Security Think Tank: Five elements of a key cyber risk indicator

Asking a cyber security professional to choose just one element of risk is like asking a doctor to pick just one lethal infectious disease as a primary measure of epidemic risk. It’s extremely difficult to pinpoint a single aspect to focus on, and every location will have its own environmental concerns that will shape the risk profile, different to the next place.

Ponemon Institute’s 2018 State of data access governance study is one example of this in action, highlighting how organisations across the board are still struggling with visibility and understanding how users, processes and functions expose the business to risk.

There is no one-size-fits-all option, but we can narrow it down to five elements that you need to evaluate to determine one overall cyber security risk indicator (CRI) for the business.

With that in mind, if we take the five factors below into consideration, you can use them to measure, monitor, establish a baseline score and then understand how threats and heightened risk affect that measurement and with it, the business.

That combined measurement will ultimately form your overall organisational CRI. And measuring these criteria is critical to determining and improving the CRI state. If you can’t measure it, you can’t improve it. And if you can’t measure it, you definitely can’t understand it.

1. Data risk: How secure is the organisation’s key information including R&D data, proprietary information such as secret recipes, confidential operational data such as customer lists, payroll information and transaction data? Are software systems up-to-date on patching? Do you have processes in place to ensure that patches and updates are tested and deployed in a timely manner?

2. Malware: The various malicious code attacks that we face on a daily basis pose both a systems and user risk. For example, phishing and social engineering begin by taking advantage of unwitting users before inflicting a potential systems attack.

Similarly, does the organisation protect or monitor its systems regarding the use of external data sources that may contain malicious code (USB sticks, external drives and cloud sync services).

Have known system exploits that can be leveraged by attack vectors such as code injection been patched or addressed? Ransomware – particularly on older systems, poses a great threat – are systems at most risk from ransomware adequately monitored or ringfenced.

3. External disruptive attack: External disruptive factors such as denial of service can be particularly debilitating for companies that rely on being online-facing, such as retailers. Do you have countermeasures in place to combat ad-hoc DoS attacks, and how effective are these when faced with load? What is the peak demand that your web site and underlying database can actually handle? Is the database free of known vulnerabilities that can be exploited by external actors?

4. IAM control: Second only to direct human risk, identity and access management represents one of the largest risk factors for most types of business and should be part of any overall CRI calculation. Who has access to what data? Are ghost accounts (those of users who have left the business) being purged in a timely manner? Is there a process in place to ensure that users do not accumulate unnecessary access privileges?

5. Human risk: Are users adhering to company security policies? Do you have a mechanism in place for monitoring, testing and evaluating whether users following process or circumventing it? Are you investing in regular training for staff so that they know what to do regarding IT security and WHY we do it?