A crucial piece of building a cyber-resilient organization is taking a risk-based approach to decision-making. You need to balance risk against reward, and manage cybersecurity risk in a way that is consistent with your organization’s objectives. Having an effective Risk Management Program can ensure your organization’s resilience.
Risk management is the process of establishing your risk appetite and tolerance, then assessing, mitigating, and monitoring risk on an ongoing basis. Risk assessments are an integral part of a strong Risk Management Program. After you’ve identified the system (application, function, or process) that you want to assess, you must characterize that system and determine the viable threats. In general, there are five major threats you should consider.
#1. Unauthorized Access
Unauthorized access is fairly straightforward: someone is able to get access to data they don’t have authorization to access. According to USLegal.com, unauthorized access to a computer entails approaching, trespassing within, communicating with, storing data in, retrieving data from, or otherwise intercepting and changing computer resources without consent. This could result from a direct hacking attack or compromise, a malware infection, or an internal threat, and may be malicious or accidental.
#2. Disruption of Service or Productivity
Disruption of service or productivity is a threat because you can’t use your data, and business typically comes to a halt. A common cause is a Distributed Denial of Service (DDoS) attack, where a machine or network resource is flooded with requests to the point where the system is overloaded and is unavailable to legitimate users.
#3. Data Leakage
Data leakage is the unintentional exposure of information. From a control standpoint, some of the primary contributors to data leakage are (1) no restrictions on the use of USB and CD-ROM drives; (2) allowing access to personal webmail from corporate-connected computers; and (3) not implementing a secure email solution that can detect common information types and block or automatically encrypt outgoing emails.
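The third control above, an outbound email check that recognizes common information types and decides whether to allow, encrypt or block a message, is easy to picture in code. The following is an added example, not code from the original post or from any product it mentions. It detects two constructed information types (payment card numbers, validated with the Luhn check to cut false positives, and US SSN-formatted identifiers); the policy thresholds, the `example.com` internal domain and the sample messages are assumptions made for the example.

```python
import re

# Detectors for two common information types. Constructed for this example;
# a production secure-email solution carries many more, but the shape is the same.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

# Assumed policy: any sensitive finding bound for an external recipient is
# encrypted; a bulk of findings is blocked and held for review; internal mail
# is allowed through unchanged.
BLOCK_THRESHOLD = 5
INTERNAL_DOMAIN = "example.com"  # constructed


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; filters out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return candidate card numbers (separators removed) that pass the Luhn check."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_valid(digits):
            found.append(digits)
    return found


def classify_outbound(body: str, recipient: str) -> dict:
    """Decide the policy action for one outgoing message.

    Returns a dict with the action ("allow", "encrypt" or "block") and the
    count of each information type found, which is what a DLP log would record.
    """
    domain = recipient.rsplit("@", 1)[-1].lower()
    cards = find_card_numbers(body)
    ssns = SSN_RE.findall(body)
    total = len(cards) + len(ssns)
    if total == 0 or domain == INTERNAL_DOMAIN:
        action = "allow"
    elif total >= BLOCK_THRESHOLD:
        action = "block"
    else:
        action = "encrypt"
    return {"action": action, "card_numbers": len(cards), "ssns": len(ssns)}


if __name__ == "__main__":
    # Constructed sample messages.
    print(classify_outbound("Please process card 4111 1111 1111 1111 for the refund.",
                            "billing@partner.example"))
    print(classify_outbound("Meeting moved to 3pm.", "billing@partner.example"))
```

Pattern matching alone over-triggers on phone numbers, order ids and the like; the Luhn check is the cheapest way to make the card detector precise, which matters because a noisy DLP rule is usually switched off rather than tuned.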
#4. Data Loss
Data loss refers to the risk that information is destroyed by failures or neglect in storage, transmission, or processing. We find this threat less frequently than in the past because organizations are doing a much better job of backing up and replicating their data to safe locations.
#5. Misuse of Privilege
Misuse of privilege is basically using your credentials to do things that you are not authorized to do – an authorized user doing unauthorized things. It has a couple of different intended meanings. One is that privileged user accounts (e.g. administrators) use their elevated credentials for their own financial gain, malice, or spite. It also applies to a misuse of any privileged access by anyone with access to information within your organization (e.g. employees, interns, vendors, etc.). Environments can be very fluid, with people coming and going all the time, so this can be difficult to keep track of.
When considering cybersecurity threats, it’s also important to think about the actors behind the threats. The Hollywood version of the lone hacker does not exist. Today cybercrime is big business. Cybercrime-as-a-service is a thriving services economy, fueled by a global marketplace featuring a breathtaking range of services. Little skill is required to become a very successful cybercriminal.
Being aware of the threats you’re facing is just the first step. You then need to evaluate what could go wrong, the likelihood of such an event occurring, and the harm if it did. Finally, you need to either accept the level of risk or take steps to mitigate the risk. Taking this type of risk-based approach to cybersecurity can help you make more informed choices that can ultimately strengthen your cyber resiliency.
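The loop described here (establish a tolerance, score each threat by likelihood and harm, then accept or mitigate) and in the opening paragraphs is what a risk register records. The following is an added example, not part of the original post. It uses the five threats above as rows, a 5x5 likelihood-by-impact matrix, a tolerance threshold, and a residual score after planned controls; the scales, the threshold of 8, the control names and the ratings are all assumptions made for the example, not figures from the post.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed qualitative scales (1..5); scores range over a 25-point matrix.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Risk:
    threat: str
    likelihood: str
    impact: str
    controls: List[str] = field(default_factory=list)   # planned mitigations
    residual_likelihood: Optional[str] = None           # rating once controls are in place
    residual_impact: Optional[str] = None

    def inherent_score(self) -> int:
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def residual_score(self) -> int:
        lk = self.residual_likelihood or self.likelihood
        im = self.residual_impact or self.impact
        return LIKELIHOOD[lk] * IMPACT[im]


def decision(score: int, tolerance: int) -> str:
    """Accept risk at or below tolerance; anything above must be mitigated."""
    return "accept" if score <= tolerance else "mitigate"


def assess(risks: List[Risk], tolerance: int) -> List[dict]:
    """Prioritize risks (highest inherent score first) and record the decision
    plus whether the planned controls bring each one within tolerance."""
    rows = []
    for r in sorted(risks, key=lambda r: r.inherent_score(), reverse=True):
        rows.append({
            "threat": r.threat,
            "inherent": r.inherent_score(),
            "decision": decision(r.inherent_score(), tolerance),
            "controls": r.controls,
            "residual": r.residual_score(),
            "within_tolerance_after_controls": r.residual_score() <= tolerance,
        })
    return rows


# Constructed register for one hypothetical system; ratings are illustrative.
SAMPLE_RISKS = [
    Risk("Unauthorized access", "likely", "major",
         ["MFA", "least privilege"], "unlikely", "major"),
    Risk("Disruption of service", "possible", "severe",
         ["DDoS scrubbing", "capacity headroom"], "possible", "moderate"),
    Risk("Data leakage", "likely", "moderate",
         ["USB restrictions", "outbound email DLP"], "unlikely", "moderate"),
    Risk("Data loss", "unlikely", "major",
         ["offsite backups", "restore testing"], "rare", "minor"),
    Risk("Misuse of privilege", "possible", "major",
         ["privileged access review", "logging of admin actions"], "unlikely", "major"),
]

TOLERANCE = 8  # assumed risk tolerance on the 25-point matrix

if __name__ == "__main__":
    for row in assess(SAMPLE_RISKS, TOLERANCE):
        print(row)
```

The residual column is the check that gets skipped most often: in the sample register, the disruption-of-service controls still leave a score of 9 against a tolerance of 8, so that row needs either a further control or an explicit, documented acceptance rather than quietly dropping off the list.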
Learn more about risk assessments in our blog post, 6 Steps to a Cybersecurity Risk Assessment.