Features 07.02.2023

Cyber Risk Real Talk: How to Identify and Address Your Unique Risk

It’s hardly setting the world alight to announce that determining cyber risk is crucial to a successful cybersecurity response. Kathryn Pick looks at how an organisation goes about identifying where that risk lies
Cybersecurity risk awareness is higher than ever, according to research from Gartner. And in number form, that means a 30% increase in board members considering cyber a business risk. That’s at least one thing that we can thank COVID for. That rare silver lining came as the pandemic saw a huge increase in remote working, exposing company networks to more threats than ever before.

The consequence was quite the leap in realisation. In a 2022 survey, 88% of board members said cybersecurity was viewed as a business risk, up from 58% in 2016. The trickle-down effect is that more than half of organisations (57%) said they were increasing the education of senior stakeholders on the value of security and risk management.

But acknowledging the threat is only the first stage of the process. Next, firms of all sizes need to take steps to determine their risk and work out how to tackle it.

It’s not the size of the boat…

It’s a fool’s game to believe only certain size companies need to worry about cyber threats, although this is a false sense of security many are guilty of. Maxine Holt, senior director of cybersecurity at Omdia, says size doesn’t matter. “Many of these threats are automated,” she says. “So it’s not a case of ‘being picked’; more that your organisation stands as much chance as the next of succumbing to a security incident or breach.”

Tony Lock, director and analyst at Freeform Dynamics, agrees that every company is vulnerable, regardless of size. “General complexity and the number of people, processes and systems involved will likely go up with size,” he contends, “but the need to have the right people in place to take responsibility and handle events is essential, even in a small firm, as is the need to test, learn and test again, and again, and again.”

Mike Small, senior analyst at KuppingerCole Analysts, adds that an organisation’s IT systems and applications hugely dictate its ability to operate and demonstrate resilience. He also says that the level of vulnerability lies not in the “size of the organisation” but in the “value of the data you hold.”

Is that enough to convince you that regardless of the size of your business, it’s time to address cybersecurity head-on? If not, we hope your head doesn’t get too sore in all that sand…

As critical as A, B, C…

Knowing you have cybersecurity risk is part one. The second part is determining what that looks like, and that’s a little more complex. So to help you on that mission, we asked the experts what should come first when determining cyber risk.
Freeform Dynamics’ Lock says it’s all about knowing where you stand before adopting any tools or processes. “Start at the beginning,” he says. Simple? Yes. But often overlooked. “Make sure you have a complete and up-to-date picture of all business operations, the IT and intra-business linkages, the people involved and operational processes. This will take effort, but without doing so, things can be overlooked.”

KuppingerCole’s Small says there are three unwanted outcomes from a cyber attack, and understanding those three is a good starting point.

“First up is if a business becomes unable to operate some or all major functions,” he explains. “For example, the recent ransomware attack on Royal Mail meant that it could not process mail leaving the UK.

“Second is a failure to comply with legal or contractual obligations.” For this example, he points to data breaches and the British Airways hack where customers’ details were stolen. “That leads to negative publicity, monetary penalties and the costs of investigating, rectifying and defending as well as compensation to affected parties.”

Third, Small continues, “is the loss of intellectual property or other important data such as customer or price lists.”

Accept, mitigate or transfer?

Omdia’s Holt has clear and actionable advice for identifying and acting on risk. Her methodology is to determine which risks are the most pertinent to an organisation and then decide whether to “accept, mitigate, or transfer the risk”.

“Risk acceptance generally depends on the impact [of the potential threat]; if the impact of a risk is high, then acceptance tends to be avoided, with organisations then deciding to mitigate or transfer the risk,” she explains.

“Examples of mitigation include putting in place security controls,” which can be a combination of people, processes, and technology. On the transferring risk option, she offers cyber insurance as a solution.

Once these ducks are in a row, categorised by ‘accept’, ‘mitigate’ and ‘transfer’, what happens next?

Lock suggests carrying out a range of what he describes as “thought experiments” to get to grips with how the company is already operating regarding cybersecurity. For example, he advises asking questions like, “What if? What would happen if? How would we respond if?”

“Then you can see if the company has answers, and preferably tested processes to react” in the event of a cyber incident, he says, highlighting disaster recovery as pertinent.

Other practical steps Small recommends include building protection against the threats, setting up detection systems for said threats, and ensuring you have a response plan.

“Implement good cyber hygiene,” he advises. “Training (such as how to detect phishing attacks), processes to ensure that systems are properly secured, implement the appropriate technologies needed and keep them up to date. Back up your data.” But that’s not all. “Implement or outsource the processes and technologies to detect when your organisation is under attack. The earlier you detect, the better prepared you are to minimise impact.”

