Cyber security risk analysis

Cybersecurity article series:

  • Cybersecurity risk analysis
  • Staff training
  • Detecting a breach and immediate action
  • Recovering from a breach

Cybersecurity Risk Analysis

The first in our series of articles on cybersecurity will cover aspects of risk analysis for your business. Risk analysis is something that everyone in the world of regulatory compliance and AML is familiar with and deals with every day. For the most part though, our focus tends toward external risks like new clients, businesses, and industry practices. When performing a risk analysis on our assets in relation to cybersecurity, we must also have a clear focus on internal threats.

Know the Threats

The first step in managing your security risk is identification. Knowing the threats that have the potential to cause a negative impact to your business is essential in minimizing those impacts. Brainstorm with as many of your staff as you can. Put together working groups and organizational surveys. Look back at historical information to get the entire picture of what could go wrong.

It is important not to leave anything out here. Although some of the ideas of what might go wrong may seem unlikely to occur, it is better to record the risk and then assess the potential impact later. Once you have a list of risks relevant to your business, that list can be the start of your risk register.

Create a Risk Register

You can add as much more information as you would like to your risk register but at a minimum you should include:

  • A description of the risk
  • The probability of each risk occurring
  • Expected impact if the associated risk occurs
  • Steps taken to mitigate the risk
  • A history of any previous events involving the risk. Include the impact of the occurrence, whether the controls were effective, and whether any further steps were necessary.

With a risk register started, you can begin to assess the probability of each risk occurring, along with the severity of the impacts. The nature of your business will determine how great the possibility of loss is for each risk you have identified. For example, a law firm will hold a huge amount of Personally Identifiable Information (PII) on its clients, whereas a bank or other financial institution will also hold financial records and account information. Since the GDPR compliance deadline of May 25th 2018, the EU’s supervisory authorities have reported over 59,000 data breaches, some of which resulted in hefty fines. Keeping your clients’ PII and account information secure is not just ethical; failing to do so could have serious regulatory and financial consequences.

Qualitative vs. Quantitative Risk Assessments

Accurately assessing the impacts of risk to your business has never been more important. Qualitative risk assessments are much more subjective, but will help to determine the most significant risks. Quantitative risk assessment should be used to describe the impact of a risk in financial terms. These can also help in determining a budget for risk mitigation. You should use both methods for a better overall picture of the potential impacts to your business.

Putting in place measures to control and reduce risk is arguably the most important step in the process of cyber-risk assessment. A simple control that we all have in place already is forcing personnel to use a password to log in to their devices and accounts. But how effective is that control if someone has a post-it note with the password they use for all of their accounts stuck to their monitor?

There are of course other ways for someone to log in to their accounts without a password, for instance using biometrics or hardware tokens, but the hardware and software needed for those systems can be costly to implement. As you assess the risks to your business and the potential impacts they have, you will need to ensure that the costs associated with any controls you decide on are not greater than the financial impact of the risk itself. Why buy a $2000 alarm system for a $500 car? Of course, there are more cost-effective controls to consider before spending more than you can realistically budget.

Once you have assessed the probability of a risk occurring, the potential impact of each one, and developed some methods of control, your risk register should be filled out with this additional information.

A sample risk register might look something like this:

ID#  | Description                  | Probability | Impact    | Action/Controls                                                                      | History
0001 | Phishing emails              | High        | High      | Email filters, external email notifications, staff training                          | 4/12/18 All staff received and reported suspect email, controls effective, no impact
0002 | Brute force password attacks | Low         | Very High | Strict password policy, multi-factor authentication                                  |
0003 | Hardware theft               | Low         | High      | Building access log, access card control, device locks, remote device wiping enabled | 7/9/18 Laptop stolen from vehicle, not recovered, device was wiped remotely, limited impact
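As an added example (not from the article), here is a small Python model of the register above that adds the quantitative view discussed earlier: expected loss is taken as probability times financial impact (an assumed method, not one the article prescribes), and each row is checked against the article's cost-versus-impact test, flagging any control whose annual cost exceeds the expected loss it addresses. The probability mappings, dollar impacts and control costs are constructed for illustration.

```python
from dataclasses import dataclass, field

# Map the article's qualitative ratings to assumed annual probabilities and
# dollar impacts. These figures are constructed; a real register would use
# numbers drawn from the business's own history and accounts.
PROBABILITY = {"Low": 0.05, "Medium": 0.25, "High": 0.75}
IMPACT_USD = {"High": 100_000, "Very High": 1_000_000}

@dataclass
class Risk:
    risk_id: str
    description: str
    probability: str            # qualitative rating, as in the register
    impact: str                 # qualitative rating, as in the register
    controls: list[str]
    control_cost_usd: float     # assumed annual cost of all listed controls
    history: list[str] = field(default_factory=list)

    def expected_loss(self) -> float:
        """Quantitative view: probability x financial impact (assumed method)."""
        return PROBABILITY[self.probability] * IMPACT_USD[self.impact]

    def control_is_proportionate(self) -> bool:
        """The article's test: don't buy a $2000 alarm system for a $500 car."""
        return self.control_cost_usd <= self.expected_loss()

# Constructed register mirroring the article's three sample rows.
REGISTER = [
    Risk("0001", "Phishing emails", "High", "High",
         ["Email filters", "External email notifications", "Staff training"], 12_000,
         ["4/12/18 All staff received and reported suspect email, no impact"]),
    Risk("0002", "Brute force password attacks", "Low", "Very High",
         ["Strict password policy", "Multi-factor authentication"], 3_000),
    Risk("0003", "Hardware theft", "Low", "High",
         ["Building access log", "Access card control", "Device locks", "Remote wipe"], 8_000,
         ["7/9/18 Laptop stolen from vehicle, wiped remotely, limited impact"]),
]

def prioritised(register: list[Risk]) -> list[str]:
    """Risk IDs ordered by expected annual loss, highest first."""
    return [r.risk_id for r in sorted(register, key=Risk.expected_loss, reverse=True)]

def disproportionate_controls(register: list[Risk]) -> list[str]:
    """IDs whose control spend exceeds the expected loss the controls address."""
    return [r.risk_id for r in register if not r.control_is_proportionate()]

if __name__ == "__main__":
    for r in REGISTER:
        print(f"{r.risk_id} {r.description:<30} loss ${r.expected_loss():>9,.0f} controls ${r.control_cost_usd:>7,.0f} proportionate={r.control_is_proportionate()}")
```

With these constructed figures the hardware-theft controls (0003) cost more per year than the expected loss they protect against, which is exactly the kind of row the budgeting discussion above says to revisit.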

Enforce a Strong Password Policy

Multi-factor authentication is a very effective method of increasing security for our assets. It is also often free to implement, especially for web-based accounts. Any malicious actor who manages to obtain a password will be unable to breach an account without the second method of authentication.

Enforcing a strong password policy is also easy and effective. Increasing the complexity of passwords makes it more difficult for attackers to ‘brute force’ them, that is, to try every possible combination of characters in an attempt to guess the password. To increase complexity, you should require passwords to contain at least 8 characters (the more the better). They should include both upper and lower case letters, at least one numeric character, and at least one special character. Password policies should also ensure passwords do not include usernames, ID numbers, birth dates, telephone numbers, common dictionary words, simple patterns of letters (like QWERTY) or any other personal information that could be easily obtained or guessed.
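To show how the rules above translate into an enforceable check, here is an added Python example (not code from the article) that tests a candidate password against each rule in the policy: minimum length, character classes, the user's own personal data, dictionary words and keyboard patterns. The word list and pattern list are deliberately tiny constructed stand-ins; a real deployment would load a full dictionary.

```python
import re

# Keyboard runs the policy calls "simple patterns" (constructed list; extend as needed).
KEYBOARD_PATTERNS = ("qwerty", "asdf", "zxcv", "1234", "abcd")
# Tiny stand-in for a dictionary-word list (constructed); a tuple keeps report order stable.
COMMON_WORDS = ("password", "welcome", "letmein", "summer", "company")

def check_password(password: str, personal: dict[str, str]) -> list[str]:
    """Return the policy rules the password breaks (an empty list means compliant).

    `personal` maps a label to the user's own data that must not appear in the
    password: username, ID number, birth date, telephone number and so on.
    """
    problems = []
    if len(password) < 8:
        problems.append("fewer than 8 characters")
    if not re.search(r"[a-z]", password):
        problems.append("no lower-case letter")
    if not re.search(r"[A-Z]", password):
        problems.append("no upper-case letter")
    if not re.search(r"[0-9]", password):
        problems.append("no numeric character")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character")

    lowered = password.lower()
    # Strip separators from both sides so "17/05/1990" is caught as "17051990"
    # and a phone number written with dashes is caught when typed without them.
    norm_pw = re.sub(r"[^a-z0-9]", "", lowered)
    for label, value in personal.items():
        norm_val = re.sub(r"[^a-z0-9]", "", value.lower())
        if len(norm_val) >= 3 and norm_val in norm_pw:
            problems.append(f"contains {label}")
    for word in COMMON_WORDS:
        if word in lowered:
            problems.append(f"contains dictionary word '{word}'")
    for pat in KEYBOARD_PATTERNS:
        if pat in lowered:
            problems.append(f"contains keyboard pattern '{pat}'")
    return problems

if __name__ == "__main__":
    # Constructed sample checks against a made-up user record.
    user = {"username": "jsmith", "birth_date": "17/05/1990", "phone": "555-0100"}
    for candidate in ("Qwerty123!", "Jsmith1990!", "Summer2024", "Tr0ub4dor&3"):
        print(candidate, "->", check_password(candidate, user) or "compliant")
```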

Just as important as having controls in place to secure logical access to your systems and data are the controls required for physical access to those same assets. Having secure passwords means little for your security if a device is left unsecured and unsupervised. A simple control can be using a timeout function on a device and requiring a password when the device wakes up.

Prioritize Training

The most important risk control measure you can have in place for your business is training. Staff who are trained and aware of the risks to your systems and data are the first and best line of defence against them. A staff member who has been trained to quickly recognise a phishing email and immediately report it can save you time and money compared to one who clicks on the link and unknowingly downloads malware onto your network. If you don’t have one already, implementing an effective cyber awareness/security training program for your business should be high on your list of priorities, as it can help to mitigate many of the risks you will identify.

However, it only takes one unengaged staff member to undo the benefits of a robust training program. It is important to ensure you utilise other controls as back-ups in the event that human error impacts your business. Training will help your staff understand the risks, the reason for controls already in place, and the consequences of subverting those controls. Staff training will be covered in detail in the next article in this series.

Monitor and Review

Once you have decided on and implemented the controls you need to reduce or remove associated cyber risks, it is just as important to monitor and review the risks and controls in your risk register to ensure that they are working. Levels of risk can change, and new threats can emerge, creating the potential for uncontrolled impacts to your business. Continuous monitoring will keep your business up to date. And, importantly, it can also provide peace of mind knowing that your assets are as secure as possible.
