Cybersecurity Risk & Cybersecurity Risk Management
This post discusses cybersecurity risk and cybersecurity risk management: what cybersecurity risk means and how an organisation manages such risks.
WHAT IS CYBERSECURITY?
Cybersecurity refers to the technologies, processes and practices designed to protect an organisation’s intellectual property, customer data and other sensitive information from unauthorised access by cybercriminals. Cyberspace is a virtual rather than a physical space, but the term is commonly used to describe the arena in which digital weapons are aimed at individuals’ and organisations’ devices. A cybersecurity threat is a malicious act that seeks to damage data, steal data, or disrupt digital life.
A cyber-attack is an attack against the digital devices of an organisation via cyberspace. Cyber-attacks include threats like computer viruses, data breaches, and Denial of Service (DoS) attacks. Many cyber-attacks are mere nuisances, while some are severe. Cyber-attacks may threaten human lives: they can cause electrical blackouts, military equipment failure, and breaches of national security secrets. They can also result in the theft of valuable and sensitive data like personal and medical records. Hence the need for a sound cybersecurity risk management framework within a firm.
TYPES OF CYBERSECURITY THREATS
There are ten common types of cyber threats, including:
1) Malware: This software performs a malicious task on a target device or network, e.g., corrupting data or taking over a system.
2) Phishing: This email-borne attack involves tricking the email recipient into disclosing confidential information or downloading malware by clicking on a hyperlink in the message.
3) Spear Phishing: This is a more sophisticated form of phishing where the attacker learns about the victim and impersonates someone they know and trust.
4) “Man in the Middle” (MitM) attack: This is a situation where an attacker establishes a position between the sender and recipient of electronic messages and intercepts them, perhaps changing them in transit. The sender and recipient believe they are communicating directly with one another. In a military context, a MitM attack could be used to confuse an enemy.
5) Trojans: Named after the Trojan Horse of ancient Greek history, the Trojan is a type of malware that enters a target system looking like one thing, e.g., a standard piece of software, but then releases its malicious code once inside the host system.
6) Ransomware: This attack involves encrypting data on the target system and demanding a ransom to let the user access the data again. These attacks range from low-level nuisances to severe incidents like the locking down of the entire city of Atlanta’s Municipal Government Data in 2018.
7) Denial of Service (DoS) or Distributed Denial of Service (DDoS) attack: In the distributed form, an attacker takes over many (perhaps thousands) of devices and uses them to invoke the functions of a target system, e.g., a website, causing it to crash from an overload of demand.
8) Attacks on IoT Devices: IoT devices like industrial sensors are vulnerable to multiple cyber threats. These include hackers taking over the device to make it part of a DDoS attack and unauthorised access to data collected by the device. IoT devices are prime targets of malicious attacks because of their vast geographic distribution and frequently out-of-date operating systems.
9) Data Breaches: A data breach is a data theft by a malicious actor. Motives for data breaches include crime (identity theft), a desire to embarrass an institution and espionage.
10) Malware on Mobile Apps: Mobile devices are vulnerable to malware attacks like other computing hardware. Attackers may embed malware in app downloads, mobile websites or phishing emails and text messages. Once compromised, a mobile device can give the malicious actor access to personal information, location data, and financial accounts.
SOURCES OF CYBERSECURITY THREATS
Cybersecurity is relevant to all systems that support an organisation’s business operations and objectives and its compliance with regulations and laws. An organisation typically designs and implements cybersecurity controls to protect the integrity, confidentiality, and availability of its information assets. Cyberattacks are committed for various reasons, including financial fraud, information theft, activist causes, denying service, and disrupting the critical infrastructure and vital services of organisations and governments.
Common sources of cybersecurity threats include:
1. Nations or states,
2. Cyber-criminals (including organised crime groups and hackers),
3. Business competitors,
4. Insiders (including unhappy insiders) and service providers,
5. Developers of substandard products and services, and
6. Poor configuration of cloud services.
To understand an organisation’s cyber risk profile, it is necessary to identify which of its information is valuable to outsiders and whose loss might disrupt the company’s operations. Such information – including personally identifiable information such as names, social security numbers and biometric records – may cause financial and reputational damage to the organisation if it were to be acquired or made public.
Hence, it is necessary to consider the following as potential targets of cyber-criminals: (1) customer data, (2) employee data, (3) intellectual property, (4) third and fourth-party vendors, (5) product quality and safety, (6) contract terms and pricing, (7) strategic planning, and (8) financial data.
WHO SHOULD BE RESPONSIBLE FOR CYBERSECURITY RISKS WITHIN AN ORGANISATION?
The direction of cybersecurity risk management is generally set by leadership, including management and the board of directors. The company’s Chief Information Security Officer establishes and maintains the enterprise vision, strategy, and programme to protect information assets and customer data. When an organisation does not have a Chief Information Security Officer or other cybersecurity professionals, board members with experience in cybersecurity risk are valuable.
It is, however, essential for all levels of an organisation to understand their roles in managing cyber risk. Vulnerabilities may arise from any employee. To ensure a firm’s information technology security, it is important to continually educate employees on avoiding common security pitfalls that can lead to data breaches or other cyber incidents.
DIFFERENCE BETWEEN CYBERSECURITY AND CYBER RESILIENCE
Cybersecurity protects computer systems, networks, information-technology infrastructure and data from disruption, theft, modification, and damage. People tend to view cybersecurity primarily from a proactive standpoint, i.e., cybersecurity is often described and measured by how well it prevents various forms of deliberate malicious action by attackers. Therefore, major cybersecurity principles have traditionally focused on authenticating users, implementing least-privilege authorisation, layering security countermeasures to create perimeters and zones, and coding with security in mind.
Conversely, cyber-resilience measures how well an entity can continue operating and delivering goods and services as intended and expected – regardless of cyberattacks, technical failures, and other significant cyber-disruptions of its business processes. Practical cyber-resilience principles tend to focus on business continuity planning; implementation of secure redundancy for critical business processes; assessment of potential attack surfaces; identification and assessment of attackers’ actions within compromised computer infrastructure; reaction to attacks; and clean-up and restoration of normal operations after a breach.
Summary of the difference between Cybersecurity and Cyber-resilience
1) Cybersecurity encompasses technologies, processes and measures designed to protect systems, networks, and data from cybercrimes. Cyber resilience is an organisation’s ability to continuously deliver intended services, operations, and outcomes despite cyber events.
2) Cybersecurity reduces the risk of a cyber-attack and strives to protect entities, organisations, and individuals from the deliberate exploitation of systems, networks, and technologies. Cyber resilience encompasses a broader scope, comprising cybersecurity, risk mitigation, business continuity and business resilience.
3) Cybersecurity solutions must work effectively without compromising the usability of the systems. Cyber resilience strategy requires a cultural shift as the organisation adopts security as a full-time job and embeds cyber-resilience best practices into day-to-day operations.
4) Any cybersecurity strategy must also include a robust business continuity plan to resume operations if a cyber-attack is successful. With cyber resilience, an organisation must become intelligent and agile enough to handle both actual and potential attacks.
ROLES AND IMPORTANCE OF PEOPLE, PROCESSES AND TECHNOLOGY IN CYBER SECURITY
Cybersecurity is a sub-section of information security. There is a common misconception that cyber security is all about technology consisting of hardware and software. Technology is a massive part of cybersecurity, but technology largely depends on having proper processes and trained staff to use the technology effectively.
Effective cybersecurity reduces the risk of a cyber-attack that deliberately exploits systems, networks, and technologies. Hence, cybersecurity consists of technologies, processes, and measures to protect individual users and organisations from cyber crimes. Practical and robust cybersecurity risk management requires an information security management system built on three pillars: people, processes, and technology.
Now, let us describe the three pillars of cyber security.
1. PEOPLE
Cybersecurity is a business issue, and everyone has a role to play. People comprise executives, staff, and information technology (IT) personnel responsible for securing sensitive data. An organisation needs to consider these three groups of stakeholders to ensure that the firm meets its responsibility for the integrity of its data.
There are two critical aspects to the people element as a pillar of cybersecurity.
1) Everyone in the business needs to be aware of their role in preventing and reducing cyber threats, handling sensitive data and understanding how to spot phishing emails.
2) There are specialised technical cybersecurity staff. They must be kept up to date with the latest skills and qualifications to implement appropriate controls, technologies, and practices to fight the latest cyber threats.
2. PROCESSES
Processes are critical to the implementation of an effective cybersecurity strategy. Processes consist of the business’s internal guidelines and controls to meet regulatory requirements. Processes are crucial in defining how the organisation’s activities, roles and documentation are used to mitigate the risks to the organisation’s information.
3. TECHNOLOGY
Technology comprises the combination of hardware, software and protocols intended to protect an organisation from malicious intent. Technology is crucial when it comes to cybersecurity. Once an organisation’s cyber risks have been identified, technology makes it easier to manage and effectively control its cybersecurity exposures.
CYBERSECURITY RISK MANAGEMENT
Rather than doors, locks and vaults, information technology (IT) departments rely on strategies, technologies, and user education to protect an organisation against cyber security attacks that can compromise systems, steal data and other valuable company information, and damage a firm’s reputation. As the volume and severity of cyber-attacks grow, the need for cyber security risk management has also increased. Cybersecurity risk management provides a framework for applying real-world risk management to the cyber world.
Cybersecurity risk management is essential to a modern risk management initiative. Cybersecurity risk management processes seek to analyse and mitigate the new risks that emerge through technological advancement. Cybersecurity risk management aims to protect a firm’s cyber assets, enhancing its resilience against cyber vulnerabilities. Hence, cybersecurity risk management constitutes a valuable tool for benchmarking and categorising a firm’s cyber posture for continuous testing and standardisation based on individual business needs.
CYBERSECURITY RISK MANAGEMENT PROCESS
Organisations increasingly embrace that cybersecurity risk management should be integrated into the enterprise risk management context. Here are the four essential steps of a cybersecurity risk management process:
1) Identify cybersecurity risks.
2) Assess cybersecurity risks.
3) Evaluate cybersecurity risk mitigation measures.
4) Decide what to do about residual cyber risk.
CYBER SECURITY CONTROLS
Cybersecurity controls are essential because attackers keep devising new ways of executing attacks, aided by technological advancements. Hence, organisations must implement the best safeguards to strengthen their security postures. Developing a holistic approach entails adhering to international standards, complying with various regulations, and deploying defence-in-depth strategies.
Cybersecurity controls are the countermeasures that companies implement to detect, prevent, reduce, or counteract security risks. They are the measures that a business deploys to manage threats targeting computer systems and networks. The controls keep on changing to adapt to an evolving cyber environment. As such, every organisation must understand the best controls for addressing its security concerns.
The following guideline can assist a business in enhancing its cybersecurity controls.
1. Assess the size of the organisation.
2. Determine the scope of IT infrastructure.
3. Determine the security levels of IT assets and information systems.
4. Confirm investments in cyber security.
HOW TO CREATE A CYBER SECURITY MANAGEMENT PROGRAMME
To address cybersecurity risks effectively, identify the actual risks to your information systems and data. Here is a five-point plan to get you started on a cybersecurity risk assessment:
1. Identify system and information security risks.
2. Rank third-party contractors by the level of access and data volume.
3. Identify potential threats to your information system.
4. Conduct a risk assessment on each identified risk.
5. Rank the list of threats.
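The four-step risk management process above (identify, assess, evaluate mitigation, decide on residual risk) and the five-point plan's ranking of threats and third-party contractors can be worked through as a small risk register. The following is an added example, not code from the original post; it assumes 1-to-5 ordinal scales for likelihood, impact, vendor access level and data volume, a control effectiveness fraction, and example appetite and transfer thresholds, all of which are assumptions for illustration.

```python
from dataclasses import dataclass

# Scales assumed for this example: likelihood and impact on 1 (low) .. 5 (high);
# control_effectiveness is the fraction of inherent risk the control removes.
@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: int
    impact: int
    control_effectiveness: float = 0.0

    def inherent(self) -> int:
        """Step 2: assess the risk before any control is applied."""
        return self.likelihood * self.impact

    def residual(self) -> float:
        """Step 3: evaluate what remains after the mitigation measure."""
        return round(self.inherent() * (1.0 - self.control_effectiveness), 2)


def decide(risk: Risk, appetite: float = 6.0, transfer_above: float = 12.0) -> str:
    """Step 4: accept residual risk within appetite, transfer (e.g. via cyber
    insurance) what is still above transfer_above, otherwise add controls.
    The two thresholds are assumed values, not from the post."""
    r = risk.residual()
    if r <= appetite:
        return "accept"
    if r > transfer_above:
        return "transfer"
    return "mitigate"


def rank_risks(register: list) -> list:
    """Rank the register by residual risk, highest first, with the decision."""
    ranked = sorted(register, key=lambda r: r.residual(), reverse=True)
    return [(r.asset, r.threat, r.residual(), decide(r)) for r in ranked]


def rank_vendors(vendors: list) -> list:
    """Rank third-party contractors by access level x data volume (both 1..5)."""
    return [name for name, access, volume in
            sorted(vendors, key=lambda v: v[1] * v[2], reverse=True)]


# Constructed sample register and vendor list (illustrative, not real data).
REGISTER = [
    Risk("customer data", "ransomware", 4, 5, 0.5),          # inherent 20, residual 10
    Risk("financial data", "phishing", 5, 4, 0.75),          # inherent 20, residual 5
    Risk("IoT sensors", "DDoS botnet takeover", 3, 5, 0.0),  # inherent 15, residual 15
    Risk("strategic plans", "insider leak", 2, 3, 0.0),      # inherent 6, residual 6
]
VENDORS = [("payroll SaaS", 4, 5), ("cleaning contractor", 1, 1), ("MSP", 5, 3)]

if __name__ == "__main__":
    for row in rank_risks(REGISTER):
        print(row)
    print(rank_vendors(VENDORS))
```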
CYBERSECURITY INCIDENT RESPONSE PLAN
The incident response plan should identify key people who will act in an incident and describe their roles and responsibilities. The incident response plan should also clearly articulate who is responsible for testing and implementing the plan.
A cybersecurity incident response plan is a set of pre-written instructions to assist an individual or an organisation in responding to several potential scenarios, such as:
1) Data breaches,
2) Denial of service attacks,
3) Firewall intrusion,
4) Virus or malware infection,
5) Damage to equipment or premises,
6) Insider threats, and
7) Loss of power or other technology failures.
CYBERSECURITY INCIDENT MANAGEMENT PROCESS
The process of managing a cybersecurity incident consists of six steps:
1. Prepare staff and managers on how to handle potential incidents should they arise.
2. Determine if an event is an IT failure or a security incident.
3. Contain the incident and prevent further damage to systems and equipment.
4. Find the cause of the incident and remove the threat from the affected systems.
5. Recover those systems after removing the threats.
6. Document and analyse the situation to update, change or improve procedures.
CYBERSECURITY INSURANCE
Cybersecurity insurance, also known as cyber liability insurance or cyber risk insurance, can be purchased by businesses to hedge cybersecurity risks. Cybersecurity insurance is a vital tool in a cybersecurity risk management framework. It is an insurance product designed to help companies hedge against the potentially devastating effects of cybercrimes such as malware, ransomware, distributed denial-of-service (DDoS) attacks, or any other method used to compromise a network and sensitive data.
Cybersecurity insurance is designed to mitigate losses from cyber incidents, including data breaches, business interruptions, and network damage. Cyber security insurance covers the cost for a business to recover from a data breach, virus, or other cyberattacks. It also covers legal claims resulting from the breach. Any company that stores sensitive data in the cloud or an electronic device should have cyber liability insurance. See the post on ‘Cybersecurity Insurance’ to learn more about cybersecurity insurance coverage, operations, and limitations.
See my video on Cybersecurity Risk and Cybersecurity Risk Management: https://youtu.be/tZ7LfWinbu0
VIDEO TIMESTAMPS
00:00 – Insurance
01:09 – What is cyber security insurance?
03:00 – Who needs cyber security insurance?
06:26 – What is covered by cyber security insurance?
11:25 – What is not covered by cyber security insurance?
13:24 – Cyber security insurance claims and lawsuits coverages
14:49 – Can businesses replace cybersecurity defence with cyber insurance?
15:51 – Best places to buy cyber security coverage
16:59 – Underwriting factors and premium of cyber security insurance
21:19 – Conclusion