Security Think Tank: Seven steps to manage risk of catastrophic cyber attack

1. Document the potential impacts

The particular business model and the specific services that are operated will determine the impacts of such an attack. These will potentially be extensive and widespread. 

It is inadvisable, even if it was possible, for one person to be responsible for documenting these. Deeper insight can be obtained through survey-style communication with key people and teams within the organisation to ensure that the top impacts for different services, products and aspects of the business are raised. 

These need to go beyond the traditional IT ramifications of a cyber attack, such as service interruption or the website being rendered unavailable. The online publication of sensitive intellectual property, such as a client database, or an attack on a key supplier resulting in the inability to produce, ship or sell products, for example, have equally serious implications for business operations.

2. Identify the drivers

If only the overarching source of the risk (the cyber attack, for example) is required, this is relatively easy. It is more difficult if a breakdown of the more specific causes, such as poor patching, use of external devices, responses to phishing email, and so on, is needed.

Knowing the drivers of risk should provide context and insight into the cause of the risk itself and, as such, can lead to actions designed to reduce the probability/possibility of the incident occurring.

3. Assess the worst-case scenario

Think about the worst possible outcomes for each of the impacts identified. Be brave – this is challenging, but critical to truly understand the inherent risk scores – and therefore be able to prepare for them. 

At this stage, it is important to avoid tempering each scenario with the belief that “it won’t happen to us” because this moves away from impact evaluation and encroaches onto probability and risk analysis, which is dealt with in the following step.

4. Grade the probability of each impact happening

As noted above, this should be logically separate from the worst-case scenario assessment to avoid influencing the identification with judgement that reduces (or raises) the probability of potential impacts.

However, at this point, the discussion around whether or not something is likely to happen is relevant. Using a realistic prospect of the likelihood of an impact occurring and multiplying it with the impact score, it should be possible to determine an overall risk factor for each.

5. Think about responses

Having invested time in the assessment process, how to manage the risk with control responses can now be identified. This includes activities to reduce the overall likelihood of the risk occurring – preventative measures such as access-driven virus scanning, firewall protection, server hardening and encryption. 

Reducing the effect of one or many of the impacts is also key, for example investment in security analytics, unified threat management (UTM) or security information and event management (Siem) technology to identify potential attacks quickly, thus reducing dwell time, or adoption of a documented and operational process for quarantining affected assets to isolate infections and prevent the spread.

6. Assess whether the controls are in place and working

Reviewing responses provides the “current” or residual risk score for the enterprise. This involves specifying whether they are fully in place or still in progress and checking that they are having an effect and whether that is in line with expectations and requirements.

This is often where system-embedded controls can be used to get more accurate insights, rather than subjective opinions. For example, reporting the number of “suspicious” incidents identified can inform whether the probability is realistic, whereas penetration testing will help to determine if the desired server hardening is stopping a potential hacking breach.

However, depending on the countermeasures/controls, there may still be cases where the effectiveness or appropriateness of the activities is subjective.

7. Grade the effectiveness of the responses

It is important to know how much of the risk can be managed – assuming that the responses outlined above are in place and working as required. For example, will the control measures reduce the likelihood of an impact by 10%, 50% or more, or remove it completely?

This allows the enterprise to see whether it needs to do more to manage the risk, as well as which responses have the biggest effect, identifying, for example, whether a greater reduction in risk would be achieved through investing in further technology or a more targeted cyber awareness campaign for employees.

If a risk is still present, then time should be spent enhancing the organisation’s business continuity plans to account for these scenarios, such as lack of recovery of key data, and updating critical incident plans for scenarios where the enterprise might have to contact external bodies such as the police, customers or regulatory organisations.

Throughout this process, the quality of the information is paramount – accuracy will be drastically improved with key facts and data to inform the various scenarios. 

Similarly, providing people with appropriate and consistent gradings and measures to quantify the impacts, along with guidelines to help them understand which to select, will also help to ensure greater consistency. This is particularly important if several people are involved in the evaluation processes.

As it is highly unlikely that an organisation will face one single risk for an extinction-level cyber threat, it is potentially worth breaking the main risk into smaller components that can be managed more easily. 

For example, the risk of email spoofing is likely to be driven by social engineering or phishing and the response may be cyber awareness training or a mandatory internet security policy reinforced with appropriate exams and questions, all with the aim of stopping employees from clicking on suspicious links.

This enables “smaller” risks to be grouped together to get the overall visibility of the “top” risk.

Preparing for Doomsday scenarios may seem frightening or unnecessary – or both. However, investing in pre-emptive risk management should be regarded as a good business practice for the 21st century. A company has very little influence in preventing an attack, but it can have a significant degree of control over the responses and recovery strategy (impact reduction measures) that it adopts.