The Basics of a Cyber Security Risk Assessment

The risks present for all businesses and organizations in the digital space are now widely acknowledged by company leaders. Not all of these professionals will need to understand every facet of cyber security and the various threats that malicious actors present through the internet, but they must always remain mindful of this issue’s considerable gravity.

Fortunately for them, that is becoming the case more often than not: According to the PricewaterhouseCoopers (PWC) 2017 Global State of Information Security Survey, 52 percent of the report’s 10,000 overall respondents – CEOs, CFOs, IT directors and other leaders from companies all over the world – stated that they had detection systems in place to uncover cyberthreats. This is a considerable increase from the state of business cyber security about a decade ago, when hacking was a known quantity but wasn’t taken seriously as something that could greatly imperil an organization in a matter of seconds. Fewer organizations, however, conducted more in-depth cyber security measures – specifically, risk assessments. Approximately 48 percent of respondents to the PwC survey engaged in vulnerability assessments, and only about 47 percent opted to conduct threat assessments.

These figures might, at first glance, appear to be negligible decreases from the aforementioned 52 percent of respondents whose businesses use cyberthreat detection, but there is ultimately a significant difference: Detecting malware, trojans and exploits derived from email phishing scams just before or right at the moment it penetrates a network is beneficial, but nonetheless limits the efficacy of its problem-solving, as it takes mere seconds for the strongest and most devastating viruses to start doing damage. With that in mind, IT and information security professionals – as well as those considering a graduate degree in the cyber security field – must know the ins and outs of high-end cyberthreat assessment measures.

Principles of risk assessment

While the specific steps and processes of a risk assessment may vary – these core concepts can serve as a reasonable roadmap:

• Take stock of the system: its size, number of hardware- and cloud-based access points, partner organizations and vendors, what information is stored and shared and its sensitivity. For example, a multinational bank is going to prove considerably more attractive to a hacker than a freelance photographer selling prints on a personal website.
• Look at potential threats: According to Sage Data Security, in addition to hacker intrusions or data breaches executed by disgruntled employees, one must also consider breaches resulting from human error, be it poor data backup, insufficient encryption and data traveling through unsecured channels.
• Analyze the environment: This step involves the examination of controls governing factors like administrator access, user authentication and provisioning, infrastructure data protection, continuity of operations and others. How vulnerable are these individual controls to the threats an organization is most likely to face?
• Likelihood: , Consider the probability of each breach type and its point of origin. This can, depending on organizational or network complexity, involve dozens of breach/source pairings.
• Final risk assessment: Sage Data Security recommended multiplying the likelihood of breach against its resultant damage to determine a risk rating. For example, if an organization is likely to experience breach attempts due to the valuable information its handling and the results of such a breach would be catastrophic, the business has an extremely high risk rating.

A novel concept?

According to a January 2017 report by the Department of Commerce’s National Institute of Standards and Technology (NIST), a lack of guidance – specifically, industry-standard or government-regulated best practices – has impeded the broad implementation of cyber security risk assessments throughout a majority of industries.

This itself has stemmed from, in part, what the NIST report calls “…a fairly fixed approach due to privacy laws and regulatory policies that have prescribed precise regulations to which an organization must adhere (e.g., providing notices and obtaining consent). Assessments, therefore, tend to be focused on compliance rather than the effectiveness of achieving a positive outcome for privacy.”
In certain industries, the lack of regular risk assessments is more staggering than others: According to The National Law Review, recent research found that 26 percent of investment management firms didn’t conduct such assessments on any consistent basis, and 57 percent of them didn’t conduct either penetration tests or vulnerability scans.

Changing regulatory climate

Guidance that didn’t exist at the time the NIST released its above-mentioned report has, in part, arrived, in the form of a May 2017 executive order, mandating that all government agencies adhere to any and all risk assessment and management standards that NIST has created. While this does not affect the private sector, success observed in this arena could mollify any dubiousness that leaders of companies and organizations might currently have.

As technology changes and grows and our reliance on it increases, hazards to it become greater threats than ever. Assessing breach and malware risks well in advance of their occurrence similarly becomes more important as well.

Recommended readings:
Why companies everywhere are boosting cyber security efforts
What we learned from infamous hacking incidents

Sources:

http://www.pwc.com/gx/en/issues/cyber-security/information-security-survey/assets/gsiss-report-cybersecurity-privacy-possibilities.pdf

http://nvlpubs.nist.gov/nistpubs/ir/2017/NIST.IR.8062.pdf

https://www.sagedatasecurity.com/blog/6-steps-to-a-cybersecurity-risk-assessment

http://www.natlawreview.com/article/sec-issues-cybersecurity-risk-alert-ransomware

https://www.whitehouse.gov/the-press-office/2017/05/11/presidential-executive-order-strengthening-cybersecurity-federal