4 Tips on How Small Businesses Can Efficiently Perform a Security Risk Assessment and Risk Analysis


Cybersecurity revolves around understanding and managing risks. A risk can be defined as anything that can have an unintended adverse impact on a function. Businesses face all kinds of risks – financial, legal, operational, and, of course, cyber risks. Oftentimes cyber risks end up impacting those other categories of risk as well.

With so many things on their plates, security at small businesses sometimes takes a place on the back burner while critical business functions are being addressed. Important security steps need to be quick to implement so that IT does not get bogged down. Assessing, analyzing, and then managing risks are fundamental to any security program, and there are ways to complete these tasks in a timely fashion that accommodate the busy schedules of IT staff. In this article we offer several tips on how small businesses can successfully perform a security risk assessment and then analyze the results in order to spend their security effort where it matters most.

What is an information security risk assessment and risk analysis?

A risk assessment involves identifying vulnerabilities and security gaps that exist in an organization’s security controls. It gauges how well your organization’s security holds up against various threats, and it looks at the consequences for the business if one of those threats exploits one of those vulnerabilities.

Security risk analysis involves weighing the risks discovered in the risk assessment. This is where you ask questions like: is it cost effective to treat this risk? What is our risk appetite? Will there be a worthwhile return on investment if we mitigate it? Which risks are most likely to occur? Which risks threaten critical assets such as sensitive data?

Tip 1: know what you want to get out of the security risk assessment before you start

Why should I conduct a risk assessment?

Performing a security risk assessment allows you to identify vulnerabilities and risks. Doing this proactively, before your organization falls victim to a cyber attack, can save money in two ways. First, it reduces your exposure to attacks, which can be very costly: industry breach-cost surveys put the average cost of a data breach at over $4 million. Second, it maximizes the effectiveness of the security budget. Without an assessment, IT teams may overspend in areas that carry little risk while ignoring areas that carry a lot.

Security risk assessments vs security audits

Some small businesses opt for a security audit instead of doing a more in-depth assessment. The kind of audit meant here can be run with fully automated vulnerability scanning tools. Scans are useful in conjunction with a security risk assessment, but on their own they leave out critical steps that the assessment process covers. A scan-based audit just lists vulnerabilities, whereas a security risk assessment treats risk as a function of threats, their consequences, and the system’s vulnerabilities. The audit looks at one part of the picture without considering how those vulnerabilities translate into risk for your particular organization.

Identifying contexts of risk

Identifying the context of your risk means understanding the landscape of your stakeholders and your organization. Stakeholders such as customers, business partners, and regulators all have a perception of how the risk tolerance of your organization should look.

Customers generally expect that a business they hand their information to can be trusted with it. That expectation may rest on being unaware of the threats that exist, but it should nevertheless be kept in mind, particularly when their sensitive data is on the line.

Business partners should take each other’s risk management practices into consideration. A risk assessment should treat third party vendors and business partners as possible entry points through which threats can reach you. And lastly, regulators may require varying degrees of security controls to be in place depending on an organization’s location and industry.

The other kind of context to consider is internal context. This refers to how those inside your organization think about risk. What are their risk appetites? What is the company culture like? Does the organization prioritize security, or do they see it as more of a background process?

Knowing these contexts will allow you to come up with a plan for what to do once the security risk assessment is complete. How will you take this knowledge and use it to mitigate risk? As a small business, this usually means deciding which changes to your technology infrastructure will best address the identified risks, which in turn guides the budget going to the vendors that supply your tech stack. The second part of your plan should cover who is in charge of the risk assessment and how the process will take place. This leads us to tip #2.

Tip 2: Understand the risk assessment process

Who conducts a security risk assessment?

The answer to this varies depending on who handles security in your organization. For smaller organizations the responsibility will usually fall on the IT department to perform the security risk assessment. Internal security teams have the advantage of being intimately familiar with the organization’s security architecture, as well as corporate culture. While larger organizations face the difficulty of navigating disjointed governance and siloed information, smaller organizations may have the problem of having no internal security team at all. In this case, consulting agencies can be hired to perform the required assessment and analysis.

Risk assessment frameworks

A risk assessment framework (RAF) is a term used to describe a company’s strategy for security risk assessment. Institutes such as the National Institute of Standards and Technology (NIST), whose Special Publication 800-30 is a guide for conducting risk assessments, and the Committee of Sponsoring Organizations of the Treadway Commission (COSO), with its enterprise risk management framework, have put out frameworks they recommend.

Many of these institutes, including the two just mentioned, mainly write with a focus on enterprises rather than small businesses. The main principles of their frameworks can still apply but a small organization may see benefit in modifying their strategy. We will discuss a strategy geared towards small business using the basic principles from these established frameworks.

Risk registers

Risk registers are used in the risk assessment process. These registers are documents where you can make a written record of cyber risks you have identified, the analysis of those risks, what the response to those risks will be, and who owns those risks. We will discuss how to find these items in detail below.

Identifying risks

Identifying risks generally can be separated into four parts. First, assets must be identified and valued. The NIST Cybersecurity Framework describes assets as “the data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes.” An asset inventory is necessary to find where vulnerabilities may be. Giving these assets valuations tells you what your most critical systems are (which systems are integral to your infrastructure, where your confidential customer data is stored, etc.).

The next step is determining potential threats. A threat is anything that could exploit a vulnerability in your systems and cause harm, most often a malicious party, but also mistakes by staff and events like hardware failure. For small businesses it can be difficult and time consuming to come up with a list of potential security threats on your own. Making use of available data and lists is a way to cut unnecessary time expenditure. MITRE ATT&CK is one such resource available online: a knowledge base of the tactics and techniques that real adversaries have been observed using.

The third step in identifying risks is determining under what conditions a threat may occur. In the first step you did an asset inventory. In this step you are looking at when and how these assets may be vulnerable to an attack. This is where automated vulnerability scans (the scan-based audits mentioned earlier) can help automate the process and point out where vulnerabilities lie.

The last step is evaluating what consequences these security threats can have. Risk scenarios are developed by asking what resources can be affected by the risk and what the anticipated result would be if the risk comes to fruition. Three things to consider are the confidentiality, integrity, and availability of your data and systems. Confidentiality means asking what would happen if sensitive information were disclosed to someone not entitled to see it. Integrity means asking what would happen if data were corrupted or altered. Availability means asking what would happen if data or systems became inaccessible. The next tip will help you further analyze these risks to figure out which security risks take the highest priority.

Tip 3: How to properly perform a risk analysis

Quantifying vs Qualifying risks

Risk analysis boils down to how you interpret risk. Quantifying risk means putting it into objective numerical terms. Qualifying risk is more subjective. Executives are often more likely to give credence to quantified data (how much will this cost vs how much will it save). The difficulty with quantifying risk comes from the fact that it can be very hard to assign exact values to it. Nevertheless, there are methods which can be used to quantify risk as best as possible, as well as methods for qualifying risk which can also be helpful in a risk analysis.

Qualifying risks

In the past a lot of analysis depended on qualifying risk. A typical tool is a heat map, or risk matrix. This matrix has the likelihood of an attack on the y-axis and the impact on the x-axis. The theory behind using a risk matrix is that it helps with prioritizing risks: risks with a high likelihood as well as a high impact take priority over risks with lower likelihood and impact.

There are two problems with this way of analyzing risk which make some security professionals see heat maps with qualified data as inefficient. The first is that they are too subjective. There aren’t enough defined factors to place any given risk into a single square on the matrix; instead, it takes a lot of “feeling” as to where the risk should lie. The risks are not categorized by numbers but by color codes correlating to a risk as low, medium, or high, and two analysts can easily put the same risk in different squares.

The second problem is that they do not give any cost justification to these risks. Executives of companies often rely on cost justifications to make budget changes. Without knowing exact costs, it is hard for security teams to accurately measure which security risks should be prioritized.

Quantifying risks

Quantifying risks means assigning a value to a security risk based on data. This is difficult in cybersecurity where impacts can be intangible. How do you quantify how much damage an attack will cause to your reputation? How do you know whether an attack will cause a loss of share price and market value of your organization? The fact that cybersecurity is constantly evolving and relatively new means there is little accurate data available to answer such questions.

A method to quantify risk that has become popular is called Factor Analysis of Information Risk (FAIR). The goal of FAIR is to translate all risks into financial terms. The two top-level factors used to do this are loss event frequency and loss magnitude. Loss event frequency is how often, per year, an attack actually results in a loss; it is derived from how often threat actors act against the asset and how likely those attempts are to succeed. Loss magnitude is the cost of one such event, both direct and indirect. Multiplying the two gives an expected annual loss that can be compared with the cost of a control.

(Figure sourced from FAIR)

FAIR breaks everything down into financial terms. For example, using this methodology you could look at costs to your reputation as the cost of hiring a communication agency to improve PR. It encourages you to consider all costs that will go into incident response.
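To make the risk register, the heat map, and the FAIR factors concrete, here is a small worked example. It is added for this article and is not code from PeerWise, NIST, or the FAIR Institute; the three register rows, the 1 to 5 scales, the band thresholds, the frequencies, the dollar amounts, and the plus or minus 50% ranges in the simulation are all constructed assumptions for illustration, not benchmarks. Each row carries the fields a risk register needs (risk, asset, owner, analysis, response) plus the four FAIR inputs, so the same register can be viewed qualitatively (which heat-map band) and quantitatively (expected annual loss, and whether a control pays for itself).

```python
"""Risk register scored two ways: heat-map band and FAIR-style annual loss.

Added illustration; not PeerWise, NIST or FAIR Institute code. All numbers
are constructed assumptions, not benchmarks.
"""
from dataclasses import dataclass
import random


def qualitative_band(likelihood: int, impact: int) -> str:
    """Place a risk on a 5x5 heat map. The thresholds are an assumption;
    the article's point is that these bands are a judgement call."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact are ordinal scores 1..5")
    score = likelihood * impact
    if score >= 15:
        return "High"
    if score >= 6:
        return "Medium"
    return "Low"


@dataclass
class Risk:
    """One risk-register row plus the FAIR inputs for the quantitative view."""
    name: str
    asset: str
    owner: str
    likelihood: int        # heat-map y-axis, 1..5
    impact: int            # heat-map x-axis, 1..5
    tef: float             # threat event frequency: attempts per year
    vulnerability: float   # probability one attempt becomes a loss event
    primary_loss: float    # direct cost per loss event (response, downtime)
    secondary_loss: float  # indirect cost per loss event (PR, fines, churn)
    response: str = "untreated"

    def loss_event_frequency(self) -> float:
        return self.tef * self.vulnerability          # FAIR: LEF = TEF x Vuln

    def loss_magnitude(self) -> float:
        return self.primary_loss + self.secondary_loss  # FAIR: LM per event

    def annualized_loss(self) -> float:
        return self.loss_event_frequency() * self.loss_magnitude()

    def band(self) -> str:
        return qualitative_band(self.likelihood, self.impact)


def build_register() -> list:
    """Constructed sample rows for a small business; not real data."""
    return [
        Risk("Phishing leads to mailbox takeover", "M365 tenant", "IT lead",
             likelihood=4, impact=3, tef=2.0, vulnerability=0.25,
             primary_loss=50_000, secondary_loss=20_000),
        Risk("Ransomware on file server", "File server", "IT lead",
             likelihood=2, impact=5, tef=0.5, vulnerability=0.2,
             primary_loss=120_000, secondary_loss=30_000),
        Risk("Lost unencrypted laptop", "Sales laptops", "Ops manager",
             likelihood=2, impact=2, tef=1.0, vulnerability=0.5,
             primary_loss=5_000, secondary_loss=10_000),
    ]


def rank_by_annualized_loss(register: list) -> list:
    """Quantitative priority order: highest expected annual loss first."""
    return sorted(register, key=lambda r: r.annualized_loss(), reverse=True)


def control_decision(risk: Risk, annual_control_cost: float,
                     vulnerability_after: float) -> dict:
    """Cost justification for a control that lowers the chance an attempt
    succeeds (e.g. MFA cutting mailbox-takeover success from 25% to 5%)."""
    before = risk.annualized_loss()
    after = risk.tef * vulnerability_after * risk.loss_magnitude()
    savings = before - after
    return {"ale_before": before, "ale_after": after,
            "net_benefit": savings - annual_control_cost,
            "worth_it": savings > annual_control_cost}


def simulate_annual_loss(risk: Risk, runs: int = 20_000, seed: int = 1) -> dict:
    """Swap point estimates for ranges (triangular, +/-50% around the estimate,
    an assumption) and report the mean and a 90th-percentile 'bad year'."""
    rng = random.Random(seed)
    lef, lm = risk.loss_event_frequency(), risk.loss_magnitude()
    losses = sorted(rng.triangular(0.5 * lef, 1.5 * lef, lef)
                    * rng.triangular(0.5 * lm, 1.5 * lm, lm)
                    for _ in range(runs))
    return {"mean": sum(losses) / runs, "p90": losses[int(0.9 * runs)]}


if __name__ == "__main__":
    reg = build_register()
    for r in rank_by_annualized_loss(reg):
        print(f"{r.band():6} ${r.annualized_loss():>9,.0f}  {r.name}")
    print(control_decision(reg[0], annual_control_cost=8_000, vulnerability_after=0.05))
    print(simulate_annual_loss(reg[0]))
```

Run as written, the phishing and ransomware rows both land in the Medium band, so the heat map alone does not say which to fix first, while the annualized loss figures (35,000 vs 15,000 vs 7,500) do. The control check shows the article's cost-justification argument in numbers: an 8,000 per year MFA rollout that cuts the phishing success rate to 5% lowers expected loss by 28,000, a net benefit of 20,000. The simulation is the step to take once you have ranges rather than single guesses; the 90th percentile is the "bad year" figure executives usually ask about next.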

Which way of analyzing risk is best for a small business?

While quantifying risks is generally considered the better practice, it is often a time consuming process, and so small businesses may rely more on qualifying risk. Larger businesses tend to quantify risk because they have the resources to do so. In large businesses it is also often necessary to quantify risk in order to discuss it in financial terms with executives. Having a smaller number of employees tends to make communication between IT teams and executives a bit easier, as there are fewer intermediaries in the hierarchy.

Knowing the financial impacts of risk would benefit small businesses, but given constraints on time and resources, qualifying risks can be a good enough practice. It still allows you to identify risks that are most dangerous to your organization. The majority of your focus once you know that should be on these most critical risks. Another solution that can help you quantify data in a timely manner is to utilize automation.

Tip 4: Automation saves time

What if my organization does not have time for a risk assessment?

A risk assessment does not have to be a difficult or time consuming process, and can be adapted depending on the size of the organization. In the long run security risk assessment and analysis can end up saving time and money. Larger businesses have to work around navigating complex systems of governance in their organization. They also have to deal with isolated silos of data and navigating organizational culture as they try to deliver information to the C-suite. SMBs have it easier in these regards, but have limited time, employees, and budget to assess risk. Here automation can be used to save time.

Tools you can use to automate the process

There are dozens of tools out there to help automate risk assessment, risk analysis, and overall risk management. We will give a few examples to help you familiarize yourself with what kinds of services they can provide.

Citalid combines threat and business intelligence to identify risk scenarios and quantify risk. It also helps you develop a strategy to mitigate those risks, balancing efficiency and cost-effectiveness.

LogicGate is a cloud software solution that automates governance, risk, and compliance (GRC). Automating governance helps align IT teams with executives’ business goals. Automating risk and compliance helps to manage risk and ensure it is up to regulatory standards.

Resolver mainly focuses on the early parts of risk management. This tool helps with risk planning and preparation. It automates the security risk assessment and works to identify threats. It then also prioritizes these risks.

SpiraPlan by Inflectra automates many parts of the risk management process, including categorizing risks based on probability, impact, and exposure.

Automation can be a great way to save time on security assessments as well as other security needs. Even so, it is valuable that some member(s) of the IT team fully understand the security systems that are in place in their organization. Tools can aid in-house staff but are not an ideal replacement for them, should the company’s budget allow for that. To learn more about our insights on outsourcing and automation, read our article on alternative solutions to the cybersecurity skill gap.

More fundamental cybersecurity steps small businesses should take

Security risk assessments work best when looked at as an ongoing process. It is generally recommended to perform an assessment annually at a minimum. Using tools focused on automation for some or all of the process can allow for companies of all sizes to perform a security risk assessment and analysis. If the company’s resources allow it these processes can be handled fully by an inhouse IT team.

Once risks are identified and prioritized, the next step is to respond to them accordingly. Responding to risks is the last step in a risk management plan. To stay up to date on new insights on risk management strategies for small businesses, as well as other fundamental cybersecurity processes, sign up to PeerWise’s newsletter. We will be posting content regularly to help small businesses manage information security as efficiently as possible.
