Cyber Security: Risk Management
In my previous post, ‘Cyber Security: The Importance of Culture and Training’, we covered the basics of what defines cybersecurity and its importance. To recap, cybersecurity is the term used to convey the protection of your computer-based equipment and information from unauthorised access.
It is vital to recognise the risks involved with your information, and ensuring awareness of these risks and how to handle them is spread throughout the organisation. The first thing you can do to ensure information assurance is get the basics right:
- Download software updates
- Use strong passwords
- Delete suspicious emails
- Use anti-virus software
Spread awareness throughout the organisation by:
- Face-to-face presentations
- Training videos and DVDs
- Computer-based training (CBT)
- Visual aids
In the main body of this article, we are going to focus on the next steps to take in regards to risk management including what a ‘risk’ actually means. We will also look at how to go about getting your organisation certified in information security and the benefits this can bring to business.
Take a risk management approach to cyber security. You must understand what is directly at risk:
- Your money
- Your information
- Your reputation
- Your IT equipment
- Your services
Once you recognise just how much is at risk, it’s time to ask who can pose a threat to these assets of your business. A common misconception is that only malicious hackers or competitors are a threat. This is far from the truth. In fact, the most common reason behind security breaches is internal, meaning current employees and human error!
You must approach risk management in a secure way. The first thing is to understand what a risk actually consists of: It is the coming together of a threat to your business and a current vulnerability in your business. Steps to take:
- Understand what threats exist to your business – A threat is anything that can stop you doing business as usual for any reason.
- Understand your existing vulnerabilities – A vulnerability is any part of your business (equipment, processes, people, etc.) that can be exploited.
- Recognise which threats can expose which vulnerabilities – these are your ‘risks’.
- Perform a risk analysis – evaluate the probability of each of these risks coming to life, and the impact each one would have. This can be represented on a probability-impact matrix.
- Understand your business’ risk appetite – the level of risk (possibly a line on the matrix) under which you are willing to tolerate that risk happening (it does not pose a great impact on business, or it is simply too unrealistic).
- Apply suitable controls to mitigate the risks that are above your appetite level.
- Monitor all risks to make sure new ones don’t arise or exceed your risk appetite level.
To ensure a successful ISMS (information security management system), you must thoroughly step through three stages:
If you want your organisation to be officially given certification to show you are complying with information security requirements, there are more robust routes you can take. For example, ISO/IEC 27001 covers all the requirements of information security management systems (ISMS). You will be audited by a Certifying Body who is accredited to audit the ISMS. Once the audit is completed successfully, your organisation will be certified to ISO/IEC 27001.
Another example is Cyber Essentials, which covers the basics of cyber security in an organisation’s IT system. This will usually become a practical component of a wider-ranging cybersecurity posture.
The benefits of having professional certification are endless. A few of these are:
- Provide assurance
- Provide confidence (internal/external)
- Risk oriented
- Reduce costs (long term)
- Preventative management rather than reactive
- Holistic cultural shift (across the business)
Failure to raise awareness to the dangers of cyber security can lead to great financial loss, loss of reputation, lost trust of customers, legal penalties, as well as shutting down your business altogether.
Now ask yourself, is it worth the risk?