Technology is permeating all aspects of business at an increasing rate. New ways of conducting business processes, – remote access, BYOD (bring your own device) and now WFH (work from home) – are bringing about an incredibly broad and diverse domain of cyber risks that are here to stay.
An Enterprise Risk Management (ERM) program has to include cyber security risks as one of its key strategic risk components to be assessed and managed regularly, just as how financial or other business process related risks are measured, monitored, mitigated and reported.
This approach is really the crux of bringing in what is called as a new approach – IRM (Integrated Risk Management). There are a lot of proponents who have backed this and other three-letter acronyms pointing out the benefits of each and opining how the others have gone out of existence. In my opinion, a truly integrated view (call it by whatever acronym – ERM, GRC, IRM) of Enterprise Risk Management must consider all risk factors and different risk domains.
This brings us to the next question on how to assess, measure, monitor and report on cyber security risks.
Traditionally, a financial, regulatory or operational risk is classified and defined based on its “causes and effects”. Examples such as these are well known – what happens if the bank lending rate increases, what would be the impact on imported materials if the exchange rate fluctuates, where to source in the event of a critical supplier bankruptcy, why is our stockyard not insured for theft, what if there is a new regulation the imposes restrictions on trade, etc.
This leads to the next step of assessing, measuring and calculation of that risk. Normally risk managers with the help of business, measures the “impact” of that risk – either in monetary terms or qualitatively – and multiply this by the factor called “probability of occurrence”, “likelihood”, “odds of happening” – either in terms of percentage (0-100%) or in terms of risk scores. Low-impact events with high probability are given lower ranking as compared to high-impact events with low probability and can be represented in what are called “heat maps” to draw attention to the red areas requiring immediate attention.
Cyber security risk assessment challenges:
- Security experts and the CISO’s office are mostly caught up with measuring technical exposures, discovering vulnerabilities and evaluating tools, that they hardly spend time to see the connect with the business impact. The security teams and business – do not align their risk definitions in order to have their understanding at the same level.
- “Threats”, “Vulnerabilities and “risks” are many a times used interchangeably.
- “Threats” represent something that might happen. Natural threats like floods, earthquakes or tornadoes can be acted upon in advance based on weather forecasts or previous learnings. However, cyber security threats (conducted by threat actors or hackers) that aim to steal or destroy data or disrupt business operations are real fears that organizations have to be concerned about. Examples of such threats are very many and keep growing in different forms – viruses, ransomware, malware, phishing, social engineering, denial of service attack, data breaches, complete shutdown of assets, etc.
- “Vulnerabilities” (in the context of systems) represent weaknesses in hardware, networks or software. In business and other applications these vulnerabilities are normally patched up periodically by the vendor/ manufacturer and applied by the security organization. Other examples like unsolicited emails or phishing attempts also can make the system vulnerable to attacks. Unauthorized access (whether intentional or unintentional, whether by insiders or outsiders) to applications and data centers violates and bypasses security policies and the person/s can take advantage of the vulnerability.
- “Risks” are considered as those that can potentially harm the IT systems and business. Risk is a function of both “threat” and “vulnerability”, meaning that the higher the likelihood of the threat against a known vulnerability is seen as a high risk factor, as against a low level threat for a less vulnerable asset can be classified with a lower risk rating.
- Quantifying the business impact of a cyber security threat event is a very difficult task bordering on the impossible. Estimating the probability of its occurrence is even harder because of the evolving technological advances and new ways in which breaches can occur. Cyber security has always been considered as a tactical response to threats – either a security breach occurred or it did not. Thinking about what is the business impact of the risk of a threat occurring requires putting on a different thinking cap. Currently the majority thinking is that if a cybersecurity breach does not occur then it is not a risk to be addressed on priority.
- A big challenge today is that the technically-oriented CISO’s office understands the need for preventing security attacks but not how to express the ramifications of those attacks in business terms. Security experts understand and articulate that if, for example, a vulnerability in the network or an application is not patched up, there could be a threat of theft of database or network downtime. However, they are not able to put up in front of the Board or the CFO, a business-focused description like “setting up preventive measures will reduce the risk of exposure to the customer database, which if exposed will cost an estimated “x” amount of money in lost business, expenses and litigation” or “critical enterprise wide applications hacked through social engineering techniques have to be monitored as close to real-time to identify the attacker and the employee/s involved to prevent the risk of loss of financial results that could swing the stock market adversely by x%”.
- The above subjective assessment is only a starting point and can have many holes pointed in it. It is not straight forward like financial transactions that have honed the metrics for calculations – every cybersecurity breach is different, unprecedented and unpredictable with ever-changing technology.
- Many vendors offer their scorecards and applications that promise nice and jazzy scorecards. But behind all that there are tons of work to be done for ensuring meaningful data – identifying risk factors, classifying and documenting all the assets and feed it into one of theses systems.
Make a start in addressing the challenges
- Ensure that you present the importance of cyber security to the Board level executives, not by scary stories that happened recently at a different organization, but by articulating clearly the specific business objective that would be impacted if a particular threat is not addressed to mitigate or lower the risk, how this would be done and what would be the cost of mitigation. This would bring about clarity to both IT and business on why the budget needs sanction.
- Bring your IT team resources on the same page on understanding the context in which risk management has to be aligned at the enterprise level.
- Make sure everyone understands the various terms like threats, vulnerabilities and how risks can be rated or calculated – whether subjectively at first and then gradually move up the ladder to more complex metrics to quantify the same.
- Invest time in making and checking an inventory of all system and IT resources and document them for risk and control assessment plans. Make sure that acquired or merged organizations are included in the overall landscape assessment.
- Do not just focus on the “perimeter” risks (such as firewalls, sniffers, etc.) – there are already a host of tools that address these well at the technical level.
- Make sure to look at vulnerabilities in internal home-grown applications, legacy systems, ERP applications, user access controls, physical access controls to server rooms, etc. Addressing potential insider threats is equally important as identifying and preventing external attacks.
- Various logs streaming in from applications and audit logs carry a lot of information on activities and their patterns. Look out for tools and solutions that can help you collate and analyse them as close to real-time in a meaningful human readable form, so that actions can be taken.
- Performing what-if scenarios for possible breaches, use of artificial intelligence and machine learning algorithms applied on various log databases can help a lot in reporting and prevention, but it still requires human interpretation to make decisions.
- Conduct periodic penetration testing by third parties and ethical hackers to assess and measure the areas and level of vulnerability present in the system landscape.
- Be realistic in assessing how long it would take to mitigate newly discovered threats, rank them in the order of risk priority before committing to bring the risk down to an acceptable level.
To sum up, assessing cyber security risks, identifying threats and vulnerabilities is a continually evolving subject and is not an exact science. It is a new discipline that requires a strategic thinking and cooperation between top management, finance experts and the IT / CISO’s office.