risk assessments may also identify risks of low likelihood and impact, and the organization may choose to have the cyber security owner sign off on accepting these risks rather than mitigating them. This often occurs with legacy applications and systems that are difficult to secure and in low enough use that cybercriminals don’t frequently attack them.
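The following is an added example, not part of the original article, showing how the likelihood/impact matrix above can be turned into a prioritized mitigation roadmap with a formal acceptance decision for low-rated risks. The register entries are taken from the page's matrix; the 1..3 ordinal scale and the acceptance threshold are assumptions for illustration, not values the page prescribes.

```python
from dataclasses import dataclass

# Assumed ordinal scale for the Low / Medium / High ratings used in the matrix.
LEVEL = {"Low": 1, "Medium": 2, "High": 3}

# Assumed policy threshold (not from the page): a risk scoring at or below this
# value may be formally accepted by the cyber security risk owner instead of
# mitigated. With a 1..3 scale, 2 covers Low/Low, Low/Medium and Medium/Low.
ACCEPT_SCORE = 2


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: str  # "Low" | "Medium" | "High"
    impact: str      # "Low" | "Medium" | "High"
    rationale: str = ""

    def __post_init__(self):
        # Reject ratings outside the scale so a typo cannot silently drop a risk.
        for rating in (self.likelihood, self.impact):
            if rating not in LEVEL:
                raise ValueError(f"{self.name!r}: unknown rating {rating!r}")

    def score(self) -> int:
        """Risk score = likelihood x impact on the ordinal scale (1..9)."""
        return LEVEL[self.likelihood] * LEVEL[self.impact]


# Register constructed from the matrix on this page.
REGISTER = [
    Risk("Theft of PII from customer sales website", "High", "High",
         "PII has high resale value; financial, reputation and fine exposure"),
    Risk("Denial of service on customer sales website", "Medium", "High",
         "Dissatisfied employees or customers; performance and unavailability"),
    Risk("Ransomware attack on operations", "High", "High",
         "High ransoms collected; failover systems may be impacted too"),
    Risk("Theft of employee information", "Medium", "Low",
         "Encryption makes stolen data unusable"),
]


def triage(register):
    """Split a register into (roadmap, accepted).

    roadmap: risks above ACCEPT_SCORE, most severe first (score, then impact),
             i.e. the order in which mitigation effort should be spent.
    accepted: risks the owner may sign off on accepting rather than mitigating.
    """
    roadmap = [r for r in register if r.score() > ACCEPT_SCORE]
    accepted = [r for r in register if r.score() <= ACCEPT_SCORE]
    roadmap.sort(key=lambda r: (-r.score(), -LEVEL[r.impact], r.name))
    return roadmap, accepted
```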

Cyber security and risk levels vary from organization to organization, and the cyber security risk management program of the organization should take this into account, developing a program that works for their organization and managing cyber security according to their risk profile.

CG Technologies have helped many organizations with their business continuity and security risk management plans. They offer a range of services to protect your business data and IT infrastructure from cyber attacks. Find out more.

Leave IT to us

With over 25 years of experience delivering exceptional services to hundreds of companies in the Greater Toronto Area (GTA), CG Technologies are confident we can deliver the same benefits to your organization – keeping you secure, delivering reliable and trusted IT solutions and expertise. Our industry-leading strategic IT consulting and IT solutions will allow you to focus on what matters most – your business.