Cyber Security Risk Management means identifying, analyzing, evaluating, and addressing your organization’s cyber security threats.
Types of Cybersecurity Risks & How to Prevent Them
There’s no getting around the fact that cybersecurity is a real problem facing anyone with a device. Individual, business, organization, it doesn’t matter. With the widespread use of technology and its reliance on connectivity, it’s a prime market for malware. Since the inception of the internet, all sorts of security risks have come and gone. Their severity ranges from a minor nuisance to devastating, and you can be sure malicious attacks will remain so long as the net does. But, as scary as it sounds, there are plenty of common types of security risks that are both identifiable and preventable. In this article, we’re going to put the magnifying glass on the types of security risks and attacks facing people today, along with methods to stop them.
We’ll start with the most prolific and common form of security threat: malware. It’s been around since the internet’s inception and continues to remain a consistent problem. Malware is when an unwanted piece of programming or software installs itself on a target system, causing unusual behavior. This ranges from denying access to programs, deleting files, stealing information, and spreading itself to other systems.
Prevention: A proactive approach is the best defense. Common sense dictates users and organizations should have the latest anti-malware programs installed, for starters. It’s also important to recognize suspicious links, files, or websites, which are effective ways of implementing malware. Often, a combination of caution and anti-virus is enough to thwart most malware concerns.
“I’ve been hacked!” A common conclusion is when you log in to an account, only to find your password changed and details lost. The reality is an unwanted third party managed to steal or guess your password and has since run amok with the information. It’s far worse for an enterprise, which may lose sensitive data.
Prevention: There are several reasons for losing a password. Attackers may guess the password or use “brute force” programs to cycle through thousands of potential attempts. They may also steal it from an unsafe location or use social engineering to trick a user into giving it away. Two-factor authentication is a robust protection method, as it requires an additional device to complete the login. Additionally, using complicated logins thwarts brute force attempts.
Also known as “eavesdropping,” traffic interception occurs when a third party “listens” to info sent between a user and host. The kind of information stolen varies based on traffic but is often used to take log-ins or valuable data.
Prevention: Avoiding compromised websites (such as those not using HTML5) is an excellent proactive defense. Encrypting network traffic – such as through a VPN – is another preventive method.
Phishing scams are an older attack method and rely on social engineering to achieve their goal. Typically, an end user receives a message or email which requests sensitive data, such as a password. Sometimes, the phishing message appears official, using legitimate appearing addresses and media. This compels an individual to click on links and accidentally give away sensitive information.
Prevention: Generally, a common-sense approach to security is the best prevention. Phishing messages are often rife with spelling and syntax errors. Official emails from organizations do not request personal data, so this is a giveaway that there is malicious intent.
Distributed Denial of Service is an attack method in which malicious parties target servers and overload them with user traffic. When a server cannot handle incoming requests, the website it hosts shuts down or slows to unusable performance.
Prevention: Stopping a DDoS requires identifying malicious traffic and halting access. This can take time depending on how many malicious IPs are used to distribute the attack. In most cases, servers need to be taken offline for maintenance.
Cross Site Attack
Referred to as an XSS attack. In this instance, a third party will target a vulnerable website, typically one lacking encryption. Once targeted the dangerous code loads onto the site. When a regular user accesses said website, that payload is delivered either to their system or browser, causing the unwanted behavior. The goal is to either disrupt standard services or steal user information.
Prevention: Encryption is usually required on the host’s side. Additionally, providing the option to turn off page scripts is vital to thwart a malicious payload from activating. Users can also install script-blocker add-ons to their browsers if they prefer additional browsing control.
Occurring after the discovery of a “zero-day vulnerability,” an exploit is a targeted attack against a system, network, or software. This attack takes advantage of an overlooked security problem, looking to cause unusual behavior, damage data, and steal information.
Prevention: Stopping exploits is challenging, as it relies on the vendor both discovering the loophole and releasing a fix for it. In some cases, a zero-day vulnerability can exist for an extended period before it’s discovered. Users must maintain good safety habits until a fix is released.
