All of life and business activites have a certain risks associated with them. Cyber Security is no different. These are simply risks that need to be identified and managed like any other business process or activity. The trick is to identify what these risks are and make a conscience decision on how to handle the risk.
NIST (National Institute of Standards & Technology) provides a framework for the Risk Assessment process 800-30. This is about 100 pages with appendixes with lots of detail on how to create a comprehensive risk assessment and response plan.
I like to think about this process as simply creating your list of risks, then choosing which option or combination of basic options you are going to apply to the situation.
Fundamentally, in all there are 4 options to deal with a cyber risk that has been identified. These approaches can be complementary to each other and multiple can be used against the same risk.
- Remove Risk
- Accept Risk
- Transfer Risk
- Mitigate Risk
Risks might be the result of having a product or process that does not contribute enough value to the business. Here we can simply remove the risk by turning off the devices, stopping the process or changing the configuration so that it no longer exists. We simply decide the risk is much higher than the value so we remove whatever creates the risk.
Some risks might be low in cost and/or probability of occurring meaning simply accepting the risk and moving on is appropriate.
Other times where we might accept a risk are for vulnerabilities that have no options in the way of mitigation while at the same time turning off or otherwise disconnecting and removing the risk is not viable for business processes.
In any of these cases we might also need to apply monitoring to detect that the risk has been exploited to reduce the damage that could occur as a result.
When the risk comes from a process outside the main activities of the business we can look to transfer the risk to another party. A simple example of this is credit card processing. Many businesses simply no longer collect and store credit card information but purchase those processing services from a third party transferring all the risks to that party.
Other risk transfers can occur during contract relationships. If there is a particular risk or liability with any process or activity, we can incorporate risk transference language into the basic contract with either the vendor or the customer for that risk.
A major new form of risk transfer is Cyber Security insurance. There are a wide variety of policies that can be purchased to transfer the cost of a cyber security event to an insurance carrier. They might pay the costs for the response team to the incident, customer reimbursement, after event coverage services, lost revenues or a wide variety of other expenses. Naturally the details of the exact coverage vary and need careful attention to see if this is a viable option in transferring risk.
Mitigation is what we traditionally think about in Cyber security risk. Here we make best efforts to minimize the risks posed by the area. Everything from patching to implementing two factor authentication on critical systems falls into this category. And as a general rule some type of risk mitigation will be engaged in almost every situation identified as a cyber risk.
But as you can see this is far from the ONLY option when faced with a risk.
As you work your way through the Cyber Risk assessment process keep these top level response options in mind. Consider removing risks that are not adding significant value to the business or process. Accept the risks that are small and not worth the time, money and effort. Transfer risks that have good external solutions to the right party. And mitigate all the risks that exist.