Cybersecurity Risk Management: A Complete Guide
What is Cybersecurity Risk Management? Cybersecurity risk management is a specialized practice that prioritizes defensive measures for cybersecurity...
8 min read
Rubens Perdomo : May 20, 2021 5:00:00 PM
Every modern business faces some form of IT risk. From the smallest “mom and pop” store to the largest multinational conglomerate, there are always threats to the confidentiality, integrity, and availability of the information the business needs in order to operate.
What is IT Risk? What are some examples of common IT risks? How can they hurt your business? More importantly, how can you protect your company from these risks?
An IT risk is anything that threatens the confidentiality, integrity, or availability of data collected, stored, or processed by an organization. IT risks can be grouped into distinct categories based on where they come from and which of those three properties they affect.
What are some common categories and examples of IT risks? While there are far too many possible risks to address them all here, four common types of IT risk are cyber attacks, IT vulnerabilities, human error, and catastrophic events such as natural disasters.
The first category is deliberate cyber attacks. Malicious actors may try to breach a company’s defenses to cause damage, steal information, or extort the business for money. This category covers things like malware, phishing, distributed denial of service (DDoS) attacks, ransomware, and other external threats.
These threats affect data in different ways depending on the type of attack. For example, ransomware encrypts the data on a company’s network so that it cannot be read or used, which is an attack on availability (many ransomware operators also copy the data before encrypting it, so confidentiality may be lost as well). Meanwhile, advanced persistent threats (APTs) stealthily exfiltrate data to cyber criminals over a long period, which breaches the confidentiality of that information.
Sometimes, the worst IT risks aren’t the result of malicious intent. Instead, they arise from insufficient planning and preparation of the IT environment. An IT vulnerability is a weakness in a network, a system, or the way data is handled that increases the likelihood or the impact of something going wrong, whether or not anyone is actively trying to exploit it.
For example, there’s a concept in IT called the “single point of failure.” This is a system or component that, if it fails, renders some process unusable or prevents important data from being accessed. A company that routes all of its network traffic through a single router or load balancer has a single point of failure: if that device fails, the network becomes inaccessible.
Another example of an IT vulnerability is an IT asset that isn’t up to date with its security patches. As new cyber threats emerge that exploit known flaws in software or hardware, the original developers or manufacturers of those assets release security patches to address the flaws. Assets that are missing those patches remain exposed to attacks that exploit publicly known flaws, which makes it easier for malicious actors to breach security.
The third category is human error. Everyone makes mistakes sometimes; however, human error can have a devastating impact on the integrity of a business’ data. For example, if an employee accidentally deletes an important financial data table, that could impact the company’s ability to pay bills or collect money it is owed.
Human error can also compromise the confidentiality of data. For example, say an employee means to send an email containing sensitive information to their boss, Brad McPherson. Instead, they send it to a personal address rather than the boss’ business email, and misspell the name as Brad.MacPherson@email.com. Unfortunately, there just so happens to be a person with that email address, and now that person has sensitive company information.
The fourth category is catastrophic events such as natural disasters, which can damage a business’ network or the infrastructure it needs to operate. For example, an earthquake could strike the region where a company’s data center is located, damaging the data center and the fiber optic cabling that connects it to the internet. Flooding from hurricanes can cause power and network outages over huge areas.
These catastrophic events can affect both the integrity and availability of data for a prolonged period of time.
To protect a company’s data against these and other IT risks, it’s important to engage in IT risk management best practices.
IT risk management is a subset of risk management that specifically addresses threats to the availability, integrity, and confidentiality of an organization’s data.
Because of the variety of risks that a business’ technology infrastructure might face, IT risk management may need to encompass a large number of different activities.
IT risk management is a process with many distinct steps. The steps to protecting your company from its biggest IT risks are:
The first step is to identify the risks. Before you can create a plan for addressing the specific IT risks facing your organization, you need to know what those risks are. This means conducting an IT risk analysis.
In a basic IT risk analysis, the organization creates a comprehensive map of all the IT assets it uses or has present on its network—everything from the printers to employee computers, smartphones, and even the “smart” coffee maker in the employee breakroom.
After creating an IT asset map, the organization then tries to identify and categorize the risks faced by their network. Risks can be categorized as known, unknown, and unknowable.
In IT risk assessment planning, unknown and “unknowable” risks are usually approached through brainstorming sessions. Here, employees imagine improbable situations that could affect the network and work out how those situations could be resolved.
ISO 27001 (clause 6.1.2) makes a documented risk assessment process a basic compliance requirement. To meet it, an IT risk assessment needs to establish and maintain specific risk criteria, produce consistent and comparable results when repeated, reliably identify factors that can lead to loss of data confidentiality, integrity, or availability, and identify the owners of those risks.
What’s an IT risk assessment’s goal or objective? To help the organization prioritize the greatest risks that it can fix in the shortest time.
Some key criteria to consider when assessing each IT risk are how likely it is to occur, how severe its impact would be if it did, and how much it would cost (in time, money, and effort) to address.
This information is crucial for prioritizing which risks get addressed first. Normally, a company would want to focus first on the most likely risks with the highest impact and the lowest cost to address.
For example, let’s say there’s an unpatched customer-facing app with a flaw that would easily allow cybercriminals to steal sensitive information. However, it could be fixed simply by downloading and applying the latest security patch, a process that takes only a couple of minutes. This should be a high-priority IT risk to address, since it is very likely to result in severe damage but costs very little to prevent.
The second step is planning. Once the specific IT risks the company faces, and which of them are the most important to fix, have been established, it’s time to create a plan for addressing them. This can begin with a kind of gap analysis for each IT risk and its solution: simply describe the desired future state (risk eliminated or minimized) and the current state (why the risk exists).
Assemble a list of IT risks by priority and the resources or actions needed to address each one. Create an estimate of the cost of fixing everything and determine if that falls within the IT budget. If it does, IT team members can be assigned to the task of implementing fixes almost immediately. If not, then it’s time to pick and choose which items will be fixed first until more budget can be set aside for fixes (or to go to the Board and investors and try to get more funding approved).
It’s important to know which risks can be prevented entirely and which ones can only be mitigated—then apply the most efficient strategy for addressing each risk. For risk mitigation, it can help to consider solutions like risk-specific insurance to minimize its impact or to create backup systems to take over in the case of a catastrophic IT failure.
In the planning document, it’s important to create lists of all resources needed and how they should be used, create a realistic timeline of planned events, and assign roles and responsibilities to ensure accountability.
The third step is to assign roles and responsibilities. Who in the organization will be responsible for which parts of the IT risk management process, not just during the initial effort to resolve IT risks but for the foreseeable future as the plan continues?
Assigning roles and responsibilities helps to create accountability for every part of the risk management plan. This way, if something needs to be done to keep the plan on track, leadership knows whom to go to—especially if important plan milestones are missed.
The fourth step is to prepare for the worst. Brainstorm some absolute worst-case scenarios: events that would completely wipe out the company’s IT assets, data, and systems. What would happen if everything simply evaporated tomorrow?
While this kind of thing would normally be an “unknowable” risk, it can help to create a couple of doomsday scenarios and establish plans for dealing with them. For example, could the company afford to establish and maintain a secondary data center that would take over if the primary one gets hit by a natural disaster?
Or, what would the company do if there was a massive data breach that resulted in every single piece of sensitive data being stolen by cybercriminals? How would the company notify customers, prevent the theft of corporate resources, and protect against future fraud that leverages the stolen data?
Merely having a plan for what to do in such worst-case scenarios can be very useful for minimizing their impact—since there will already be a contingency plan in place that the business can use.
IT risk management isn’t a “one and done” process. It’s an iterative process that will require constant refinement as new risks are discovered. So, the final step of the plan is to periodically repeat it as needed to spot new risks early and fix them—hopefully before they can cause damage!
Here’s a quick outline of a simple IT risk management plan template based on a template from the Centers for Disease Control (CDC):
A small introductory page that explains the plan and its goals.
A section detailing what roles exist within the IT risk management plan and who is responsible for specific plan activities.
A risk matrix that rates each identified risk by probability (rows) and impact (columns). Each cell is colored to show how urgently risks that land in it should be handled:

                   | Low Impact | Medium Impact | High Impact
High Probability   | Yellow     | Red           | Red
Medium Probability | Green      | Yellow        | Red
Low Probability    | Green      | Green         | Yellow

Risks in the red squares (toward the high-probability, high-impact corner) should be addressed immediately. Risks in the yellow squares should be addressed as soon as is practical. Risks in the green squares (toward the low-probability, low-impact corner) should be addressed after all red and yellow risks have been dealt with.
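To show how the matrix and the cost criterion from the assessment step turn a list of identified risks into an ordered work queue that fits a budget, here is an added Python example. It is not part of the article or of the CDC template; the register entries, the cost figures, and the red/yellow/green cell assignment are constructed assumptions for illustration.

```python
"""Prioritize an IT risk register with a 3x3 probability/impact matrix.

Each risk is rated on the three criteria the article uses to prioritize
(likelihood, impact, cost to address). The matrix places it in a
red/yellow/green band, and within a band the cheapest fixes come first.
"""
from dataclasses import dataclass

LEVELS = ("low", "medium", "high")

# Assumed 3x3 heat map: rows = probability, columns = impact.
MATRIX = {
    "high":   {"low": "yellow", "medium": "red",    "high": "red"},
    "medium": {"low": "green",  "medium": "yellow", "high": "red"},
    "low":    {"low": "green",  "medium": "green",  "high": "yellow"},
}
BAND_ORDER = {"red": 0, "yellow": 1, "green": 2}  # lower = more urgent


@dataclass(frozen=True)
class Risk:
    name: str
    probability: str  # one of LEVELS
    impact: str       # one of LEVELS
    cost_to_fix: int  # estimated engineering hours to remediate


def band(probability: str, impact: str) -> str:
    """Return the matrix color for a probability/impact pair."""
    if probability not in LEVELS or impact not in LEVELS:
        raise ValueError(f"ratings must be one of {LEVELS}")
    return MATRIX[probability][impact]


def prioritize(risks: list[Risk]) -> list[Risk]:
    """Order risks by band (red first), then by cost to fix (cheapest first)."""
    return sorted(
        risks,
        key=lambda r: (BAND_ORDER[band(r.probability, r.impact)], r.cost_to_fix),
    )


def plan_within_budget(risks: list[Risk], budget_hours: int):
    """Walk the prioritized list and fund fixes until the budget is spent.

    A risk that does not fit the remaining budget is deferred; cheaper,
    lower-priority items after it may still be funded, so the deferred
    list is what goes back to leadership for more funding.
    """
    funded, deferred, remaining = [], [], budget_hours
    for risk in prioritize(risks):
        if risk.cost_to_fix <= remaining:
            funded.append(risk)
            remaining -= risk.cost_to_fix
        else:
            deferred.append(risk)
    return funded, deferred


# Constructed sample register (hypothetical entries and cost estimates).
SAMPLE_REGISTER = [
    Risk("Unpatched customer-facing app", "high", "high", 2),
    Risk("Single router with no failover", "medium", "high", 40),
    Risk("Smart coffee maker on office LAN", "low", "low", 1),
    Risk("Misaddressed email, no outbound DLP", "medium", "medium", 16),
    Risk("Primary data center in earthquake zone, no secondary site", "low", "high", 2000),
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_REGISTER):
        print(f"{band(r.probability, r.impact):6} {r.cost_to_fix:5}h  {r.name}")
    funded, deferred = plan_within_budget(SAMPLE_REGISTER, budget_hours=60)
    print("deferred for more budget:", [r.name for r in deferred])
```

With a 60-hour budget the two red items and the cheap yellow one are funded, the secondary data center is deferred, and the one-hour green fix still gets done because it fits in what is left. Swapping in the organization’s own matrix only means editing `MATRIX`; the ordering logic does not change.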
A document outlining plans to deal with the high-impact and/or high-probability risks identified during the assessment. Depending on the nature of the risk and the availability of resources, plans should be drawn to avoid, mitigate, or accept the risk—or transfer it to another organization (such as by using insurance or outsourced IT services).
This section tracks the status of different risks as the organization deals with them. This section should continuously update as new risks are prioritized.
When IT changes are planned, their potential risks should be documented and added to the IT risk management plan.
A section for tracking various tools, policies, and procedures used to identify and address IT risks. This section could also be used to maintain a project risk log that IT team leaders can address during IT team meetings.
Reach out to Systems X today to get started! We’re here to help you get more out of your IT investments while helping you protect your business from IT risk!