Cybersecurity Risk Management
An organization faces many potential types of cyber attack. A successful social engineering attempt, in which an attacker extracts information from a user and uses it to carry out an attack. An employee who is enticed to click a link in a malicious email, which then downloads and installs malicious software designed to exfiltrate data. A ransomware attack in which critical company files are encrypted and can no longer be accessed. All of these scenarios are risks many organizations face. Let’s take a look at how organizations can address them.
Risk Identification – The first step of a risk management program is to identify the risks an organization may be facing. For cyber risk, this calls for a cyber professional who can determine where the infrastructure may be vulnerable.
Risk Removal – Some risks can be removed entirely. A cyber example is a security vulnerability that allows attackers to obtain a system’s administrator credentials and that is remedied by a patch released by the vendor. Applying the security patch to all systems in the company removes that risk entirely.
Risk Mitigation – Some risks cannot be removed entirely due to cost or other constraints; however, mitigations can be put in place to lessen the chance of being affected by a risk or threat. An example of this is employee training. Training employees not to click links in phishing emails, and alerting them to the danger, lowers the probability of that particular threat being carried out.
Risk Transfer – Some risks can be transferred to another entity altogether. A cyber example is transferring the network management function to an outside entity with more expertise. In many cases this is a good option for dealing with certain risks.
Risk Acceptance – Some risks will need to be accepted and monitored. An example is continued use of an older piece of software that contains vulnerabilities which could be exploited. The software may be needed to carry out a critical business function, and the funds to upgrade it may not be available until next year.
Risk Governance – Performing all of the above activities on a periodic basis constitutes a risk governance program. Governance also includes deciding the program’s risk tolerance level, selecting the risk team members, and setting an overall risk strategy. Every organization should at least review the IT and other risks facing the business so it can decide how to handle them.