Cybersecurity lapses continue to make headlines and undermine the fiscal health and reputation of the targeted organizations. Executives are under constant pressure to accommodate all the demands made on them.
Providing a little leadership on cybersecurity doesn’t fit well on the to-do list. Meetings with IT specialists often frustrate executives for one or more of the following reasons:
- Overloaded with detail and analysis.
- Long winded presentations.
- Overstated risks.
- Short on actionable recommendations.
- Complex, long-running implementation plans.
- Expensive spending recommendations.
Executives can replace these excruciatingly ineffective meetings with this simple formula for understanding and then reducing the risk of cybersecurity incidents.
Cybersecurity risk = Threats x Vulnerabilities
Executives can use this generic formula to assess many risks to business continuity. Here we’ll apply it to focus the cybersecurity risk discussion with IT specialists. Using this formula first leads to clarity about the nature of the cybersecurity risks the organization is facing. Clarity can then lead to targeted actions that expeditiously and cost-effectively reduce cybersecurity risk.
First, start by listing cybersecurity threats to your organization and the surrounding environment. Example threat assessment questions include:
- Do you sell products that organized crime finds easy or lucrative to resell? This threat increases the risk of attackers hijacking your shipments and using fake customers to fraudulently purchase your products.
- Do you own intellectual property or store private information that attackers can resell easily? Typical examples include proprietary designs or processes and personal information including credit card numbers and social insurance numbers. This threat increases the risk of attacks that cause data breaches.
- Do you have low employee morale or high turnover? This threat increases the risk of insider attacks to steal products or embarrass your organization publicly.
- Does your organization own a widely recognized brand that is prone to attacks from script kiddies or unsophisticated attackers motivated by vandalism and social media reputation? This threat increases the risk of vandalism of your public web presence and damage to your data.
- Does the existence of your organization annoy some nation states or terrorist organizations? This threat increases the risk of attacks that interfere with your business continuity.
- Are you experiencing high turnover in your IS department? This turnover threat creates risk of loss of organizational knowledge.
- Are your operations at risk of being disrupted by attacks against others such as the electrical utility, important suppliers or neighboring organizations? These threats can cause collateral damage to your balance sheet.
Consider involving your staff in gathering threat information through a short survey. Involving more people in the threat assessment almost always makes it more comprehensive.
Second, list cybersecurity vulnerabilities in your organization that attackers can exploit to gain access much more easily. Example vulnerability assessment questions include:
- Do you have unpatched operating systems on workstations and servers? Attackers routinely use these vulnerable computers to gain initial access.
- Do some of your employees have access to too many active accounts with excessive system access privileges? Attackers can greatly multiply their destructive impact when they hijack these vulnerable accounts.
- Have you experienced puzzling outages of your computer systems? Outages are often indicators of inadequate management of your computing infrastructure. Poor management creates vulnerabilities that increase the likelihood of successful attacks.
- Do you have gaps in the physical access controls at your facilities? Gaps make your organization more vulnerable to attackers seeking physical access to your computer systems.
- Is the elapsed time between the announcement of a patch for a critical or high-rated software vulnerability and the date your organization remediates that vulnerability acceptable to you? The longer this window of opportunity, the more vulnerable your organization is to a successful attack.
- Do you conduct vulnerability scans, attack and penetration tests with reasonable frequency? If not, you are more vulnerable to successful attacks.
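The patch-window question above is the one an executive can answer with data rather than opinion. The following is an added example, not code from the original article: it takes a list of findings (host, advisory, vendor severity, patch release date, remediation date or still open), measures each window of opportunity as of a reporting date, and reports the findings that breached a per-severity remediation deadline. The deadlines in `SLA_DAYS`, the advisory identifiers and the sample findings are all constructed for illustration and are not from the article.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Assumed remediation deadlines (days after patch announcement), by vendor
# severity rating. These are illustrative numbers, not figures from the article;
# an organization sets its own and the executive decides whether they are acceptable.
SLA_DAYS: Dict[str, int] = {"critical": 7, "high": 30, "medium": 90, "low": 180}
SEVERITY_ORDER = ["critical", "high", "medium", "low"]


@dataclass(frozen=True)
class Finding:
    host: str
    advisory: str               # constructed advisory identifier, not a real CVE
    severity: str
    patch_released: date        # date the vendor announced the patch
    remediated: Optional[date]  # None means the finding is still open


def window_days(f: Finding, as_of: date) -> int:
    """Days between patch announcement and remediation; for open findings,
    the window is still running, so it is measured up to the reporting date."""
    end = f.remediated if f.remediated is not None else as_of
    return (end - f.patch_released).days


def overdue(findings: List[Finding], as_of: date,
            sla: Dict[str, int] = SLA_DAYS) -> List[Tuple[str, str, str, int, int]]:
    """Findings whose window exceeded the SLA, as
    (host, advisory, severity, window_days, days_over), worst severity first."""
    rows = []
    for f in findings:
        sev = f.severity.lower()
        if sev not in sla:
            raise ValueError(f"unknown severity {f.severity!r} on {f.host}")
        days = window_days(f, as_of)
        if days > sla[sev]:
            rows.append((f.host, f.advisory, sev, days, days - sla[sev]))
    return sorted(rows, key=lambda r: (SEVERITY_ORDER.index(r[2]), -r[4]))


def summary(findings: List[Finding], as_of: date,
            sla: Dict[str, int] = SLA_DAYS) -> Dict[str, Tuple[int, int]]:
    """Per-severity (total findings, findings that breached the SLA)."""
    out = {sev: [0, 0] for sev in SEVERITY_ORDER}
    breached = {(r[0], r[1]) for r in overdue(findings, as_of, sla)}
    for f in findings:
        sev = f.severity.lower()
        out[sev][0] += 1
        if (f.host, f.advisory) in breached:
            out[sev][1] += 1
    return {sev: (t, b) for sev, (t, b) in out.items()}


# Constructed sample data: four findings from a fictional scan report.
AS_OF = date(2024, 3, 20)
SAMPLE_FINDINGS = [
    Finding("srv-web-01", "ADV-0001", "critical", date(2024, 3, 1), date(2024, 3, 5)),
    Finding("srv-db-02", "ADV-0002", "critical", date(2024, 3, 1), None),
    Finding("wks-117", "ADV-0003", "high", date(2024, 2, 1), date(2024, 3, 15)),
    Finding("wks-203", "ADV-0004", "medium", date(2024, 1, 10), date(2024, 3, 1)),
]

if __name__ == "__main__":
    for host, adv, sev, days, over in overdue(SAMPLE_FINDINGS, AS_OF):
        print(f"{sev:8} {host:12} {adv}  window {days}d, {over}d past SLA")
    print(summary(SAMPLE_FINDINGS, AS_OF))
```

Two design points matter for the executive conversation. Open findings are measured up to the reporting date, so an unpatched critical server keeps getting worse in the report rather than disappearing because it has no remediation date. And the output is a short ranked list with a per-severity count, which is the level of detail the meeting needs; the scan data behind it stays with the IT specialists.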
Third, based on the findings of the threat and vulnerability assessments, create an action plan that addresses higher likelihood threats and higher impact vulnerabilities. Actions typically fall into one or more of the following three categories:
- Remove vulnerabilities by taking remedial steps such as updating operating systems.
- Mitigate vulnerabilities by making process improvements such as monitoring logs more carefully.
- Transfer the residual risk by buying cyber risk insurance. Insurance does not remove a vulnerability; it shares the financial consequences of an attack that exploits it.
Using this three-step process can materially reduce the risk of cybersecurity incidents adversely impacting the future of your organization.
What do you think are cost-effective ways to reduce the risk of cybersecurity incidents at your organization?