An SQL attack is essentially data manipulation, implemented to access information that isn’t meant to be available. Essentially, malicious third parties manipulate SQL “queries” (the typical string of code requests sent to a service or server) to retrieve sensitive info.
Prevention: Implementation of smart firewalls is one prevention method; application firewalls can detect and filter out unwanted requests. Generally, the most effective way is to develop code that identifies illegal user inputs.
Similar to phishing, social engineering is the umbrella method for attempting to deceive users into giving away sensitive details. This can occur on any platform, and malicious parties will often go to great lengths to accomplish their goals, such as utilizing social media info.
Prevention: Remaining skeptical of suspicious messages, friend requests, emails, or attempts to collect user info from unknown third parties.
A Man-in-the-Middle attack occurs when a third party hijacks a session between a client and host. The hacker generally cloaks itself with a spoofed IP address, disconnects the client, and requests information from the client. For example, attempting to log in to a bank session would allow a MITM attack to hijack user info related to their bank account.
Prevention: Encryption and use of HTML5 are recommended.
A nasty variant of malware, ransomware installs itself on a user system or network. Once installed, it prevents access to functionalities (in part or whole) until a “ransom” is paid to third parties.
Prevention: Removal is challenging once installed. Keeping anti-virus updated and avoiding malicious links are the best current prevention methods. Also, current backups and replications are key to keeping ransomware attacks from becoming catastrophic.
Crypto jacking is an attempt to install malware that forces the infected system to perform “crypto-mining,” a popular form of gaining cryptocurrency. This, like other viruses, can infect unprotected systems. It is deployed because the act of crypto-mining is hardware intensive.
Prevention: Keep all security apps/software updated and make sure firmware on smart devices is also using the latest version. Crypto jacking can infect most unprotected systems.
Water Hole Attack
Generally used to target organizations, water hole attacks occur when a group infects websites a particular organization frequently uses. The goal – much like a cross-site attack – is to load a malicious payload from the infected sites.
Prevention: Anti-virus can passively identify dangerous scripts. Keep website scripts off as a default if your enterprise suspects an infection.
In a drive-by-attack, malicious code is delivered onto a system or device. The distinction, however, is that no action is needed on the user end, where typically they need to click a link or download an executable.
Prevention: Avoid suspicious websites. Normally, compromised websites are flagged by search engines and anti-malware programs.
Trojan malware attempts to deliver its payload by disguising itself as legitimate software. One technique used was an “alert” a user’s system was compromised by malware, recommending a scan, whereby the scan delivered the malware.
Prevention: Avoid downloading programs or executable from unrecognized vendors or those that attempt to alarm the user to a serious problem.
Cyber security risk management process
- Identify the risks that might compromise your cyber security. This usually involves identifying cyber security vulnerabilities in your system and the threats that might exploit them.
- Analyze the severity of each risk by assessing how likely it is to occur and how significant the impact might be if it does.
- Evaluate how each risk fits within your risk appetite (your predetermined level of acceptable risk).
- Prioritize the risks.
- Decide how to respond to each risk. There are generally four options:
- Treat – modify the risk’s likelihood and/or impact typically by implementing security controls.
- Tolerate – make an active decision to retain the risk (e.g., it falls within the established risk acceptance criteria).
- Terminate – avoid the risk entirely by ending or completely changing the activity causing the risk.
- Transfer – share the risk with another party, usually by outsourcing or taking out insurance.
Since cyber risk management is a continual process, monitor your risks to ensure they are still acceptable, review your controls to ensure they are still fit for purpose, and make changes as required. Remember that your risks continually change as the cyber threat landscape evolves, and your systems and activities change.
Importance of Risk Management
Risk management is an important process because it empowers a business with the necessary tools so that it can adequately identify and deal with potential risks. Once a risk has been identified, it is then easy to mitigate it. In addition, risk management provides a business with a basis upon which it can undertake sound decision-making.
For a business, assessment and management of risks are the best way to prepare for eventualities that may come in the way of progress and growth. When a business evaluates its plan for handling potential threats and then develops structures to address them, it improves its odds of becoming a successful entity.
