Security Think Tank: Key considerations for determining cyber risk

The world can be a hostile place both for people and for organisations, but do you know what risks your organisation is subject to and do you know how to quantify those risks? 

We can define a risk as the probability of a threat successfully exploiting a vulnerability. But we cannot ignore a risk simply because it has a very low probability of occurring. We need to take into account the cost or value at stake should a risk event happen. Can we define a set of key indicators or metrics for our organisation to help prioritise and monitor information security risks now and going forward without diving deep into the nuts and bolts?

While no two organisations will have exactly the same risk profile, it is possible to identify a group of indicators that organisations can pick from, but noting that the identified group is not exhaustive.

My starting point would be the preparation of a Business Exposure Matrix which should be reviewed at a senior and/or board level at least annually. This matrix would identify the various business exposures to an organisation (the indicators) and for each exposure detail a narrative, the impact on the organisation should the risk be realised, a “traffic light” risk assessment and set of proposed actions.

 A “green” traffic light would be low risk with low impact, whereas a low risk indicator with a high value at stake would be “amber” at the very least. A high risk with low impact could be an “amber” or a “green” traffic light depending on exactly what the impact was. 

An example exposure could be reputational damage. The narrative might identify that a malicious social media campaign saying that the company’s e-commerce website had been hacked and credit card information stolen would impact reputation and hence sales. Irrespective of whether the event actually happened or not, the company would be on the backfoot.

The narrative might identify that the company does not have processes in place to handle this type of event nor any process in place to monitor social media for such malicious content. It’s likely this type of event would be an “amber” traffic light and the actions could indicate the necessity of establishing a contract with an outsource PR company to both monitor social media and handle the media (newspapers, TV, radio) should any event that would attract public interest happen.

Another example exposure, though not an obvious information security one, would be a major extended power outage. Here, the narrative might identify that the company was based on a single site and while it had battery-based uninterruptible power supply (UPS) for its IT, there was no on-site generator and no contract for a mobile generator to be brought to site.

An extended loss of power could severely impact the organisation’s ability to conduct and manage its business, potentially leading to it being unable to trade. The “traffic light” would certainly be at “amber” and possibly “red”, and the actions should include reviewing and updating the business continuity and disaster recovery plans.

What other exposures or indicators might there be? A non-exhaustive list: 

• Forced evacuation of premises (due to flooding, damage to sewerage system putting toilets out of action, nearby police action, etc.). At times like this, infosec defences might be degraded.
• Company-held data leaked to unauthorised third parties. Could lead to loss of business (client lists or new project information) or Information Commissioner’s action under General Data Protection Regulation (GDPR) rules (staff and/or client/customer personal information) resulting in fines and potential loss of business.
• Disgruntled or criminally compromised employees disrupting a company’s IT system or leaking company data (due to poor HR and/or management practices).
• Malware getting into the IT system potentially destroying valuable company data (could put the company out of business). Possibly due to inappropriate handling of email attachments by staff.
• Lack of or the non-enforcement of an acceptable usage policy of the company network and facilities including the connection of staff owned items to company equipment (introduction of malware and ransomware).
• Poor IT and/or infosec processes and practices leading to effective hacker activities or allowing the uncontrolled spread of malware across the IT infrastructure (could put the company out of business).
• Not maintaining the IT infrastructure to current manufacturer-supported levels. This could potentially invalidate any cyber insurance, make defending a GDPR case more difficult or be a deal breaker.
• Poor building security and practices potentially allowing unauthorised access which could lead to the compromise of the IT systems and or data leakage (clear desk, computers left logged in) or loss of IT equipment.
• Business continuity and disaster recovery plans not kept up-to-date and/or not effectively tested. In the event of a disaster, a company might not be able to fully recover and so potentially leading to a cessation of trading.