Building a Practical Cyber Security Risk Awareness Strategy

Nick Denning, CEO of IT consultancy Diegesis and veteran of multiple public sector IT transformation projects shares his thoughts on what makes a successful risk awareness strategy.

Risk management involves:

  1. Identifying possible future events which could impact the business.
  2. Assessing the probability of each materialising and the size of the potential impact.
  3. Identifying possible mitigation actions to reduce the probability or impact.
  4. Preparing contingency plans to recover after a risk has materialised.
  5. Deciding whether carrying out mitigation tasks is worth it at the appropriate time given the risk level then applying.

Risk Management in practice

A practical example of risk management is pouring concrete for building foundations. If more than a certain amount of rain falls within 24 hours the foundations may be ruined. After identifying such a risk, we need to assess the likelihood and impact of rain including costs, delays and financial penalties.

Mitigation activities to reduce the probability of the risk occurring might include:

  1. Pay for advanced weather forecasting.
  2. Cost the digging of a protective trench ensuring effective drainage.
  3. Obtain insurance costs/lead times.

Contingency planning in the event of the risk happening might identify the cost and resources needed to dig out the foundations and have them ready for a re-pour. This is practical risk management carried out by experts based on an informed decision to deliver the best outcomes for the project.

The difference between Operational and Project Risk

Operational risks are those which affect an organisation carrying out its regular business and there are two sorts. Frequency risks are expected to occur on a regular basis and we can predict the cost of these over a period.  Catastrophe risks are unexpected and might happen only once every 20 years.

Project risks relate to a plan to deliver a particular outcome.  External risks might include a new competitor affecting the business case.  Delivery risks relate to the ability to complete the required tasks on time, within budget and to the specification needed.  A Monte Carlo simulation can predict the aggregated risk across all tasks in the project and show which mitigation and contingency tasks may reduce the overall cost.

Cyber Security Risk is an Operational Risk issue

Cyber security risk is predominantly an operational risk issue, where persistent though changing security threats are ever present. Cyber security is applicable to projects in that any technology being used or delivered by a project must embrace security by design, and comply with applicable standards.

An organisation’s defence needs to be proportionate to the level of risk. It should be balanced so that a major investment in one area is not circumvented by weaknesses in other areas. It also needs commitment at a senior/board level to ensure it is taken seriously across the organisation.

Cyber Security Risk Awareness Strategy

We manage cyber risk using the same mechanisms that we use for any other risk management.  However, there are significant differences in the nature of cyber risks compared to other risks. In traditional risk management, the risks associated with a particular requirement or business function tend to change slowly over time. In the cyber world the landscape is far more dynamic.

Data stored by an organisation or department is attractive to criminals. New technology can introduce fresh vulnerabilities. These can be exploited by threat actors before software patches or fixes can be implemented. These factors necessitate a more rigorous approach to cyber risk assessment. Rather than carrying out a point in time exercise, potentially every configuration change, product patch or upgrade needs to be risk assessed and authorised by the organisation potentially via a Change Advisory Board.

A key element of a cyber risk management strategy is to acknowledge that some attacks will be successful.  Creating multiple layers of protection with appropriate monitoring and alerts means a successful attack on one layer can be detected giving time to enact contingency plans, before the next layer is penetrated and as a consequence the overall attack is defeated.

Effective Risk Awareness

Cybercriminals use psychology to manipulate individuals and deceive them into compromising security measures.  We need to ensure that cyber security risk is constantly in people’s minds and that they are regularly reminded how to recognise threats.

An effective cyber risk awareness strategy needs to include:

  1. Onboarding training including all topics in the organisation’s security policy in digestible sections relevant by job function.
  2. Regular exercises to verify staff have absorbed training and are following policies with reminders of the consequences.
  3. These exercises need to be varied, interesting and made relevant to each individual.
  4. Re-assessments and changes to the probability/size of impacts need to be communicated so people realise when there is a heightened risk level.
  5. Engage everyone to report attacks or near misses to update the threat level so colleagues can take immediate action.
  6. Staff must understand it’s their obligation to report suspected attacks without blame.

The biggest risk is complacency resulting in people discounting the probability of a risk affecting them.

Characteristics of poor risk awareness

The tell-tale signs of a poor risk awareness strategy include:

  • A policy ignored, creating a sense of false security
  • No method of detecting whether attacks are occurring
  • No way of disseminating information
  • No effective security officer responding to alerts and taking action.
  • No support systems
  • No security assessment process as part of procurement
  • Poor unrefreshed training that falls into disrepute
  • No testing of users on their training.

Priorities for a Successful Risk Awareness Strategy

The Director of Security must be able to monitor and audit policy compliance and take action if required.

To increase protection, create a ‘White List’ of approved software products/apps. Any other software must be removed and improper installations investigated. Despite clear instructions, individuals often neglect to remove unapproved software.

To tackle compliance challenges, use Vulnerability Assessment tools to detect and remove or disable non-compliant software, outdated software or software containing new vulnerabilities.

Deploy a system administration tool enabling administrators to remove the unauthorised software remotely. Taking concrete action makes it evident to employees that failure to follow the policies is unacceptable and that a technology solution will be monitoring and maintaining a secure environment.