In addition, progressive risk management ensures risks of high priority are dealt with as aggressively as possible. Moreover, the management will have the necessary information that they can use to make informed decisions and ensure that the business remains profitable.
Identify existing risks
Risk identification mainly involves brainstorming. A business gathers its employees together so that they can review all the various sources of risk. The next step is to arrange all the identified risks in order of priority. Because it is not possible to mitigate all existing risks, prioritization ensures that those risks that can affect a business significantly are dealt with more urgently.
Assess the risks
In many cases, problem resolution involves identifying the problem and then finding an appropriate solution. However, before figuring out how best to handle risks, a business should locate the cause of the risks by asking the question, “What caused such a risk and how could it influence the business?
Develop an appropriate response
Once a business entity is set on assessing likely remedies to mitigate identified risks and prevent their recurrence, it needs to ask the following questions: What measures can be taken to prevent the identified risk from recurring? In addition, what is the best thing to do if it does recur?
Develop preventive mechanisms for identified risks
Here, the ideas that were found to be useful in mitigating risks are developed into several tasks and then into contingency plans that can be deployed in the future. If risks occur, the plans can be put into action.
Reasons Risk Management Matters for All Employees
Risk managers know the purpose of their role and the value they bring to any organization. However, other employees may not understand what the risk department does or the widespread benefits of their strategy and actions. In many cases, they might be unable to accurately define risk management! This creates a problem. It’s harder for risk managers to get the buy-in to implement mitigation procedures when risk management isn’t common knowledge. To illustrate the importance of risk, here are 10 reasons all employees should care about risk management. We encourage you to share this with your team!
Everyone has to manage risk every organization faces risks. As most business people know well, sometimes the risk is inevitable to achieve success. Despite this, risk management is sometimes seen as “the department of no” — those who deny any project plan that seems to have any potential risk. This is the opposite of the truth. The purpose of risk management is not to eliminate all risks. It is to minimize the potential negative consequence of risks. By working with risk managers, employees can make smart risk decisions to improve the chance of reward.
Risk management makes jobs safer
Health and safety are critical parts of a risk manager’s role. They actively seek out problem areas in the organization and look to address them. They use data analysis to identify loss and injury trends and implement strategies to prevent them from reoccurring. This benefits employees in physical work environments, such as construction, but can also help office employees and those in similar positions through methods such as ergonomics. A safer workplace is better for everyone and is dramatically impacted by risk management.
Risk management enables project success
No matter the department, risk managers can help employees succeed with their projects. Just as they assess risks and develop strategies to maximize organizational success, they can do the same for individual projects. Employees can reduce the likelihood and severity of potential project risks by identifying them early. If something does go wrong, there will already be an action plan in place to handle it. This helps employees prepare for the unexpected and maximize project outcomes.
Risk management reduces unexpected events
Most people don’t like surprises, especially when it has an organizational impact A risk manager’s goal is to map out all potential risks and then work to prevent them or best manage them. It’s impossible to think of every possible risk scenario and address them all, but a risk manager makes unpleasant surprises less likely and more severe. The risk manager or the risk management department should be the first place an employee turns to when it seems like something serious could go wrong. there’s a good chance a plan is already in place for it.
Risk management creates financial benefits
The risk department should not be viewed as a cost center for the organization. It directly creates value. With trend analysis, risk managers can spot high-frequency events and work to minimize repetitive losses. Incidents will be less likely to occur and have less of an impact when they do, potentially saving the organization thousands if not millions of dollars. Risk managers are also the experts who procure the appropriate levels of insurance to maximize the financial impact of the risk management program.
Risk management saves time and effort
Employees at all levels spend time submitting data to the risk management department when incidents occur. These tasks are often completed in disjointed and inefficient ways. By streamlining these tasks, the risk department can alleviate the burden of tedious data submission from employees, allowing them to direct time and energy toward their true roles. With a solid process in place, it is easy for employees to buy into high ROI risk management initiatives and facilitate risk managers’ roles and reap the benefits of a formal risk management program.