Holt advises getting your ducks in a row by categorising risks into accept, mitigate and transfer

There is more to think about than just technology, however. A failure to understand this has left many business leaders vulnerable. “IT is now so interwoven in many business operations that this is only partly about IT,” says Lock. In reality, “it is mostly about process, including who can trigger events and who handles internal and external communications.”

Identifying what to worry about

Understanding the most common cyber threats impacting businesses is a must. However, when we asked Lock to share his take on the most common cyber threats, his answer was somewhat alarming. “All of them,” he said. Well, that’s just great…

“Cyber threats have become industrialised,” he explains. “This means that all types of cyber threats can target any organisation. Clearly, ransomware is very prominent now, but all other types of threats continue to evolve, and new attacks and vectors are being created continuously.”

Indeed, every expert we interviewed for this feature declared ransomware the top identifiable risk. If you’re not entirely familiar with what ransomware is, it’s where attackers put malicious software onto your systems that blocks access to computers or applications until you pay them a financial ransom. Once upon a time, it was deemed an attack carried out on large corporations, but as explored in our ‘The Chronicles of Cyber Incident’ article, organisations as small as a veterinary practice with a handful of staff are now being targeted and consequently put out of business.

Holt states, “Not being prepared for ransomware means compromising the confidentiality, integrity, and availability of the information you use to operate your organisation.” However, she does add that “there are many more threats for organisations to be aware of, to ensure that the information they use to remain operational is consistently adhering to the information security confidentiality, integrity, and availability principles.”

Pick your players

If you’ve got a good idea of where the business now stands and which risks might be posed, it’s time to turn your attention to people.

“The fundamentals are to ensure that roles, responsibilities and the communications channels between people are documented, understood and tested,” says Lock.

“Getting senior people to take responsibility and practise how to recognise ‘an event’ and how to respond is key.” He advises routinely questioning whether your company has these things in place and when they were last tested. “It is possible, maybe even likely, that most companies, regardless of size, may need external support and possibly even managed services to tackle incident protection, response and recovery,” he says.

Small agrees, adding: “It is sometimes thought that dealing with a cyber incident involves only highly-specialised technicians. However, since a cyber incident or data breach can have far-reaching consequences for an organisation and its customers, many people with different roles across the organisation are involved. It is important that the team can rapidly be assembled and that its members are well prepared.”
Holt believes that security risk assessment and management is a specialist role companies should consider recruiting for or outsourcing. “Understanding the cyber threat landscape requires security expertise, as does determining the likelihood and impact,” she says. “However, you don’t have to have these skills in-house; many organisations use external parties and specialists to help them.

“There are specialist firms to support organisations of all sizes,” she continues. “Also, many organisations look to service providers to support them here too.”

If you decide to manage cybersecurity in-house, Holt recommends doing plenty of research to determine your requirements. “Be aware that the job market for security professionals is extremely tight and therefore extremely expensive,” and that’s if you can find the right person, she adds, “which is another reason that external firms and service providers are so often used.”

Just keep swimming

Perhaps the most important thing to remember once you’ve worked out your risk, implemented plans, and hired the right staff or specialist providers, is that you have to keep it up and prepare for the future too.

Holt says: “Security management is an ongoing challenge. Many organisations use service providers or specialist companies to help them understand and manage security risks. It pays to have someone at an organisation with the lead relationship with any external providers supporting you with risk.”

“Start by making sure the Board, NEDs and C-Suite recognise they have responsibilities to the business and may need to invest in protection, systems, services and training,” adds Lock.

“Put people, resources and processes in place to keep cybersecurity under review and monitor risks as the business itself changes over time and as threat vectors evolve.”

Cybersecurity for NEDs and the C-Suite is an ongoing operational fact of life, states Lock. “It should not be looked at as a one-off project.”

And therein lies another critical takeaway: Cyber threats are constantly evolving, and, as Small concludes, you cannot afford to believe that your cyber defences are done and dusted once and for all. “You need to keep re-evaluating and improving your cyber protection processes and technologies,” he says.

Setting out on your journey to establishing your cybersecurity risk may seem daunting, but follow these steps, test, test and test again, and remember to keep it up to date to give your company the best protection.

Top tips for how to identify your cyber risk:

  1. Do an IT audit to get a complete picture of all business operations, people involved and operational processes
  2. Identify unwanted outcomes from cyber incidents
  3. Determine pertinent risks and decide whether to “accept, mitigate, or transfer the risk”
  4. Hire the right people
  5. Test your processes
  6. Recognise cybersecurity risk as an ongoing mission