Managing cyber security risks  

It’s well understood that to succeed, you need to take risks.

What risks you take and which you decide not to depends on your understanding of the facts available to you.  

Weighing up the potential rewards against what could go wrong and taking decisions like this is risk management.

Cyber security is no different.

Effective risk management in cyber security means understanding the risks facing your business.  

Preparing to make hard choices, like where you want to prioritise your investment to minimise the most damaging things happening, will help you keep your business safe.

Even the largest organisations with big security budgets have to carefully consider where they focus their resources.  

The ingredients to effective cyber risk management are: 

• Knowing your business and what is most important to its operations. 
• Understanding what cyber threats could impact your business and how this is most likely to happen. 
• Preparing security controls and measures that will help you reduce risks most efficiently. 

Factor in cyber security from the get-go 

In most cases, retrofitting security implementations to an existing technology or a business process is the most expensive and challenging way to do it.

Factoring security in early can help you manage cyber risks almost by default, with lower or no costs, meaning you free up precious resources to use them elsewhere. 

A good example is choosing a new cloud service for your business.

If you ensure the service has the ability to enable 2-Factor-Authentication, you turn it on from the get-go and ideally integrate directly with your business’s identity and access management platform. Then you can be assured the data within the service and the way your employees access it has a good level of protection from the outset. 

Equally, when managing access to business-critical data or systems, it’s much easier to grant than take it away.

Applying the concept of “least privilege” whenever you rollout a new service, where employees only have access to the data and systems they need to do their jobs means you are building in segregation which will make life much harder for potential attackers. 

When implementing new technology or a new process, take the time to think about the most secure way of doing so and focus on areas where you can introduce security without increasing costs or degrading the usability.

Where you might have to spend more or add an extra security step, you can apply cyber security risk-management principles to decide whether it’s worth it or not.  

Understand cyber security risk and its effects 

All organisations have things of greater value. Often, this will be business services or technology, data, or key processes, and it can even be physical property, such as office spaces or specialist equipment.

If your business could not offer its services or take payments, this would have a big impact on revenue and even threaten business viability. 

Although most businesses have a clear view on what they do and how they do it, many have not worked through how they could be threatened or disrupted.  

When understanding cyber risk and how to manage it, you need to ask yourself what could happen because of a cyber attack? What would be the financial, reputational, and practical implications, if any of your most important assets were stolen or unavailable? 

A worthwhile exercise for organisations large and small is to gather key people together and talk through relevant cyber security scenarios and their potential impacts, including the most severe but plausible scenarios.

This way you get lots of different perspectives, reduce the chance you’ll miss something critical, and will strengthen your risk management choices, focusing on what is most important. 

The UK National Cyber Security Centre has a great resource called Exercise in a Box, which can help you exercise many of the main cyber security scenarios your business could face. 

Know what you have  

There is a saying in the cyber security industry that “you need to know what you have before you know what you need to protect”.

Modern organisations have a lot of ‘stuff’, whether that is data, IT systems, or software services, sorting what really matters from everything else can be quite a task.  

The most reliable way to do this is by creating an inventory, sometimes called an asset register, where you can collate your assets of all different types in one place. There are dedicated asset register tools available but even a spreadsheet is a good way to do this.  

You can use an asset register to identify dependencies between different things (e.g. important customer data in a specific database, stored on a particular server) and also what is most critical to the operation of your organisation.  

It acts as a single source of truth and is invaluable for risk management, working out where you need your most reliable security controls but also as an important reference point if a cyber incident occurs. 

Understanding threats to your business  

In our blog on threats, we explain the most common cyber threats to most organisations. Using this and other resources you can consider what specific threats are most relevant to you.  

For almost all organisations, the primary threat is of cyber criminals using common techniques such as phishing, malware, and software vulnerabilities to steal money, data, commit extortion—or all three.  

In recent years, ransomware attacks have become easily the most prevalent cyber threat globally. Cyber attacks can also be highly targeted or completely indiscriminate and it is safest to plan for both. 

Important questions to ask about threats to your business are: 

• What does my business do or have which could be easily monetised by a cyber criminal, i.e. holding sensitive data which could be sold, running financial transactions or payments which could be exploited, or offering services to other organisations which could be disrupted? 
• What would a cyber criminal deduce about our organisation from the outside? This could be how you advertise your services, what your employees say on LinkedIn or other social media apps, or what sector you operate in. 
• Where are we most obviously vulnerable? Perhaps you have a big online footprint, or business systems connected to the internet—all of these things have the potential to be  found and exploited by cyber criminals. 

Once you have decided what your most likely threat scenarios are, you can use this to inform your risk management approach, but also to communicate in a more tangible way with people in your organisation.  

For example, give employees real-world examples like:  

Asset 

“Our most valuable business asset is our CRM database.”  

Problem 

“These are routinely targeted by ransomware gangs, who use phishing techniques to get in, steal the data, and then extort victims with it.”  

Consequence 

“If this were to happen to us, we could quickly lose the confidence of our customers and face severe legal and financial consequences.”  

This is a much more powerful way of bringing people with you than just using generic language about cyber security. 

What bits need extra protection 

By far the most effective thing any organisation can do is put in place general cyber security controls such as 2-Factor Authentication, anti-virus or anti-malware, regular patching, and security training for employees.

But how can this be topped up for those critical areas of your business which your risk management discussions have identified?  

Firstly, you should investigate whether there are any opportunities to improve security without introducing a new tool or spending much more money. In particular, many technology services will be configurable so they are less permissive (i.e. more controls around access), or log or alert activity which is unusual.

Depending on the technology this might be easy to configure, or you might need to contact the vendor for support.  

Security monitoring can be expensive and time consuming but is much easier if you focus on 1 or only a handful of systems—if you have a person or team responsible for IT then they are probably best placed to do this. 

If you feel like you might need to buy a specialist security tool but don’t have the expertise within the organisation to advise which one or how to implement it, then you can hire external support to help.  

There are so many different tools available and so much hype around them, having an objective and experienced cyber security expert is the best way to ensure you only buy what you actually need, get the most from it, and are able to support and operate it in the longer term. 

Third parties and supply chain security  

Supply chains are a key area of cyber risk for most organisations, especially where critical services have been outsourced or sensitive data shared.

It is also increasingly common for cyber criminals to use supply chains as a way of getting to their real target.  

There is no silver bullet for supply chain security and it is very difficult to really know whether a supplier has adequate security or not.

Choosing the right suppliers can really increase your security, especially if you rely on larger companies who have invested heavily in cyber security and back it up with recognised industry certifications.  

In summary, there are four key things you can do to manage risks: 

• Understand the specific risks posed by a supplier, based on the potential impact to your operations from an incident. Seek the highest standards from those suppliers who are, in effect, an extension of your own business. 

• Review contractual commitments carefully. For example, is the supplier obliged to inform you if they suffer an incident? How quickly should they do so? 
• Look for industry certifications such as Cyber Essentials, ISO27001 or SOC2, which indicate a supplier take security seriously and has undergone a form of independent validation of their controls.  
• Make sure you do your bit in how you onboard a supplier. This could be configuring software using the supplier’s best practice guide, enabling 2-Factor Authentication, and managing your own employees’ access properly. 

Final thoughts 

Cyber security risk-management is about: 

• Knowing your business and what is most important to its operations. 
• Understanding what cyber threats could impact your business and how this is most likely to happen. 
• Implementing security controls and measures that will help you reduce risks most efficiently, especially opportunities to factor security in early. 

Getting a risk management plan in place will help you feel confident in how to manage cyber security risks in your business, before they happen.