Launching Your Cyber Risk Review
Posted in: Commercial Insurance
Businesses tend to focus on purchasing the latest technology to protect against cyber threats without fully understanding their organizational exposures. While technology is critical, it should be only one part of a holistic cyber resiliency strategy. A good place for many leaders to begin is to establish a fundamental understanding of cyber risk and how it affects their organization, and then to seek cybersecurity strategies that address the people, process and technology exposures. Armed with this knowledge, leaders should embrace their role as the organization's cybersecurity champion.
Once your organization has a fundamental understanding of cyber risk and its potential impact, the next step towards cyber risk resiliency is to establish a cyber risk exposure baseline specific to your organization. I recommend starting with a cyber risk review. The outcome of this review will not be a complete technical risk assessment, but it will help you and your team build a cyber risk profile that improves internal communication and decision making. The steps discussed below can guide you to better understand what needs to be protected, to identify security gaps, and to identify the technologies and external experts you may need to engage to develop and implement your cyber risk management strategy.
Follow these eight steps to facilitate meaningful communication within the organization about cyber risk management and kick-start the cyber risk review process.
- Start With Your Mission: Any cyber risk management strategy should be guided by your organization’s mission and purpose. This helps you elevate cybersecurity to an enterprise risk management function. By starting with your mission, you begin to frame the cybersecurity discussion as a business issue rather than an IT task. Focus on what is most important to your organization so you’re not distracted by trying to defend against every possible threat. In other words, your aim is to protect the data and systems that are essential to achieving your unique mission.
- Understand the Threat Landscape: Next, begin examining the threat landscape from the perspective of your organization. Consider possible vulnerabilities and impacts, and think about other entities you are connected to that might be a target for malicious actors. Consider the threats that organizations similar to yours in your industry have experienced. Be sure to consider any regulatory requirements your organization must follow regarding cybersecurity controls and privacy. If you have a cybersecurity team, work with them to identify the most common attacks your organization has experienced, and ask them to help you prioritize the threats and vulnerabilities that are most important for your company to consider. Again, this reinforces the resiliency-based approach: prioritizing activities and investments based on the likely threats that have the biggest impact on your ability to achieve your mission.
- Understand Your Computer Systems and Network: Make sure you have a thorough understanding of your network and the technology you use to conduct operations, including software applications and cloud services. Network maps and data flow diagrams can be useful in the cyber risk management planning process. Be sure you know where sensitive information is saved, and how it is accessed and transmitted. It is also critical to identify, manage, and monitor access to critical systems and data. This process will take time, but it is essential to determine the possible attack surface you need to protect and help ensure you are backing up all mission-critical systems and data.
- Identify and Evaluate Essential Data, Systems, and Services: Identify the data you are required to collect, process and transmit to accomplish organizational goals. Inventory and rank all the applications, software, systems, communication and collaboration platforms you rely on to achieve your mission. This will help you assess the impact and extent of business interruption due to a cyber incident and estimate the costs of a data breach.
- Assign a Value to Your Cyber Risk: This important step will improve communication and decision making by connecting the impact of a potential cybersecurity failure to the financial viability of the business. New tools that help businesses value cyber risk, such as CyVaR, are evolving and can help provide a cyber risk value unique to your organization. Another resource to get the conversation started about the value of your cyber risk is a set of simple questions the National Institute of Standards and Technology (NIST) outlines in its Small Business Information Security
- Set a Cybersecurity Goal and Budget: In the context of your mission and industry, determine cybersecurity goals based on likely threats, regulatory and compliance requirements, current vulnerabilities, and other factors that are common to your type of organization. Identify both a technical cybersecurity goal as well as a cyber risk management process goal.
  - Technical cybersecurity goals can also be called Cybersecurity Maturity Models, and are based on proven defense strategies that align with an organization’s likely threats, vulnerabilities and possible enterprise impacts.
  - Cybersecurity process goals focus on the business and people aspects of cybersecurity and the overall strategic approach to cyber risk management. NIST’s Cybersecurity Framework provides four implementation tiers (partial, risk-informed, repeatable and adaptive) that describe how mature an organization’s risk management process is.