The starting point of every cyber risk management effort is to define its scope and to understand which risks can be called “cyber”. Normally there is a direct link with cybersecurity, but the definition of cybersecurity itself is not always clear: is it just a new name for information security, or is it the part of information security that deals with potential attacks?
I have my own definition: “cybersecurity is the protection against adversarial threats coming from outside the company perimeter”. Under this definition, cyber risks relate to adversarial events whose threats originate outside the company, which helps to define clearly what is “cyber” and what is not.
There can be different definitions of cybersecurity, but whichever definition your company adopts, it is important to set a clear scope for your cyber risk management and to avoid treating every IT risk as cyber.
Once the scope is clear, the next step is to identify the company perimeter that could be affected by the threats and vulnerabilities behind cyber risk events. This seems an easy task, but in recent years the perimeter to defend has become more and more virtualized, due to the increasing outsourcing of applications and services and the growing use of remote working with mobile devices, in some cases even personal devices.
While this brings many advantages for companies (especially cost reductions), it also introduces new threats and risks, especially cyber ones, linked to this virtualization of the perimeter. It is therefore fundamental to understand what you need to protect and where the potential weaknesses that an attacker could exploit lie. Failing to do so will sooner or later bring an attack on some unprotected asset, with potential negative impacts that were never considered.
The next key point is to know the threats and vulnerabilities you need to worry about; this is mandatory when you define your cyber risk taxonomy, identifying the events and scenarios related to each specific threat. It also matters because threats and vulnerabilities evolve continuously, and it is not always easy to stay up to date and to know what applies to your company and what does not. In the cyber risk calculation, this knowledge is also fundamental when you have to estimate the probability of occurrence of each cyber risk event.
Given the immense volume of information on vulnerabilities and evolving threats, it is highly recommended to consider an intelligence platform or service that can handle multiple information providers and help filter out everything but the high-value information. This helps at several levels (strategic, tactical and operational) in threat intelligence, incident analysis and response, and vulnerability management, consequently reducing the level of cyber risk.
If technology is one of the pillars supporting efficient cyber risk management, the human factor can never be forgotten either.
New technologies will help with big data management, event correlation, incident severity determination, scenario analysis and so on, also through the introduction of artificial intelligence and machine learning platforms. It will be impossible to deal with cybersecurity and cyber risks without good security solutions and platforms; nevertheless, the human factor is still the key element that separates successful from failing cyber risk management.
People should be considered from two separate points of view: the users and the technical staff.
Users are very often “the weakest link in the chain”, and if there is no awareness of minimum security practices, there is a good probability that this will lead to cybersecurity incidents. Phishing, ransomware, fraud and the like are often enabled by an unaware user, and it is very difficult to protect the company against bad behaviours.
How do we deal with that? Awareness is the key: specific cybersecurity awareness campaigns will often mitigate the related cyber risks, provided they are treated not as a one-shot event but defined within a programme with a broad scope and cyclic updates.
The security technical staff is the other side of the coin and the key element in dealing with cyber threats and vulnerabilities, minimizing the probability that a negative cyber event succeeds. The problem here is that, according to ISACA, the shortage of cybersecurity personnel, both in numbers and in skills, is among the top five cybersecurity challenges of the near future.
Often, security teams do not have enough personnel, and you cannot always find the appropriate skills. Here the solution should be part of a strategic programme, investing in people and skill acquisition through strong training and certification programmes. Other solutions can be considered, e.g. outsourcing some activities, but it is important to have skilled cybersecurity experts supporting your cyber risk management activity.
This will probably not prevent every possible cyber risk event, but it will greatly reduce the probability of occurrence of a negative event and the impact of the incident if it does take place.