Four tips on cybersecurity risk assessments
It’s hard to know how much cybersecurity spending is enough to lower risk to an acceptable level. What is enough and what else is needed? A cybersecurity risk assessment (CRA) can help. Four tips are highlighted.
- A cybersecurity risk assessment (CRA) helps companies determine where they need to focus their efforts and improve company safety.
- Using resources judiciously and getting help from experts can help reduce uncertainty during the CRA process.
A cybersecurity risk assessment (CRA) is a process in which an organization identifies, analyzes and evaluates the risks it may be exposed to in case of a cyberattack or data breach. Manufacturers and process facilities risk cybersecurity damages in revenue and reputation; cybersecurity risk assessments should be part of any organization’s risk management process.
Cybersecurity and related concerns continue to plague the business continuity objectives of enterprises. In this respect, cybersecurity mirrors the safety requirements of organizations. Like safety, it’s hard to know how much cybersecurity spending is enough to lower risk to an acceptable level. How many upgrades, how many changes in architecture and how much training is enough?
To address such apprehensions, a cybersecurity risk assessment can be a big help. While there are numerous frameworks for a CRA, these steps can help those starting out.
1. Do not panic.
Businesses may not be aware of it, but there is a high possibility that they are already affected by a latent cyberattack.
However, the last thing to do under such a circumstance is to panic. An adequate CRA process helps an organization make the right decisions, including which efforts to prioritize and how to use the required resources.
2. Making judicious use of resources:
Once the priority areas are identified, the next step is to use resources optimally. To do this, formulate goals based on the nature of the business and its unique requirements. An ideal cybersecurity risk assessment framework calls for classifying the potential risks into levels as follows:
- Basic level – This should cover the most basic and easy-to-prevent security risks.
- Intermediate level – This involves implementing protection against the most common attacks.
- Advanced level – This includes protection from all threats identified in the organization’s threat model.
- Continuous risk management – This means continuously monitoring the threat landscape and addressing new risks as and when they are discovered.
Apart from the above, other complementing steps include:
- Get rid of all low-hanging fruit – This ensures the best return on investment (ROI) because these items are simpler to address and do not require many resources. Low-hanging fruit includes items like security patches and updates, malware protection, and authentication methods of publicly accessible resources and internal services, among others.
- Risks should be analyzed and normalized to reflect the “real” exposure to the organization and the overall industry. The “real” value, as opposed to the default value of any vulnerability (CVE) you may have discovered, is usually either higher or lower.
- Investing in detection: It is imperative companies know the effectiveness and end results of the security measures deployed. The events and attacks that earlier seemed irrelevant may now need reassessment.
- Build a response and recovery procedure for cyberattacks and data breaches: Prepare a comprehensive yet compact list of actions that staff can remember and act on when urgently required. A 500-page policy compliance document will not help in case of emergency.
- Training employees on IT/cybersecurity awareness programs: Hackers get the best ROI on phishing and social engineering attacks. To prevent the possibility of human-led error, companies need to train and educate their personnel on cyberattacks.
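The normalization step in the list above, as an added example that is not from the original article: each finding's default CVE score is adjusted for how exposed the asset is and how critical it is to the business, and the work queue is ordered by the result. The multipliers, field names and sample findings are assumptions chosen for illustration, not a standard scoring scheme.

```python
from dataclasses import dataclass

# Assumed multipliers (illustrative only): how exposure and business
# criticality move a finding away from its default CVE score.
EXPOSURE = {"public": 1.3, "internal": 1.0, "isolated": 0.6}
CRITICALITY = {"high": 1.2, "medium": 1.0, "low": 0.7}

@dataclass
class Finding:
    name: str
    default_score: float   # score published with the CVE, 0-10
    exposure: str          # key of EXPOSURE
    criticality: str       # key of CRITICALITY
    patch_available: bool  # True marks "low-hanging fruit"

def normalized_score(f: Finding) -> float:
    """Default score adjusted to the organization's real exposure, capped at 10."""
    if not 0.0 <= f.default_score <= 10.0:
        raise ValueError(f"{f.name}: default score out of range")
    raw = f.default_score * EXPOSURE[f.exposure] * CRITICALITY[f.criticality]
    return round(min(10.0, raw), 1)

def work_queue(findings):
    """Highest normalized score first; on a tie, the patchable finding first."""
    return sorted(findings,
                  key=lambda f: (-normalized_score(f), not f.patch_available))

# Constructed sample findings (placeholders, not real CVEs or assets).
SAMPLE = [
    Finding("finding-A: isolated test rig", 9.8, "isolated", "low", False),
    Finding("finding-B: public customer portal", 6.5, "public", "high", True),
    Finding("finding-C: internal file server", 7.5, "internal", "medium", True),
]

if __name__ == "__main__":
    for f in work_queue(SAMPLE):
        print(f"{normalized_score(f):>4}  (default {f.default_score})  {f.name}")
```

Ranked by default score alone, finding-A would be handled first; after normalization it drops to last and the public-facing portal moves to the top.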
3. Getting it right, every time: Continuous cycle
Typically, a cybersecurity risk assessment report has a very short lifespan and it may even be obsolete by the time it is prepared. That said, the report is still valid and probably the only way to ensure the best methods are adopted to protect an organization from cyberattacks.
To make this process workable and valuable, it needs to be done in segments that are as autonomous as possible. A common mistake is for organizations to rely only on an annual, comprehensive end-to-end cybersecurity risk assessment that covers the entire business.
The best approach is to form a continuous cycle of cybersecurity risk assessment that includes a vulnerability assessment and security penetration testing of publicly or externally exposed resources and internal ones. As mentioned previously, its aim is to identify the various information assets that could be affected by a cyber-attack, assign the appropriate risk levels, and apply security measures and controls to minimize and contain the results of a successful cyberattack.
4. Seek cybersecurity help when necessary
While users can do it on their own, it’s better to partner with a company that has expertise in cybersecurity risk assessments. It’s also good if the cybersecurity advisor has knowledge and work experience within appropriate market segments because it provides advantages such as:
- Help in selecting the right cybersecurity framework
- Provide guidance in regulatory standards
- Inform of the benchmark score expected
- A bonus is if the partnering company aids in implementing the process and controls resulting from the cybersecurity risk assessment.
It’s never too late or too early to conduct a cybersecurity risk assessment or to change your methodology of approach to the problem.
The bitter truth is companies will end up spending a lot on cybersecurity – or if asking an expert, too little compared to the potential risk the company may be facing. A cybersecurity risk assessment helps companies make informed decisions on where to spend money. You will need to make smart decisions balancing risk vs. the spend on protection from cyber threats. Deciding how much to spend is more an art than a science.
Erez Ravina is senior security architect at L&T Technology Services, Israel. Atanu Niyogi is practice head – cybersecurity at L&T Technology Services. L&T Technology Services is a CFE Media content partner. Edited by Chris Vavra, associate editor, Control Engineering, CFE Media and Technology, firstname.lastname@example.org.
What are the biggest challenges or obstacles you’ve faced after performing a cybersecurity risk assessment?