Asking a cyber security professional to choose just one element of risk is like asking a doctor to pick just one lethal infectious disease as a primary measure of epidemic risk. It’s extremely difficult to pinpoint a single aspect to focus on, and every location will have its own environmental concerns that shape a risk profile different from the next place’s.
Ponemon Institute’s 2018 State of data access governance study is one example of this in action, highlighting how organisations across the board are still struggling with visibility and understanding how users, processes and functions expose the business to risk.
With that in mind, each of the five factors below can be measured and monitored to establish a baseline score, so that you can then understand how threats and periods of heightened risk move that measurement, and with it the business.
That combined measurement will ultimately form your overall organisational CRI. And measuring these criteria is critical to determining and improving the CRI state. If you can’t measure it, you can’t improve it. And if you can’t measure it, you definitely can’t understand it.
1. Data risk: How secure is the organisation’s key information including R&D data, proprietary information such as secret recipes, confidential operational data such as customer lists, payroll information and transaction data? Are software systems up-to-date on patching? Do you have processes in place to ensure that patches and updates are tested and deployed in a timely manner?
2. Malware: The various malicious code attacks that we face on a daily basis pose both a systems and user risk. For example, phishing and social engineering begin by taking advantage of unwitting users before inflicting a potential systems attack.
Similarly, does the organisation protect or monitor its systems against the use of external data sources that may carry malicious code (USB sticks, external drives and cloud sync services)?
Have known system exploits that can be leveraged by attack vectors such as code injection been patched or addressed? Ransomware, particularly on older systems, poses a great threat: are the systems most at risk from ransomware adequately monitored or ringfenced?
3. External disruptive attack: External disruptive factors such as denial of service can be particularly debilitating for companies that rely on being online-facing, such as retailers. Do you have countermeasures in place to combat ad-hoc DoS attacks, and how effective are these when faced with load? What is the peak demand that your web site and underlying database can actually handle? Is the database free of known vulnerabilities that can be exploited by external actors?
4. IAM control: Second only to direct human risk, identity and access management represents one of the largest risk factors for most types of business and should be part of any overall CRI calculation. Who has access to what data? Are ghost accounts (those of users who have left the business) being purged in a timely manner? Is there a process in place to ensure that users do not accumulate unnecessary access privileges?
5. Human risk: Are users adhering to company security policies? Do you have a mechanism in place for monitoring, testing and evaluating whether users are following process or circumventing it? Are you investing in regular training for staff so that they know what to do regarding IT security, and WHY we do it?
Scoring a CRI is also open to interpretation, but a simple 0-10 score system like this will suffice in most instances:
0 – No detectable risk (example, an air-gapped computer with only single, approved user access)
1-3 – Low risk to the business (example, fully patched, active systems with multiple known users and up-to-date IAM)
4-6 – Moderate risk to the business (example, modern system with no visibility of users or patching history, up-to-date antivirus, but frequently used with third-party storage peripherals)
7-8 – High risk to the business (example, legacy system with limited patch support, multiple users, no clear view of IAM status and ghost account access)
9-10 – Imminent risk to the business (example, publicly-exposed, network-connected PC with no antivirus software or password protection)
Ultimately, it is all a matter of measurement. If you can measure it, and the numbers alarm you, then you need to scrutinise that element in more detail. Taking the five elements above, it is important to measure all of them and to scrutinise the figures over a period in order to obtain a baseline of “safe” or “acceptable” risk. From there, determine a hierarchy of need for the business based on what it is you do and how you do it (this is the part that differs for every organisation), and use that to determine your primary risk factor.
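The following Python script is an added worked example, not part of the original article, showing one way to put the scheme above into practice: each of the five factors is scored on the article’s 0-10 scale, the scores are combined into an overall CRI, a baseline is built from a period of earlier measurements, and any factor whose current score has moved well away from its baseline is flagged for closer scrutiny. The factor weights (a hypothetical online retailer that cares more about external disruption and IAM), the weighted-mean aggregation, the deviation threshold and the sample measurements are all assumptions made for illustration; the article prescribes none of them.

```python
"""Worked example (added here; not from the original article): score the five
risk factors on the 0-10 scale, combine them into an organisational CRI,
build a baseline from a period of measurements and flag factors that have
drifted away from it. Weights, aggregation and thresholds are assumptions."""
from statistics import mean, pstdev

FACTORS = ("data", "malware", "external", "iam", "human")

# The article's 0-10 banding, as (low, high, label).
BANDS = (
    (0, 0, "no detectable risk"),
    (1, 3, "low"),
    (4, 6, "moderate"),
    (7, 8, "high"),
    (9, 10, "imminent"),
)


def band(score):
    """Map a (possibly fractional) score onto the article's bands."""
    s = round(score)
    for lo, hi, label in BANDS:
        if lo <= s <= hi:
            return label
    raise ValueError(f"score {score} is outside 0-10")


def validate(scores):
    """Every factor must be present and scored within 0-10."""
    missing = set(FACTORS) - set(scores)
    if missing:
        raise ValueError(f"missing factors: {sorted(missing)}")
    for name, value in scores.items():
        if not 0 <= value <= 10:
            raise ValueError(f"{name}: score {value} is outside 0-10")


def cri(scores, weights=None):
    """Overall CRI as a weighted mean of the factor scores (assumed method).
    With no weights every factor counts equally."""
    validate(scores)
    if weights is None:
        weights = {f: 1.0 for f in FACTORS}
    total = sum(weights[f] for f in FACTORS)
    return round(sum(scores[f] * weights[f] for f in FACTORS) / total, 2)


def baseline(history):
    """Per-factor (mean, population std dev) over a period of measurements."""
    return {f: (mean([h[f] for h in history]), pstdev([h[f] for h in history]))
            for f in FACTORS}


def flag_deviations(current, base, min_delta=2.0):
    """Return (factor, current, baseline_mean, delta) for factors whose score
    has risen above the baseline mean by more than min_delta points or by more
    than two standard deviations: the numbers that should 'alarm you'."""
    flagged = []
    for f in FACTORS:
        m, sd = base[f]
        delta = current[f] - m
        if delta > max(min_delta, 2 * sd):
            flagged.append((f, current[f], m, delta))
    return flagged


# Constructed sample data: four earlier monthly measurements, then this month.
HISTORY = [
    {"data": 3, "malware": 4, "external": 5, "iam": 3, "human": 4},
    {"data": 3, "malware": 4, "external": 4, "iam": 3, "human": 5},
    {"data": 2, "malware": 5, "external": 5, "iam": 4, "human": 4},
    {"data": 3, "malware": 4, "external": 5, "iam": 3, "human": 4},
]
CURRENT = {"data": 3, "malware": 4, "external": 5, "iam": 8, "human": 5}

# Hypothetical weighting for an online retailer (assumption): external
# disruption and IAM matter more to this business than the other factors.
WEIGHTS = {"data": 1.0, "malware": 1.0, "external": 2.0, "iam": 1.5, "human": 1.0}

if __name__ == "__main__":
    base = baseline(HISTORY)
    baseline_scores = {f: base[f][0] for f in FACTORS}
    print("baseline CRI:", cri(baseline_scores, WEIGHTS))
    score = cri(CURRENT, WEIGHTS)
    print("current CRI:", score, "->", band(score))
    for f, now, was, delta in flag_deviations(CURRENT, base):
        print(f"scrutinise {f}: {now} vs baseline {was:.2f} (+{delta:.2f})")
```

In the constructed data the overall CRI stays in the moderate band, which is exactly why the per-factor comparison against the baseline matters: the jump in the IAM score (ghost accounts accumulating, for instance) is hidden by the averaged figure but is caught by the deviation check.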