Risk management improves communication
Horizontal and vertical communication is essential for organizational and employee well-being. They promote understanding of internal and external issues and help everyone work together effectively. While many employees know this, it can be difficult to put into practice if some parties don’t understand the impact it can have. Risk managers can help. They aid horizontal communication by providing a centralized touch point for all risk data and providing reports and analysis. Risk managers promote vertical communication by setting expectations and relating data to organizational goals. Each additional method of communication benefits employees.
Risk management prevents reputational issues
Many risks involve a reputation factor: something happens that causes the public to negatively view the organization. Reputational issues could impact individual employees as well, even if they weren’t involved. A formal risk department greatly decreases the likelihood of this fallout. When an incident inevitably occurs, a formal risk management program and processes will quickly contain the event and lower the chance of escalation and widespread negative consequences.
Risk management benefits the culture
A strong risk management culture is better for all parties: frontline employees, risk managers, executives, and decision-makers. It creates a mindset of prevention and safety that permeates the organization and influences the actions of employees. It sets expectations of performance and sends a positive image to the public.
Risk management guides decision-making
Decision-making is a challenging process, especially when making significant choices that will have a large impact on future success. Risk management data and analytics can guide employees in making wise strategic decisions that will help meet and exceed company objectives. They can also advise on the strengths and weaknesses of a decision alternative and provide recommendations on what risks to pursue and which to avoid. The risk department is an excellent source of guidance for employees in all areas.
Steps to perform a cybersecurity risk assessment
Practically every organization has internet connectivity and some form of IT infrastructure, which means nearly all organizations are at risk of a cyber-attack. To understand how great this risk is and to be able to manage it, organizations need to complete a cybersecurity risk assessment, a process that identifies which assets are most vulnerable to the cyber risks the organization faces.
This is a risk assessment that looks specifically at cyber threats, so risks such as fire and flooding which would be included in a general risk assessment are not in scope. Mitigating the risks identified during the assessment will prevent and reduce costly security incidents and data breaches and avoid regulatory and compliance issues. The risk assessment process also obliges everyone within an organization to consider how cybersecurity risks can impact the organization’s objectives, which helps to create a more risk-aware culture. So, what is at the heart of a cybersecurity risk assessment?
What does a cybersecurity risk assessment entail?
A cybersecurity risk assessment requires an organization to determine its key business objectives and identify the information technology assets that are essential to realizing those objectives. It’s then a case of identifying cyber-attacks that could adversely affect those assets, deciding on the likelihood of those attacks occurring, and the impact they may have; in sum, building a complete picture of the threat environment for particular business objectives. This allows stakeholders and security teams to make informed decisions about how and where to implement security controls to reduce the overall risk to one with which the organization is comfortable.
Step 1: Determine the scope of the risk assessment
A risk assessment starts by deciding what is in the scope of the assessment. It could be the entire organization, but this is usually too big an undertaking, so it is more likely to be a business unit, location, or a specific aspect of the business, such as payment processing or a web application. It is vital to have the full support of all stakeholders whose activities are within the scope of the assessment as their input will be essential to understanding which assets and processes are the most important, identifying risks, assessing impacts, and defining risk tolerance levels. A third party specializing in risk assessments may be needed to help them through what is a resource-intensive exercise.
Everyone involved should be familiar with the terminology used in a risk assessment such as likelihood and impact so that there is a common understanding of how the risk is framed. For those who are unfamiliar with cybersecurity concepts, which can help guide organizations on how to assess their information security risks in a structured manner and ensure mitigating controls are appropriate and effective.
However, avoid a compliance-oriented, checklist approach when undertaking an assessment, as simply fulfilling compliance requirements doesn’t necessarily mean an organization is not exposed to any risks
Step 2: How to identify cybersecurity risks
You can’t protect what you don’t know, so the next task is to identify and create an inventory of all physical and logical assets that are within the scope of the risk assessment. When identifying assets, it is important to not only establish those which are considered the organization’s crown jewels — assets critical to the business and probably the main target of attackers, but also assets attackers would want to take control over, such as an Active Directory server or picture archive and communications systems, to use as a pivot point to expand an attack. Creating a network architecture diagram from the asset inventory list is a great way to visualize the interconnectivity and communication paths between assets and processes as well as entry points into the network, making the next task of identifying threats easier.
