Cyber security risk analysis
September 21, 2020
Cybersecurity article series:
- Cybersecurity risk analysis
- Staff training
- Detecting a breach and immediate action
- Recovering from a breach
The first in our series of articles on cybersecurity covers risk analysis for your business. Risk analysis is something that everyone in the world of regulatory compliance and anti-money laundering (AML) is familiar with and deals with every day. For the most part, though, our focus tends to be on external risks such as new clients, businesses and industry practices. When performing a risk analysis of our assets in relation to cybersecurity, we must also keep a clear focus on internal threats.
The first step in managing your security risk is identification. Knowing which threats have the potential to cause a negative impact on your business is essential to minimizing those impacts. Brainstorm with as many of your staff as you can, put together working groups and organizational surveys, and look back at historical information to get the entire picture of what could go wrong. It is important not to leave anything out here. Although some of the ideas about what might go wrong may seem unlikely to occur, it is better to record the risk and assess its potential impact later. Once you have a list of risks relevant to your business, that list can be the start of your risk register.
You can add as much further information to your risk register as you like, but at a minimum you should include:
- A description of the risk
- The probability of each risk occurring
- Expected impact if the associated risk occurs
- Steps taken to mitigate the risk
- A history of any previous events involving the risk, including the impact of the occurrence, whether the controls were effective and whether any further steps were necessary.
With a risk register started, you can begin to assess the probability of each risk occurring and the severity of its impact. The nature of your business will determine how great the possibility of loss is for each risk you have identified. For example, a law firm will hold a huge amount of Personally Identifiable Information (PII) on its clients, while a bank or other financial institution will hold financial records and account information as well. Since the GDPR compliance deadline of May 25th 2018, over 59,000 data breaches have been reported to the EU’s supervisory authorities, and some have resulted in hefty fines. Keeping your clients’ PII and account information secure is not just ethical; failing to do so could have serious regulatory and financial consequences. Accurately assessing the impacts of risk to your business has never been more important. Qualitative risk assessments are much more subjective but will help to determine the most significant risks. Quantitative risk assessment should be used to describe the impact of a risk in financial terms and can help in determining a budget for risk mitigation. Both methods should be used for a better overall picture of the potential impacts to your business.
Putting in place measures to control and reduce risk is arguably the most important step in the process of cyber-risk assessment. A simple control that we all have in place already is requiring personnel to use a password to log in to their devices and accounts, but how effective is that control if someone has a post-it note with the password they use for all of their accounts stuck to their monitor? There are of course other ways to have someone log in to their accounts without a password, for instance using biometrics or tokens, but implementing the hardware and software needed for those systems can be costly. As you assess the risks to your business and the potential impacts they have, you will need to ensure that the cost of any control you decide on is not greater than the financial impact of the risk itself. Why buy a $2000 alarm system for a $500 car? There are, of course, more cost-effective controls to consider before spending more than you can realistically budget.
Once you have assessed the probability of each risk occurring and its potential impact, and developed some methods of control, your risk register should be filled out with this additional information.
A sample risk register might look something like this:
| ID | Risk | Probability | Impact | Controls | History |
|---|---|---|---|---|---|
| 0001 | Phishing emails | High | High | Email filters, External email notifications, Staff training | 4/12/18 All staff received and reported suspect email, controls effective, no impact |
| 0002 | Brute force password attacks | Low | Very High | Strict password policy, Multi-factor authentication | |
| 0003 | Hardware theft | Low | High | Building access log, Access card control, Device locks, Remote device wiping enabled | 7/9/18 Laptop stolen from vehicle, not recovered, device was wiped remotely, limited impact |
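To show how the qualitative and quantitative views of the register fit together, here is a small added example written for this article (it is not the author's code). It holds the three sample rows above, ranks them by a probability x impact score, computes an annualised loss for each, and checks whether a control's yearly cost is covered by the loss it is expected to prevent. The five-level scale, the dollar figures and the occurrence rates are assumptions constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Five-level qualitative scale (an assumption; the article's rows use
# "Low", "High" and "Very High").
LEVELS = {"Very Low": 1, "Low": 2, "Medium": 3, "High": 4, "Very High": 5}


@dataclass
class Risk:
    risk_id: str
    description: str
    probability: str                  # qualitative level from LEVELS
    impact: str                       # qualitative level from LEVELS
    controls: list[str] = field(default_factory=list)
    history: list[str] = field(default_factory=list)
    # Quantitative inputs; the figures used below are constructed for illustration.
    single_loss: float = 0.0          # expected cost of one occurrence, in dollars
    annual_rate: float = 0.0          # expected occurrences per year

    def score(self) -> int:
        """Qualitative score: probability level x impact level (1 to 25)."""
        return LEVELS[self.probability] * LEVELS[self.impact]

    def annual_loss(self) -> float:
        """Annualised loss expectancy: cost of one occurrence x expected frequency."""
        return self.single_loss * self.annual_rate


def rank(register: list[Risk]) -> list[Risk]:
    """Most significant risks first, by qualitative score."""
    return sorted(register, key=lambda r: r.score(), reverse=True)


def control_is_justified(risk: Risk, annual_cost: float, rate_reduction: float):
    """Return (justified, prevented_loss).  A control is justified when its annual
    cost does not exceed the annual loss it is expected to prevent; rate_reduction
    is the fraction (0.0 to 1.0) by which it cuts the risk's annual rate."""
    prevented = risk.annual_loss() * rate_reduction
    return annual_cost <= prevented, prevented


# Register built from the article's three sample rows; loss figures are constructed.
REGISTER = [
    Risk("0001", "Phishing emails", "High", "High",
         ["Email filters", "External email notifications", "Staff training"],
         ["4/12/18 All staff received and reported suspect email, controls effective, no impact"],
         single_loss=20_000, annual_rate=2.0),
    Risk("0002", "Brute force password attacks", "Low", "Very High",
         ["Strict password policy", "Multi-factor authentication"],
         single_loss=150_000, annual_rate=0.25),
    Risk("0003", "Hardware theft", "Low", "High",
         ["Building access log", "Access card control", "Device locks",
          "Remote device wiping enabled"],
         ["7/9/18 Laptop stolen from vehicle, not recovered, device was wiped remotely, limited impact"],
         single_loss=5_000, annual_rate=0.5),
]

if __name__ == "__main__":
    for r in rank(REGISTER):
        print(f"{r.risk_id} {r.description:<30} score={r.score():>2} ALE=${r.annual_loss():,.0f}")
    # A hypothetical MFA rollout costing $3,000 a year that halves successful
    # password attacks: justified, because it prevents far more than it costs.
    print("MFA justified:", control_is_justified(REGISTER[1], 3_000, 0.5))
    # The "$2000 alarm for a $500 car" case: a $5,000-a-year control against
    # hardware theft that halves the rate prevents only $1,250 a year.
    print("Expensive theft control justified:", control_is_justified(REGISTER[2], 5_000, 0.5))
```

The qualitative score decides which risks to look at first; the annualised loss puts a number on them so a control's budget can be compared against it, which is exactly the trade-off the alarm-system analogy above describes.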
Multi-factor authentication is a very effective method of increasing security for our assets and is often free to implement, especially for web-based accounts. A malicious actor who manages to obtain a password will be unable to breach an account without the second method of authentication. Enforcing a strong password policy is also easy and effective. Increasing the complexity of passwords makes it more difficult for attackers to ‘brute force’ a password, which involves trying every possible combination of characters in an attempt to guess it. To increase complexity, passwords should contain at least 8 characters (the more the better) and include both upper and lower case letters, at least one numeric character and at least one special character. Password policies should also ensure passwords do not include usernames, ID numbers, birth dates, telephone numbers, common dictionary words, simple patterns of letters (like QWERTY) or any other personal information that could be easily obtained or guessed.
Just as important as the controls that secure logical access to your systems and data are the controls required for physical access to those same assets. Having secure passwords means little for your security if a device is left unsecured and unsupervised. A simple control is a timeout function on a device, requiring a password when the device wakes up.
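As an added example (not part of the original article), the following Python function checks a candidate password against the policy described above at the point where a user sets it, and returns every rule it fails rather than just the first. The dictionary word list and keyboard patterns are small constructed samples, and the personal details to exclude (username, ID number, birth date, telephone number) are passed in by the caller; a real deployment would use a far larger word list.

```python
import re

# Constructed sample lists for illustration only.
COMMON_WORDS = {"password", "welcome", "letmein", "summer", "monkey", "dragon"}
KEYBOARD_PATTERNS = ("qwerty", "asdfgh", "zxcvbn", "12345", "abcdef", "1qaz2wsx")


def _compact(text: str) -> str:
    """Lower-case and drop separators, so 1990-04-12 also matches 19900412."""
    return re.sub(r"[^a-z0-9]", "", str(text).lower())


def check_password(password: str, personal_info=(), min_length: int = 8) -> list[str]:
    """Return the list of policy rules the password fails (empty list = passes).
    personal_info holds strings that must not appear in the password, such as
    the username, staff ID, birth date or telephone number."""
    failures = []
    if len(password) < min_length:
        failures.append(f"shorter than {min_length} characters")
    if not re.search(r"[A-Z]", password):
        failures.append("no upper case letter")
    if not re.search(r"[a-z]", password):
        failures.append("no lower case letter")
    if not re.search(r"[0-9]", password):
        failures.append("no numeric character")
    if not re.search(r"[^A-Za-z0-9]", password):
        failures.append("no special character")

    lowered = password.lower()
    compact_password = _compact(password)
    for item in personal_info:
        item_compact = _compact(item)
        # Ignore very short fragments, which would match almost anything.
        if len(item_compact) >= 3 and item_compact in compact_password:
            failures.append(f"contains personal information ({item})")
    for word in sorted(COMMON_WORDS):
        if word in lowered:
            failures.append(f"contains dictionary word ({word})")
    for pattern in KEYBOARD_PATTERNS:
        # Check the pattern both forwards and reversed (e.g. 12345 and 54321).
        if pattern in lowered or pattern[::-1] in lowered:
            failures.append(f"contains simple pattern ({pattern})")
    return failures


if __name__ == "__main__":
    # Constructed candidate passwords and a constructed staff record.
    staff = ["jsmith", "EMP4471", "1990-04-12", "555-0101"]
    for candidate in ["Password1", "Qwerty!123", "Jsmith-1990!", "Tr0ub4dor&3"]:
        result = check_password(candidate, personal_info=staff)
        print(candidate, "->", "OK" if not result else "; ".join(result))
```

Returning all failures at once lets the set-password page explain to the user exactly which rules were broken, which matters because a policy people cannot understand is one they will work around.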
The most important risk control measure you can have in place for your business is training. Staff who are trained and aware of the risks to your systems and data are the first and best line of defence against them. A staff member who has been trained to quickly recognise a phishing email and immediately report it can save you time and money compared to one who clicks on the link and unknowingly downloads malware onto your network. If you don’t have one already, implementing an effective cyber awareness/security training program for your business should be high on your list of priorities, as it can help to mitigate many of the risks you will identify. However, it only takes one unengaged staff member to undo the achievement of a robust training program, so it is important to ensure you utilise other controls as back-ups in the event that human error impacts your business. Training will help your staff to understand the risks, why other controls are in place and the consequences of subverting those controls. Staff training will be covered in detail in the next article in this series.
Once you have decided on and implemented the controls you need to reduce or remove the associated cyber risks, it is just as important to monitor and review the risks and controls in your risk register to ensure that they are working. Levels of risk can change, and new threats can emerge, creating the potential for uncontrolled impacts to your business. Continuous monitoring will keep your business up to date and can provide peace of mind that your assets are as secure as you can make them.