Any good security program is multi-faceted, frequently updated, and managed with vigilance.
At Relativity Fest 2019, Darian Lewis—a security architect on Relativity’s Calder7 team—shared with attendees how documenting the risks you may be exposed to can help set an important foundation for building and implementing security best practices.
During his session—“Cyber Risk Reduction in the Legal Environment”—Darian explained the ins and outs of how to assess and mitigate the risks in play for your organization.
What is a Cyber Risk Assessment?
There are two kinds of risk analysis: the theoretical kind that takes place around a conference table (with an undercurrent of fear over the unknown) and the practical kind that uses data to help teams understand their exposure and defend themselves against it.
Darian told attendees, of course, that the practical analysis is the kind you want. And that starts with a formal risk assessment.
His instructions were straightforward: “Create a real, based-in-reality list of risk calculations to help you prevent, prepare for, and confront threats as needed. It will help you determine whether you’re meeting your company’s security goals.”
But what should such a list look like?
Put very simply, a formal risk assessment requires the following steps:
- Start with a statement of intent. Why is building a security protocol important to your organization? How does investing in this priority support company goals? Writing down exactly what your security protocol needs to accomplish will help you frame your responses to different threats and allocate resources to the ones that are most critical.
- Identify your risks. Create a list of potential vulnerabilities—based on existing protocols, lessons from your history or industry news on cybersecurity breaches, and simple common sense (like the risk of a break-in)—at a high level. Capture as many of them as possible to get a full picture. Then, home in on the ones you think are most dangerous.
- Use data to quantify those risks. Online resources and security vendors can help you understand the relative likelihood of a given risk actually affecting your organization based on a number of factors. List these probabilities in your assessment to better understand your vulnerability and prioritize your defenses.
- Map the risks to your existing action plans. You should include a deep understanding of the protocols and action plans you already have in place to deal with each of your highest-priority risks. Don’t have those yet? Start building them.
What to Do with a Risk Assessment
Once you have a risk assessment completed, how can you use it?
According to Darian, there are three simple ways to act on the exposures you’ve identified:
- Mitigate the risk. This is where the real work begins: adding controls to prevent that risk from becoming a threat. You may be able to do this in-house or need to bring in experts to help you plan and execute.
- Transfer the risk. If there’s something you lack the resources to cover yourself, you can transfer the risk by purchasing cybersecurity insurance.
- Accept the risk. This is the worst choice, but there are some things you just can’t do much about (for financial or practical reasons). Still, have a fully baked plan for how to manage them if the worst does happen.
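The four assessment steps above (intent, identify, quantify, map) and the three treatment options (mitigate, transfer, accept) together describe a small risk register. The Python script below is an added illustration of that register and is not code from Darian's session or from Relativity; every risk name, likelihood, loss figure and control cost in it is a constructed assumption, as is the `tolerable_loss` threshold it uses to pick a treatment.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Risk:
    name: str
    annual_likelihood: float        # estimated probability of occurring in a year (0..1)
    loss_per_event: float           # estimated loss in dollars if it does occur
    control_cost: Optional[float]   # yearly cost of a control that would prevent it; None if none is feasible
    action_plans: list = field(default_factory=list)  # existing plans/protocols mapped to this risk

    @property
    def annual_expected_loss(self) -> float:
        """Likelihood times impact: the number used to rank risks."""
        return self.annual_likelihood * self.loss_per_event


# Constructed register: every figure below is an illustrative assumption.
REGISTER = [
    Risk("Phishing leads to credential theft", 0.60, 120_000, control_cost=15_000,
         action_plans=["email gateway", "phishing simulations"]),
    Risk("Unpatched server exploited", 0.30, 250_000, control_cost=20_000,
         action_plans=["monthly patch cycle"]),
    Risk("Office break-in, laptops stolen", 0.02, 80_000, control_cost=3_000),
    Risk("Regional data-center outage", 0.02, 2_000_000, control_cost=None,
         action_plans=["off-site backups"]),
]


def prioritize(register):
    """Rank risks by annual expected loss, highest first (the 'quantify' step)."""
    return sorted(register, key=lambda r: r.annual_expected_loss, reverse=True)


def unplanned(register):
    """Names of risks with no existing action plan mapped to them (the 'map' step)."""
    return [r.name for r in register if not r.action_plans]


def recommend_treatment(risk, tolerable_loss):
    """Choose mitigate / transfer / accept.

    tolerable_loss is the largest single-event loss the organization could
    absorb on its own; it is an assumed input, not a figure from the session.
    """
    if risk.control_cost is not None and risk.control_cost < risk.annual_expected_loss:
        return "mitigate"   # the control costs less than the loss it is expected to prevent
    if risk.loss_per_event > tolerable_loss:
        return "transfer"   # too large to absorb and no cost-effective control: insure it
    return "accept"         # tolerable, but a response plan is still required


def treatment_plan(register, tolerable_loss):
    """Ranked list of (risk name, annual expected loss, treatment) tuples."""
    return [(r.name, r.annual_expected_loss, recommend_treatment(r, tolerable_loss))
            for r in prioritize(register)]


if __name__ == "__main__":
    for name, ale, treatment in treatment_plan(REGISTER, tolerable_loss=100_000):
        print(f"{ale:>12,.0f}  {treatment:<9} {name}")
    print("Risks with no action plan yet:", unplanned(REGISTER))
```

The ranking is what makes the "quantify" step useful: with a likelihood and a loss estimate per risk, the register sorts itself, and the treatment rule makes the mitigate/transfer/accept decision explicit and reviewable rather than a judgment made around a conference table. Re-running it with updated likelihoods is the "revisit the data" step described later.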
It’s worth noting that a documented risk assessment may be required for purchasing cybersecurity insurance.
Though many people think otherwise, those policies aren’t a catch-all for organizations that don’t have the time or inclination to implement cybersecurity best practices and want to be covered anyway in the event of a breach.
“Insurance companies won’t pay if you didn’t take basic steps to protect yourself,” warned Darian.
Finally, remember that building this assessment is important, but updating it frequently matters just as much. To keep it relevant, revisit the data at least annually—but quarterly or twice per year is best.
“You want to know what you’re defending against, how to spend your dollars, and where to put in other types of resources to help improve security posture,” Darian explained during his session. You can’t do that effectively with information that’s more than a year old.
3 Tips for Basic Risk Mitigation
A risk is the potential of something happening in a statistical sense—whereas a threat is a much more immediate danger. Risk mitigation is about preventing threats from touching you in the first place, and that means proactive procedures that establish appropriate defenses in the right places.
According to Darian, these are some of the most straightforward walls you can start building to prevent risks from turning into threats.
No. 1: Catalog the software and hardware your company uses.
Some of your risk exposure will be relatively straightforward to mitigate. For example, software and hardware vulnerabilities can be managed largely by monitoring your technology providers’ regular security updates and patches, and implementing them as quickly as possible in your systems.
The hard part is knowing which hardware and software your employees actually use and how they access it.
It sounds simple, but it’s a lot easier said than done. Robust IT policies and regular check-ins with teams and employees around the company to capture their technology usage and habits are critical steps in minimizing the unknown.
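The catalog described above is only useful if it can answer two questions quickly: which assets are behind the vendor's latest fix, and which assets nobody can account for. The script below is an added example of those two checks and is not code from the session or from Relativity; the asset names, versions, owners, access paths and vendor release dates are all constructed, and it assumes plain dotted integer version strings.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Asset:
    name: str
    installed: str            # version currently deployed
    owner: Optional[str]      # team responsible; None means nobody has claimed it
    access: Optional[str]     # how it is reached ("internal", "vpn", "internet"); None means unknown


# Constructed vendor data: latest fixed version and its release date (assumed values).
VENDOR_LATEST = {
    "vpn-gateway": ("4.2.1", date(2019, 9, 3)),
    "doc-review-app": ("10.3.0", date(2019, 10, 1)),
    "file-server": ("2.8.5", date(2019, 8, 15)),
}

# Constructed inventory, as captured from team check-ins.
INVENTORY = [
    Asset("vpn-gateway", "4.1.9", owner="network", access="internet"),
    Asset("doc-review-app", "10.3.0", owner="litigation-support", access="vpn"),
    Asset("file-server", "2.8.5", owner=None, access="internal"),
    Asset("legacy-fax-bridge", "1.0.2", owner="facilities", access=None),
]


def parse_version(v):
    """'4.2.1' -> (4, 2, 1); assumes dotted integers so tuples compare in order."""
    return tuple(int(p) for p in v.split("."))


def patch_gaps(inventory, latest, today):
    """Assets older than the vendor's latest release, with days since that release.

    Returns (asset name, installed, latest, days exposed) tuples, longest exposure first.
    """
    gaps = []
    for a in inventory:
        if a.name not in latest:
            continue  # no vendor data; reported by unknowns() instead
        version, released = latest[a.name]
        if parse_version(a.installed) < parse_version(version):
            gaps.append((a.name, a.installed, version, (today - released).days))
    return sorted(gaps, key=lambda g: g[3], reverse=True)


def unknowns(inventory, latest):
    """Assets that cannot be managed because owner, access path or vendor data is missing."""
    findings = {}
    for a in inventory:
        reasons = []
        if a.owner is None:
            reasons.append("no owner")
        if a.access is None:
            reasons.append("access path unknown")
        if a.name not in latest:
            reasons.append("no vendor update source")
        if reasons:
            findings[a.name] = reasons
    return findings


if __name__ == "__main__":
    for name, installed, latest, days in patch_gaps(INVENTORY, VENDOR_LATEST, date(2019, 10, 21)):
        print(f"{name}: {installed} -> {latest} ({days} days behind)")
    for name, reasons in unknowns(INVENTORY, VENDOR_LATEST).items():
        print(f"{name}: {', '.join(reasons)}")
```

The second function is the one that addresses the "hard part" in the text: an asset with no owner or no known access path cannot be patched on schedule, so it is reported even when its version is current.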
No. 2: Build firewalls with tech solutions and threat intelligence.
Securing your network means making it less accessible to bad actors. It’s a no-brainer when you have hundreds or even thousands of employees accessing the internet every day.
Darian drove this point home mathematically for the tech experts in the room: “Exposing every single one of your computers to the internet is increasing your risk surface by a factor of n. Operate with a trust function of zero.”
Conducting regular threat intelligence and implementing security protocols on your networks will greatly reduce your exposure.
Using tools like firewalls to lock out untrustworthy websites and apps, and email gateways to detect malware and phishing before they reach your employees’ inboxes, can eliminate some threats completely.
Practicing threat intelligence can help you account for some of what remains. This could mean regular network scans for suspicious behavior, purchasing threat intelligence data from a trustworthy vendor, and/or regular reporting, logging, and patching of vulnerabilities—all good practices for a strong security protocol.
No. 3: Don’t neglect the non-digital world.
Many data breaches begin at the email level. Hackers evolve quickly, and no amount of malware or phishing filters can keep everything out of your employees’ inboxes. When those digital protections fail, you’re left with human intelligence to thwart threats.
“People aren’t just your weakest point: they’re the strongest, because they’re the first line of defense between you and an attacker when properly trained,” Darian reminded Fest attendees.
Understanding phishing, social engineering, and physical security isn’t just on your team’s list of responsibilities—it’s on everyone’s. So get off the networks and be sure to conduct regular trainings, phishing simulations, and employee handbook updates to keep your whole organization educated on how to help defend the data with which they’ve been entrusted.
According to Darian, this might be the most important step of all.
“If you do anything, you should try to convince everyone that sits in front of a computer in your organization that everything could rest on them,” he said. “They can be a target, and they need to know how to conduct themselves in a way that