How to Mitigate IT Security Risks: Best Practices for Effective Risk Management

Cyber security risk management (Adobe Firefly AI)

In some ways cyber security risk is just like any other risk that businesses must factor in – geopolitical risks, natural disasters, supply chain challenges, regulation, and compliance risks and so forth.

This is important, because when you communicate with leadership in your organization, framing it in risk terms will yield much better results than using geek speak. On the other hand, cyber security risks can be very different to other risks as they’re often harder to quantify.

One way this can be seen is in cyber security insurance. Only a few years ago, this was a simple exercise (at least in smaller businesses) where you answered a limited number of questions around your security posture and were given insurance at a relatively low premium.

However, half a decade of “big game hunting” ransomware attacks with payouts in the millions have changed the insurance game considerably. Now, the questionnaire is much more comprehensive, and the premiums are much larger, with more exclusions and limitations– with some insurers even exiting the market.

The reason is that there’s not enough stable statistics for insurers to really work out the actual risk – compared to say the risk of a fire in an office building, or an earthquake in a particular area.

They have many decades of statistics in those areas to base their modelling on – whereas cyber security is such a rapidly changing landscape, where even organization with mature security practises and strong cyber hygiene still become victims of the criminals.

The best way for a business to tackle this problem is to develop a risk management plan and keep it alive with regular updates.

There are various frameworks you can base your plan on – and depending on which country or countries your business operates in, as well as the demands in regulatory frameworks that you must comply with, you might be locked into a particular one. Here we’re going to use NIST 800-30 to base the discussion on.

It’s got four steps:

1. Prepare for Assessment
2. Conduct Assessment
3. Communicate Results
4. Maintain Assessment

We’re going to focus on step 2 which has five tasks:

1. Identify Threat Sources and Events
2. Identify Vulnerabilities and Predisposing Conditions
3. Determine Likelihood of Occurrence
4. Determine Magnitude of Impact
5. Determine Risk

In other words, start by identifying threats which are circumstances or event that could potentially impact an organization’s operations.

Then you look at vulnerabilities which are weaknesses in a system, security procedure or implementation that a threat can exploit (think broader than just software bug vulnerabilities). And, since no organization is an island as we’ve learnt over the last few years of supply chain attacks, a vulnerability in a supplier or vendors system can impact your business.

When you combine the threats with the vulnerability you can then assess the consequences, if this threat takes advantage of this vulnerability, what will the consequence be?

Making a cyber risk management plan (Adobe Firefly AI)

In concrete terms, identify all your assets and prioritize them based on importance to the business. Then find all (known) vulnerabilities and threats in your environment. Apply security controls to mitigate vulnerabilities, based on the priority of the affected assets.

Then determine the likelihood of a threat event occurring and estimate the potential consequences. This is then a matrix of all the risks that you can use to prioritize and manage risk decisions and responses.

Three things to note here – first it’s really easy to write a paragraph like this, it’s a whole different ballgame to actually do it – particularly in a large business.

Secondly – identifying all vulnerabilities is impossible because there are so many that you don’t know about.

But the point is that you have to start somewhere, if you don’t bother to identify the known vulnerabilities, just because there are ones you don’t know about yet, you won’t get a version 1 of the plan, that you can then iterate on as more information comes to light.

And thirdly, this whole exercise isn’t something the IT department, or the security team can do on their own – this takes involvement by representatives from the whole organization, who’ll each have a view of the risks, vulnerabilities, and threats to their part of the business process.

Now that you have identified, prioritized, and assessed the risks, it’s time to start looking at the appropriate controls to mitigate these risks.

These range from low-tech approaches such as if the accounting department receives an email notification about a change of bank account details from a supplier, they follow up with a phone call to verify this (to a known phone number, not the one supplied in the potentially fraudulent email).

To address security flaws in systems and applications, apply patches as soon as possible, based on the business priority of the asset.

And to mitigate identity-based attacks, ensure that users are logging in using strong authentication such as MFA, and move towards phishing resistant systems such as Windows Hello for Business, Passkeys and FIDO 2 hardware keys.

There are many other risk mitigation approaches: to stop inadvertent data sharing, use a Data Loss Prevention tool, to maintain data governance use an Information Protection tool, to manage the risks from staff (either inadvertent or intentional) apply an Insider Risk process and tool, to minimize the risks from malicious emails use a strong email hygiene solution, and for times when these controls fail, ensure continuous Security Awareness training.

If you need to reign in data sharing, in general or if you’re preparing to roll out Copilot for Microsoft 365, use a good data governance tool.

Remember, this isn’t about new shiny tools that’ll solve all your security problems, it’s about having a plan, with both identified and prioritized risks and building mitigations to the risks just like you do in any other area of your business.

Fire is a risk in an office building, so you mitigate the risk by installing smoke detectors, fire extinguishers, and train your users with evacuation drills.

However, if you have a plant with flammable chemicals, the risk mitigation will include additional systems to minimize the risk. In the same way you must have baseline security controls to mitigate “normal” cyber risks, but more stringent controls for administrative accounts or Domain Controllers.

When calculating the potential monetary damage to your business don’t forget to include operational costs (time and effort to restore systems), perhaps the cost of the ransom itself if that’s the attacks and you do decide to pay, but also fines for non-compliance with regulations.

There’s the cost of loss of clients or potential new sales that won’t be realised, and the overall loss of trust which can be hard to quantify.

The plan is only version 1.0 once you have it in place – it’ll require continuous maintenance (quarterly reviews?) as vendors and suppliers change, IT systems are updated and changed, regulations are altered and the security landscape itself changes (daily).

Remember that there will be some risks that you can’t fully mitigate, at least not without investments far beyond the actual business value of the vulnerable assets, and these risks must be documented and accepted.