Threats are the tactics, techniques, and methods used by threat actors that have the potential to cause harm to an organization’s assets. To help identify potential threats to each asset using a threat library like the knowledge Base and resources from the cyber threat alliance, which both provide high-quality, up-to-date cyber threat information. Security vendor reports and advisories from government agencies such as the cybersecurity & infrastructure security agency can be an excellent source of news on new threats surfacing in specific industries, verticals, and geographic regions, or particular technologies.
Identify what could go wrong
This task involves specifying the consequences of an identified threat exploiting a vulnerability to attack an in-scope asset. For example:
Threat: An attacker performs an SQL injection on an
Asset: a web server
Consequence: customers’ private data is stolen, resulting in regulatory fines and damage to reputation.
Step 3: Analyze risks and determine the potential impact
Now it is time to determine the likelihood of the risk scenarios documented in Step 2 occurring, and the impact on the organization if it did happen. In a cybersecurity risk assessment, risk likelihood — the probability that a given threat is capable of exploiting a given vulnerability — should be determined based on the discoverability, exploitability, and reproducibility of threats and vulnerabilities rather than historical occurrences.
This is because the dynamic nature of cybersecurity threats means the likelihood is not so closely linked to the frequency of past occurrences like flooding and earthquakes for example. Impact refers to the magnitude of harm to the organization resulting from the consequences of a threat exploiting a vulnerability. The impact on confidentiality, integrity, and availability should be assessed in each scenario with the highest impact used as the final score. This aspect of the assessment is subjective, which is why input from stakeholders and security experts is so important. Taking the SQL injection above, the impact rating on confidentiality would probably be ranked as “Very Severe.”
Step 4: Determine and prioritize risks
Using a risk matrix like the one below where the risk level is “Likelihood times Impact,” each risk scenario can be classified. If the risk of a SQL injection attack were considered “Likely” or “Highly Likely” our example risk scenario would be classified as “Very High.”
Any scenario that is above the agreed-upon tolerance level should be prioritized for treatment to bring it within the organization’s risk tolerance level. There are three ways of doing this:
- Avoid. If the risk outweighs the benefits, discontinuing an activity may be the best course of action if it means no longer being exposed to it.
- Transfer. Share a portion of the risk with other parties through outsourcing certain operations to third parties such as DDoS mitigation, or purchasing cyber insurance. First-party coverage generally only covers the costs incurred due to a cyber-event such as informing customers about a data breach, while third-party coverage would cover the cost of funding a settlement after a data breach along with penalties and fines. What it will not cover are the intangible costs of loss of intellectual property or damage to brand reputation.
- Mitigate. Deploy security controls and other measures to reduce the Likelihood and/or Impact and therefore the risk level to within the agreed risk tolerance level. Responsibility for implementing the measures to reduce unacceptably high risks should be assigned to the appropriate team. Dates for progress and completion reports should also be set to ensure that the owner of the risk and the treatment plan is kept up to date.
However, no system or environment can be made 100% secure, so there is always some risk left over. This is called residual risk and must be formally accepted by senior stakeholders as part of the organization’s cyber security strategy.
Step 5: Document all risks
It’s important to document all identified risk scenarios in a risk register. This should be regularly reviewed and updated to ensure that management always has an up-to-date account of its cybersecurity risks. It should include:
- Risk scenario
- Identification data
- Existing security controls
- Current risk level
- Treatment plan — the planned activities and timeline to bring the risk within an acceptable risk tolerance level along with the commercial justification for the investment
- Progress status — the status of implementing the treatment plan
- Residual risk — the risk level after the treatment plan is implemented
- Risk owner — the individual or group responsible for ensuring that the residual risks remain within the tolerance level
A cybersecurity risk assessment is a large and ongoing undertaking, so time and resources need to be made available if it is going to improve the future security of the organization. It will need to be repeated as new cyber threats arise, and new systems or activities are introduced, but if done the well first time around it will provide a repeatable process and template for future assessments, whilst reducing the chances of a cyber-attack adversely affecting business objectives.