Cyber Security: The value of good cyber risk management

Risk management, across all disciplines, is of vital importance to businesses.  Cyber security is one critical element of risk and has clear implications if it is done poorly (or not at all).

If organisations misjudge risks, it can affect their business due to events in the real world –extreme weather conditions, disrupted supply chains, market movements, competitive positioning, foreign exchange rate shifts – can all affect business performance.  However, in many of these cases the risks faced are unpredictable and (importantly) accidental, they are the results of things happening that weren’t foreseen – by nature, this means that statistically they can often be quantified in terms of likelihood or impact.

Cyber security does entail an element of chance to managing the risks associated with it, however organisations also face deliberate acts that can cause impacts to materialise.  Adverse weather disrupting your business isn’t a conscious, purposeful thing; a hacker breaking into a website and stealing data is a deliberate and conscious act.

Cyber risks are diverse and failure to adequately manage them can lead to:

• Exposing data to hackers
• Suffering outbreaks of ransomware
• Allows malicious insiders to subvert systems or data
• Failing to detect or respond to incidents that occur
• Losing money or suffering downtime

Much has been written about security risk management in the past and this blog post doesn’t aim to supplement, summarise or supersede any of that.  Rather it presents three implications or benefits of  doing risk management well, rather than a negative story about getting it wrong.

If you do risk management well – you can take more risks

As a business, if you have good source data about the prevalence, costs or impact of risks you can prioritise which ones are more likely and need attention, and which are less likely or impactful.  So, your overall level of risk drops where you have mitigations, countermeasures, controls or checks and balances in place.

Where challenges are well understood, you can operate the business in a way that maximises opportunity and takes sensible risks that you can profit from if they turn a result and manage problems that occur.

Cyber security for remote working

A simple example might be around remote access.  Imagine you have a good technology approach to providing remote working facilities, with users issued with laptops that can be managed – encrypted hard drives, secure builds, reliable networking, strong authentication and good staff awareness programmes built around a mobile work force.

This means you can reduce office space and provide flexible working arrangements that some skilled employees might specifically seek out.  Your business is also established in a way that enables it to survive sudden challenges like the Coronavirus isolation rules we are currently living under and operate globally more easily.  Handling remote access to systems and protecting data doesn’t have to be an unacceptable risk if it’s understood and managed.

If you can manage simple risks automatically – you can focus on more complex ones

We know from past security incidents that they often don’t come from highly complex and targeted attacks, but from simpler causes or known problems that could have been anticipated or security “own goals”.

Look at the findings of the ICO fine of BA due to poor cyber security basics, or the WannaCry outbreak in the NHS and Maersk (amongst others) exploiting poor patching, or TalkTalk’s SQL injection hack.  Basic cyber hygiene – patching, website testing, anti-virus, staff awareness, good password policies – are key.

A fact that is reinforced by so many schemes from various governments that aim to bolster these basic defences.  Examples include Cyber Essentials and the NCSC Top 10 in the UK, Essential 8 in Australia, the cybersecurity health check scheme in the Netherlands and the defence-focussed CMMC standard for DoD supply chains in the US.

Yet still security teams spend a large amount of time firefighting these issues or reporting on the  progress in resolving them.  Sometimes the time spent reporting itself becomes a resource burden, inhibiting the ability to address the issues that need urgent remediation.

Getting these controls right and being able to trust  they are operating effectively, is fundamental.  By implementing systematic streamlined measurement and objective monitoring processes organisations not only benefit from  less exposure to risk, it frees up considerable amounts of time and resource to think about the more esoteric, complex or organisation-specific challenges that are faced.

It also means that there is less firefighting in the existing environment, and more availability to contribute positively to new business initiatives, technology transformations and projects.  Again, better management of risks.

If you have good, timely information on risks – you can make better decisions

There is no doubt that awareness of any challenge means you have a start point from which to work from.  There is an adage that says:

“You can’t manage what you can’t measure.”

Peter Drucker’s famous axiom simply means that it is difficult to make decisions regarding the management of something if the true status of it is unknown.  Is patching a problem?  Is patching a bigger problem than administrative privileges?  Where are patches a problem and where are they OK?

In security, the threats change all the time – new vulnerabilities on Thursday mean Tuesday’s efforts at patching systems are already obsolete.  If data on security risks is out of date by several weeks because that’s how long it takes to assess the state of a control, you are looking at data that represents the past, not the present, when making decisions about what to do and what to prioritise.  Worse, if that data is wrong, incomplete, subjective or inaccurate then your decisions could easily be wrong anyway.

Doing risk management well

So good risk management means good risk metrics; timely data about the environment and controls and priorities that are up to date and trustworthy.

Essential 8 Auditor – short video overview

However, security teams are stretched thin, so this accurate risk information needs to be generated directly from controls or automatically with minimal human effort.  Human effort means delays, subjectivity and processes that can’t scale. Automated cyber risk audits provide the ‘measure’ that is needed.