Simplifying Enterprise Cyber Risk Management

Oshamndubisi
5 min read · Nov 30, 2023


Leaving your home is risky because anything can happen on your way to your destination. Staying at home is also risky: you could slip, fall or sustain an injury.

How about making investment decisions? This is where the understanding of risk comes alive for most of us because it’s our money.

Clearly, you can see why Risk Management is a non-negotiable skill every human being needs to possess. Life is risky!

Now, let’s stretch the conversation a bit further into the organizational scenario.

Risk Management is a significant concept in the world of businesses and organizations. Why? Because organizations face risks every day.

This article zooms in on how businesses can manage information security risks, also called cyber security risks. Examples of information security risks range from data breaches, physical security threats, insider threats and social engineering attacks to ransomware attacks.

Let’s take a pause here to define what we mean by Information Security Risks.

Information Security Risks: The detrimental impact of a potential exploitation of vulnerabilities (weaknesses or gaps) in organizational assets (information, information systems) by threats (internal or external threats).

I like this definition because it clearly depicts the relationship between vulnerabilities, assets and threats in a security risk conversation.

Here’s an explanation of the terms highlighted in the Information Security Risks definition above.

  • Threats are external or internal factors that can exploit vulnerabilities in an organization’s assets. Examples include cyber attackers, natural disasters, human error, and malicious insiders.
  • Vulnerabilities are weaknesses in an organization’s assets that can be exploited by threats. They can include software flaws, misconfigurations, and weak access controls that could lead to unauthorized access, use, disclosure, disruption, modification or destruction of information or information systems.
  • Assets are anything of value that is owned by the organization. They can include physical/tangible assets like information systems or logical/intangible assets like intellectual property.

Now that we have defined these important terminologies, we can move on to discussing the steps organizations can take to manage information security risks.

Step One:

Risk Identification:

Risk identification is the ongoing and recurring process of identifying potential threats and vulnerabilities that could harm an organization’s assets.

Some methods of risk identification include: interviewing stakeholders to gain insight into potential risks from their perspective, reviewing historical data on past security incidents to identify patterns and trends, and using checklists of known threats and vulnerabilities to identify potential risks in an organization’s environment.

Step Two:

Risk Assessment:

Not all risks are created equal, hence the need to assess risks after identifying them.

The process of risk assessment involves estimating and prioritizing the risks based on the likelihood of occurrence of the risk event and the impact or consequence of the risk event occurrence.

This is where we introduce Risk Assessment Matrix — one of the ways of assessing risks in organizations.

“A Risk Assessment Matrix is a visual representation of potential risks affecting a business. It is based on two intersecting factors: the likelihood the risk event will occur and the potential impact the risk event will have.”

Source: auditboard.com

Figure: Risk Assessment Matrix (likelihood versus impact)

After assessing the risks with the matrix, prioritization can occur: risks with low impact and low likelihood are low-risk threats, while risks with high impact and high likelihood are high-risk threats.

High-risk threats should be addressed immediately, while low-risk threats can be addressed later.

Please note that the results of any risk identification and assessment will only be valuable in driving decision-making for the organization if they are situated within the context of the organization’s goals, objectives and mission.

Here’s a use case scenario to understand how this contextualization works: Company A is a leading pharmaceutical company whose core mission is to discover, develop, and deliver innovative medicines that improve the lives of patients worldwide.

Examples of identified risks that should be assigned the “high-risk threat” descriptor during prioritization are risks that could disrupt drug development, compromise patient data, or erode trust in the company.

Such a risk is high-risk because it impedes the fulfilment of the company’s core mission. They can’t improve the lives of patients worldwide if they lose the trust of the patients they are seeking to help because of a data breach.
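To make the assessment step concrete, here is an added example (not from the original article) of a small risk register scored against a 5×5 likelihood-by-impact matrix, with the Company A contextualization rule applied: any risk that impedes the core mission is rated at maximum impact. The rating scales, band thresholds and register entries are all assumed or constructed for illustration.

```python
from dataclasses import dataclass

# Assumed 1-5 qualitative scales for the two axes of the matrix.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Risk:
    name: str                      # short description of the risk
    asset: str                     # the asset at stake
    likelihood: str                # key into LIKELIHOOD
    impact: str                    # key into IMPACT
    impedes_mission: bool = False  # does it block the organization's core mission?


def score(risk: Risk) -> int:
    """Likelihood x impact; a risk that impedes the core mission gets maximum impact."""
    likelihood = LIKELIHOOD[risk.likelihood]
    impact = 5 if risk.impedes_mission else IMPACT[risk.impact]
    return likelihood * impact


def band(s: int) -> str:
    """Assumed thresholds on the 25-cell matrix: low <= 4, medium 5-9, high >= 10."""
    if s >= 10:
        return "high"
    if s >= 5:
        return "medium"
    return "low"


def prioritize(register: list) -> list:
    """Return (name, score, band) tuples with the highest-risk items first."""
    ranked = sorted(register, key=score, reverse=True)
    return [(r.name, score(r), band(score(r))) for r in ranked]


# Constructed register for the pharmaceutical "Company A" scenario (not real data).
REGISTER = [
    Risk("Ransomware on research file server", "drug development data", "likely", "severe", True),
    Risk("Patient data exposed by misconfigured cloud storage", "patient records", "unlikely", "moderate", True),
    Risk("Phishing of clinical staff", "user credentials", "almost certain", "moderate"),
    Risk("Third-party vendor mishandles shipping data", "logistics data", "possible", "moderate"),
    Risk("Lost visitor badge", "office access", "unlikely", "minor"),
]

if __name__ == "__main__":
    for name, s, b in prioritize(REGISTER):
        print(f"{b:>6}  {s:2d}  {name}")
```

Note how the misconfigured cloud storage risk would sit in the medium band on likelihood and impact alone (2 × 3 = 6) but is pushed into the high band because it threatens patient trust and therefore the company's mission.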

Step Three:

Risk Treatment:

After identifying, assessing and prioritizing security risks, risk treatment involves choosing and acting on the best course of action for resolving each risk.

There are four ways to approach security risk treatment:

Risk Avoidance: This is simply eliminating the risk, thereby preventing the security risk from becoming a full-blown security incident.

For example, an organization can decide not to adopt technologies that pose a high security risk, such as certain cloud computing services or legacy systems.

Risk Acceptance: Here, the organization makes the decision to embrace the risk after careful consideration of the likelihood of the occurrence and the potential impact of the risk event.

For example, organizations can choose to accept the risk of using third-party vendors if the vendors provide valuable services and have demonstrated strong security practices.

Risk Mitigation: This involves implementing controls and strategies to reduce the likelihood of security incidents or minimize their potential impact.

For example, access controls, such as role-based access control (RBAC) and multi-factor authentication (MFA), restrict access to sensitive data and systems to authorized individuals.

Risk Transfer: Here, the burden of financial responsibility for security risks is transferred to a third party.

For example, an organization can purchase cyber insurance so that, in the event of a security incident, the policy covers financial losses from data breaches or cyberattacks.

In conclusion, I must mention that ignoring risks is not a strategy. Organizations that leverage technology to drive innovation and provide goods and services to the customers they serve must prioritize enterprise risk management as a strategy for business continuity and relevance.


I am writing my way into becoming a highly sought-after Cybersecurity GRC Professional.