As noted in another article, the global pandemic has seen a huge change in how people work, live, shop and communicate. We have seen businesses totally change how they interact with their customers. Business to consumer organizations have seen the biggest changes, but it has also impacted business to business organizations. Traditional approaches to basic business functions such as sales, marketing, supply chains and customer service need to be reimagined and focused. Many new developments and technologies that have come out of the COVID-19 era will forever change how we do things.
One of the more negative aspects of the COVID-19 pandemic is the dramatic rise in the number of cyberattacks over the last year. According to reports, cyberattacks tripled in the second quarter of 2020 over the first quarter. Losses from cybercrime increased by 50% over the last 12 months. Cybercriminals have taken this opportunity to ratchet up their attacks, both in frequency and scope.
According to recent FBI reports, the number of complaints about cyberattacks to the FBI Cyber Division has grown to as many as 4,000 a day. That represents a 400% increase from what they were seeing pre-COVID-19. According to a Microsoft report, phishing and social engineering attacks have increased to close to 30,000 a day in the United States. Ransomware attacks have jumped 800% since the beginning of 2020.
Sales of security technology and software are forecasted to exceed $170 billion by 2022. Companies are beginning to take security more seriously, realizing that this is a business issue, not just an information technology problem.
As with any fire drill, when a company is under siege from a cyberattack or has experienced a ransomware event/data breach, business and technology executives will look to address the problem quickly. Typically, this means purchasing additional security technology, software or services. Many organizations will look at outsourcing their security function, thinking they can completely transfer the risk to another organization. Unfortunately, they eventually find out that they will not be able to remove themselves from all the risk and liability.
The problem with these approaches is that nobody has really diagnosed the problem. Most people wouldn’t be comfortable if they went to the hospital only to be given a prescription without being examined and diagnosed. Why would an executive be allowed to spend tens or hundreds of thousands of dollars on technology if they don’t know that it will solve the problem? If you are not certain that the solution will mitigate or even reduce the risk to the company, you are just guessing, and it is probably not a good guess.
You Can’t Manage What You Haven’t Measured
There are two old sayings that most companies should take to heart: “You don’t know what you don’t know” and “You can’t manage what you can’t measure.” When it comes to business risk, too many companies do not have a clear understanding of what their risks are and the actual financial impact of those risks on the company. Many of these companies have built or implemented expensive security organizations without knowing if these expenditures and resources would actually mitigate or even reduce the financial impacts of their risks.
RISK: A probability or threat of damage, injury, liability, loss, or any other negative occurrence that is caused by external or internal vulnerabilities (BusinessDictionary.com)
With traditional risks, that loss can be financial, reputational, operational or legal/regulatory. If we are referring to cyber risk, the loss is due to a cyberattack or security incident resulting in a financial, reputational, operational or legal loss.
Too many organizations confuse having an information security program with a risk management program. Many of those same organizations think that security and risk functions are both part of information technology. Let’s be perfectly clear – knowing the risks and the security posture of your digital assets is a business issue. In previous articles, I have described the importance of implementing a robust governance, risk and compliance strategy, which is critical for business resiliency. The three components of this strategy are your information security program, your compliance program and your risk management program. If you think of it as a pyramid, the risk management program sits on top of your compliance program, which in turn sits on top of your security program. Security threats and vulnerabilities from your security program, along with non-compliant controls from your compliance program, are fed up to your risk management program.
What I have typically seen is that a company will start building its security program around a specific regulatory or industry compliance standard, such as PCI. This is better than nothing, since PCI DSS does require you to have existing policies, operational processes and technology controls. However, it does not provide an overall view of your security posture, since most of these standards have a narrowly focused scope and do not address the security controls of all the organization’s critical digital assets. It also does not allow you to measure the effectiveness of the controls in place, since the standard is based on a point in time.
When asked, many business executives say that they perform risk assessments as part of their security or compliance requirements, but these are only done once a year at best. Risk Management is NOT a STATIC activity or annual event. Risk Management needs to be a dynamic activity since risks are constantly changing. Most risk assessments are typically based on a qualitative approach within an industry standard from NIST or ISO. This type of risk assessment is useful to help a CISO prioritize issues and activities, but does little to help a CEO understand what the financial impact of a specific risk is on the organization overall.
Inherent Risk vs Residual Risk
Most risk assessments are based on a set of controls that are defined by industry standards. These controls should be evaluated as part of the overall risk analysis process to determine Residual Risk. Calculating risk without including existing security controls is called Inherent Risk. Determining both inherent risk and residual risk is critical in determining the financial impact of a risk as well as the mitigation costs. Inherent risk determines the financial impact without any controls in place; in other words, this is the worst-case scenario. Residual risk is determined by incorporating the existing controls into the calculation, which gives you an accurate picture of the risk based on your current security posture.
Understanding Your Data
There are several risk methodologies used in the industry today. Most are focused around a set of controls that are used to measure risk. What is clear is that the process needs to begin with, and should be based on, the digital assets the company is trying to protect. Identifying and classifying these assets by their value to the organization is the first step. Determine what assets are the crown jewels of the organization, namely those that would impact the organization the most if they were exposed or stolen. Next, identify the critical assets to the operations of your business. Finally, clarify which assets should be considered company confidential.
Once you have categorized your digital assets, you can now determine which assets are used in each of your operational processes and transactions. You will also determine who needs access to the asset as well as what kind of access is needed. The location of the asset, and confirming if there are multiple versions of the asset, is also critical.
The next step will be to build an asset inventory of all the hardware, applications and system software, then group these assets by the specific system they support. Each group of assets will be assigned a value (asset value) based on the actual replacement cost of each asset as well as the overall cost to the company if the system is not operational (usually defined in hours).
Creating Your Risk Registry
Building out the risk registry can be done in tandem with the asset inventory. Risks are typically defined in three categories: (1) Business Interruption Costs; (2) Data Exfiltration Costs; and (3) Regulatory/Contractual Costs.
Examples of business interruption costs are denial-of-service disruptions and ransomware, where your critical files have been encrypted and your systems are no longer usable. Business interruption costs can be determined by calculating the value as well as the cost of the system transactions produced in one hour, multiplied by the number of hours it will take to resolve the disruption.
Ransomware can also be considered a data exfiltration cost since in many ransomware situations, the cybercriminal also creates a copy of your data before the encryption occurs. IBM has calculated that the average cost of a stolen record is $141. It is three times higher for personal health records. This can be calculated using the number of records stolen multiplied by the cost per record.
Regulatory/contractual costs can occur when a regulatory body such as GDPR or the State of California issues fines to an organization that has incurred a cyberbreach. Typically, this is related to personal privacy data that was stolen. Government organizations such as the Office of Civil Rights (HHS), FCC, FTC, CFPB, SEC or the Payment Card Industry (PCI) can also issue fines. Third-party contracts may also include fines or compensation in case of a cyberbreach.
Metrics and Measures
You now have all the pieces to perform the measures and metrics for the quantitative risk calculations.
The next step is to determine likelihood. Likelihood is the probability an incident will cause damage. This is determined based on various factors, such as:
- number of users of the system(s)
- types of users
- location of system(s)
- third-party access
- prior breach history
- security awareness of the staff
- and many other factors that could impact the likelihood
You can now calculate the inherent risk cost by multiplying the likelihood score by the asset (group) value.
To determine the residual risk, you will need to include the results of the qualitative risk assessment, which identifies what cybersecurity controls are in place and their effectiveness. It is important to determine a severity rating for each control (typically seen as a score from 1 to 5 and sometimes displayed as low/medium/high or green/yellow/red). This can be performed utilizing a standard risk controls framework like NIST 800-30 and/or a questionnaire to evaluate maturity level (such as CMMI).
The residual risk calculation is as follows:
Residual risk = inherent risk – (score of findings + vulnerabilities + threats (incidents))
Residual risk typically should be lower than inherent risk since the assessment of the security controls should reduce the overall risk. However, existing vulnerabilities and threat incidents may increase the residual risk.
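The registry costs and the inherent and residual risk calculations above, worked through as an added example (not code from the article). The 0-to-1 likelihood scale, the linear mapping of 1-5 control scores to a dollar credit, and the signed dollar values for vulnerabilities and threats are assumptions made here so that every term of the formula shares one unit; the sample system is constructed.

```python
from dataclasses import dataclass, field

COST_PER_RECORD = 141.0  # USD per stolen record (IBM average quoted in the article)

@dataclass
class SystemRisk:
    name: str
    replacement_cost: float    # hardware, applications and system software in the group
    hourly_value: float        # value plus cost of transactions produced in one hour
    outage_hours: float        # hours needed to resolve a disruption
    records: int               # records that could be stolen
    fines: float               # regulatory/contractual exposure
    likelihood: float          # ASSUMPTION: probability on a 0..1 scale
    control_scores: list = field(default_factory=list)  # 1 (weak) .. 5 (strong)
    vulnerabilities: float = 0.0  # ASSUMPTION: signed USD, negative = adds risk
    threats: float = 0.0          # ASSUMPTION: signed USD, negative = adds risk

    def registry_costs(self) -> dict:
        return {
            "business_interruption": self.hourly_value * self.outage_hours,
            "data_exfiltration": self.records * COST_PER_RECORD,
            "regulatory_contractual": self.fines,
        }

    def asset_value(self) -> float:
        # Replacement cost plus the cost of the system being down.
        return self.replacement_cost + self.hourly_value * self.outage_hours

    def inherent_risk(self) -> float:
        if not 0.0 <= self.likelihood <= 1.0:
            raise ValueError("likelihood must be between 0 and 1")
        return self.likelihood * self.asset_value()

    def findings_credit(self) -> float:
        # ASSUMPTION: a 1-5 score maps linearly to 0%..100% of inherent risk offset.
        if any(not 1 <= s <= 5 for s in self.control_scores):
            raise ValueError("control scores must be 1..5")
        if not self.control_scores:
            return 0.0
        mean_eff = sum((s - 1) / 4 for s in self.control_scores) / len(self.control_scores)
        return self.inherent_risk() * mean_eff

    def residual_risk(self) -> float:
        adjustment = self.findings_credit() + self.vulnerabilities + self.threats
        return max(0.0, self.inherent_risk() - adjustment)

# Constructed sample system, not data from the article.
billing = SystemRisk("billing", 200_000, 5_000, 24, 10_000, 50_000, likelihood=0.25,
                     control_scores=[5, 3, 1], vulnerabilities=-12_000, threats=-3_000)
```

For the constructed billing system the inherent risk is $80,000 and the residual risk is $55,000; with no controls scored, the same open vulnerabilities and incidents push residual risk above inherent risk.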
Implement a Risk Management Program
Assessing and managing risk is not a one-time or annual event. Risks like security threats or events are dynamic and frequent. Risks continually change and new risks need to be added on a continuous basis. It is critical that organizations implement a robust risk management program to complement their information security and compliance programs. Providing a process to assess, monitor and manage risks on an ongoing basis allows executives to clearly understand the financial impact to the business, allowing them to prioritize whether they can accept the risk, transfer all or part of the risk to cyber insurance/a third party or take action to mitigate the risk.
Key components of the risk management program are as follows:
- Initial risk assessment to provide a baseline for measurement. The process outlined above will be used to obtain the initial results.
- All data from the assessment will be imported into a repository that will provide an executive summary or dashboard of the risks and financial impacts. Mitigation costs should also be presented here. Ownership of risks and controls will be established so that notifications and alerts are sent to the appropriate risk/control owner.
- An internal or external risk monitoring team will be established to monitor changes in risk as well as evaluate any new risks that may occur.
Executives/organizations that choose not to implement a robust risk management program on top of their security and compliance programs will not have accurate information with which to make effective decisions. This can negatively impact their ability to prioritize expenditure and resource allocations.
If you have questions about these steps or anything else covered in this article, please contact the author, Jeff Brown.