Risk management, across all disciplines, is of vital importance to businesses. Cyber security is one critical element of risk and has clear implications if it is done poorly (or not at all).
Organisations that misjudge risks can see their business affected by events in the real world: extreme weather conditions, disrupted supply chains, market movements, competitive positioning and foreign exchange rate shifts can all affect business performance. In many of these cases, however, the risks faced are unpredictable and (importantly) accidental; they are the results of things happening that weren’t foreseen. By their nature, this means they can often be quantified statistically in terms of likelihood or impact.
Cyber security also entails an element of chance in managing the risks associated with it, but organisations additionally face deliberate acts that can cause impacts to materialise. Adverse weather disrupting your business isn’t a conscious, purposeful thing; a hacker breaking into a website and stealing data is a deliberate and conscious act.
Cyber risks are diverse and failure to adequately manage them can lead to:
Much has been written about security risk management in the past, and this blog post doesn’t aim to supplement, summarise or supersede any of that. Instead it presents three implications or benefits of doing risk management well, rather than a negative story about getting it wrong.
As a business, if you have good source data about the prevalence, costs or impact of risks you can prioritise which ones are more likely and need attention, and which are less likely or impactful. So, your overall level of risk drops where you have mitigations, countermeasures, controls or checks and balances in place.
Where challenges are well understood, you can operate the business in a way that maximises opportunity, takes sensible risks that you can profit from if they pay off, and manages the problems that do occur.
A simple example might be around remote access. Imagine you have a good technology approach to providing remote working facilities, with users issued with laptops that can be managed – encrypted hard drives, secure builds, reliable networking, strong authentication and good staff awareness programmes built around a mobile work force.
This means you can reduce office space and provide flexible working arrangements that some skilled employees might specifically seek out. Your business is also established in a way that enables it to survive sudden challenges like the Coronavirus isolation rules we are currently living under and operate globally more easily. Handling remote access to systems and protecting data doesn’t have to be an unacceptable risk if it’s understood and managed.
We know from past security incidents that they often don’t come from highly complex and targeted attacks, but from simpler causes or known problems that could have been anticipated or security “own goals”.
Look at the findings of the ICO fine of BA due to poor cyber security basics, or the WannaCry outbreak in the NHS and Maersk (amongst others) exploiting poor patching, or TalkTalk’s SQL injection hack. Basic cyber hygiene – patching, website testing, anti-virus, staff awareness, good password policies – is key.
This is reinforced by the many schemes from various governments that aim to bolster these basic defences. Examples include Cyber Essentials and the NCSC Top 10 in the UK, the Essential 8 in Australia, the cybersecurity health check scheme in the Netherlands and the defence-focussed CMMC standard for DoD supply chains in the US.
Yet still security teams spend a large amount of time firefighting these issues or reporting on the progress in resolving them. Sometimes the time spent reporting itself becomes a resource burden, inhibiting the ability to address the issues that need urgent remediation.
Getting these controls right, and being able to trust that they are operating effectively, is fundamental. By implementing systematic, streamlined measurement and objective monitoring processes, organisations not only benefit from less exposure to risk; they also free up considerable time and resource to think about the more esoteric, complex or organisation-specific challenges they face.
It also means that there is less firefighting in the existing environment, and more availability to contribute positively to new business initiatives, technology transformations and projects. Again, better management of risks.
There is no doubt that awareness of any challenge gives you a starting point from which to work. There is an adage that says:
“You can’t manage what you can’t measure.”
Peter Drucker’s famous axiom simply means that it is difficult to make decisions regarding the management of something if the true status of it is unknown. Is patching a problem? Is patching a bigger problem than administrative privileges? Where are patches a problem and where are they OK?
In security, the threats change all the time – new vulnerabilities on Thursday mean Tuesday’s efforts at patching systems are already obsolete. If data on security risks is out of date by several weeks because that’s how long it takes to assess the state of a control, you are looking at data that represents the past, not the present, when making decisions about what to do and what to prioritise. Worse, if that data is wrong, incomplete, subjective or inaccurate then your decisions could easily be wrong anyway.
So good risk management means good risk metrics; timely data about the environment and controls and priorities that are up to date and trustworthy.
However, security teams are stretched thin, so this accurate risk information needs to be generated directly from controls or automatically with minimal human effort. Human effort means delays, subjectivity and processes that can’t scale. Automated cyber risk audits provide the ‘measure’ that is needed.