Risk management can't be a one-and-done activity. Many organizations make this mistake. They do a risk assessment and then they say, “All right, we've checked that box on our compliance checklist.” And then they don't think about it again and get back to day-to-day operations—but all day-to-day operations involve risk. Everything relies on ensuring the business can operate safely and effectively. Therefore, cyber risk management must be a continuous process.
It comes down to this: there’s always a risk because the threat landscape is evolving on a regular and rapid basis. Also, because operating environments and the network landscapes are morphing frequently and organizations are going from cloud to multi-devices and hybrid environments, risk exposure is constantly increasing with all these changes. For example, every time a new server or new device is added to the network, a new potential risk is also added. With threat exposure being so dynamic, organizations should always be measuring their risk.
This is how NIST (National Institute of Standards and Technology) recommends cyber risk assessments should be conducted within the risk management process:
Rinse and repeat. I think this is a good guiding light to keep in mind. Below are some additional tips to add context for managing cyber risk.
Cyber risk is defined as the "risk of financial loss, disruption, or damage to the reputation of an organization from some sort of failure of its information technology systems." To determine what risk is, a simple equation is used by tech professionals:
Threat x Vulnerability x Consequence = Cyber Risk.
This is a standard formula for determining risk, though some experts replace “consequence” with the word “impact.” Perhaps, the best word to use instead of “consequence” or “impact” in this equation is “damage.” So, when figuring out cyber risk, the team always needs to ask: “If the system/data is breached or becomes unavailable, how much damage will there be to our reputation or the bottom line?” Note: the type and extent of the damage can be different depending on the organization and its industry.
Another way of getting a complete and accurate picture of an organization’s cyber risk requires answering these three fundamental questions:
1. What types of threats are there, to be concerned about?
2. How vulnerable is the system or network to these threats?
3. What happens if threat attacks are successful?
Cyber risk assessments "are used to identify, estimate, and prioritize risk" to any organization’s operations, assets and individuals. The rationale for doing cyber risk assessments is that they can help organizations:
In many organizations, it’s assumed that responsibility for managing cyber risk just belongs to the IT and security teams, but this is incorrect. Cyber risk must be every employee’s responsibility. Risk should be managed—doing risk assessments and meeting compliance requirements—in totality of the organization’s overall risk, including physical risk and operational risk. Cyber risk management is a team sport.
To prepare for a risk assessment, identify the purpose of the assessment as well as the scope of the assessment. Then determine what assumptions are being made about the assessment as well as what constraints are associated with it. Next, the assessment groups need to pinpoint the sources of information to be used along with the risk model and analytic approaches to be used during the assessment.
There are eight questions that once they are answered will provide organizations with the guidance needed to successfully complete a thorough cyber risk assessment:
1. What are our organization's most important IT assets?
2. What data if compromised would have a major impact on our business whether from malware, cyberattack, or human error?
3. What are the relevant threats and the threat sources to our organization?
4. What are the internal and external vulnerabilities?
5. What is the potential damage if those vulnerabilities are exploited?
6. What is the likelihood of exploitation?
7. What cyberattacks, cyber threats, or security incidents could affect the ability of the business to function?
8. What is the level of risk the organization is comfortable taking?
Regarding question #8 about an organization’s comfort level with risk, it’s vitally important to have this discussed and documented because all board members and business leaders must accept some amount of risk. Often, the amount of risk organizations are willing to accept is based upon decisions made by the business owner or the CEO—not the organization’s cyber security leaders and experts. It’s important that all stakeholders are aware of this and exactly what the risk is.
When performing a risk assessment, there are six steps in the process:
1. Identify and prioritize assets.
2. Identify threats.
3. Identify vulnerabilities.
4. Identify and implement controls.
5. Prioritize risk.
There are several common pitfalls that could hinder or undermine an organization’s efforts to conduct an accurate cyber risk assessment. They include forgetting to address third-party risk and having tunnel vision regarding scope—focusing on one area versus looking at the bigger picture. Other possible errors are: assessing without having context, failing to assess regularly, not incorporating cyber risk into the organization’s overall risk, and relying solely on assessment tools—sometimes you need to go and actually talk to the humans.
It’s critical to determine who conducts a cyber risk assessment. Many organizations leverage their internal IT staff as the assessment requires IT staff with a deep understanding of how the digital and network infrastructures work. However, it’s important to have high-level executives and business owners that understand various information flows involved as well. Visibility across the organization is critical for a thorough cyber risk assessment. Some enterprises along with SMBs may want to hire third-party risk assessment specialists to assist them.