Cyber risk management: Basics for your business
Cyber threats had been steadily increasing before the pandemic, but as remote work becomes the norm and international tensions stoke the fear of cyber warfare, we’re entering a new stage of cyber crisis. For businesses today, self-preservation depends on focused cybersecurity and risk management.
How do you manage your cyber risk? You can take some tried-and-tested steps to a better cyber posture, plus a few helpful principles to keep you on the right path. A strong cybersecurity risk management strategy will be:
- Active and continuous
- Based on your unique operation
- A company-wide responsibility
No need to feel overwhelmed — it’s easy to get your cybersecurity program started. Here’s a rundown of what’s driving cyber risk today, the keys to managing that risk, and tips to build a responsive cyber strategy that will serve you well for years to come.
Cyber risk in 2022
The rise in cyber risk might be alarming, but it shouldn’t be too surprising. Simply put, more technology and more digital dealings will lead to more opportunities for bad actors to do damage.
The internet of things (IoT) is growing at breakneck speed, and experts estimate there will likely be more than 27 billion IoT connections by 2025. More people are interacting online, too: in the last decade, the global average for daily time spent on the internet more than doubled from around 75 minutes to 170 minutes per day.
Clearly, it’s more important than ever to manage cyber risk. It’s also more difficult to do so, as risk tracking and response planning are complicated by things like:
- Sensitive data sharing. More information is shared with more third-party vendors than ever before, and that makes for more outside risk to track.
- Compliance challenges. There’s a growing set of rules, regulations, and laws that govern data use and protection (and penalties for disobeying them).
- Changing work environments. The pandemic pushed more people to remote work, and now unsecured devices and networks are commonplace.
- Tighter budgets. The economic challenges that have sprouted in recent years means many must trim (or slash) operating costs, including cybersecurity.
Since these challenges are probably here to stay, you’ll need to adapt. Start with a plan to coordinate your team, aligning on top priorities and targets.
In order to become cybersecure (and stay that way), your risk management strategy needs to be active, shared, and customized.
Building your cybersecurity posture
Every business has a cybersecurity posture, a combination of the strength of the cybersecurity controls and the team’s ability to respond quickly and effectively after a cyber attack. Understanding your cyber posture is the first step to improving it, and that’s where a professional security assessment can help.
Once you know where to focus, you can create an action plan to combat your risk. In order to become cybersecure (and stay that way), your risk management strategy needs to be active, shared, and customized.
Why active risk management?
Trends in cybercrime can be difficult to predict. Some threats like phishing have always been around and continue to cause trouble. Other cyber threats — like double and triple cyber extortion — are testing new tactics and raising the stakes.
If you want to stay on top of this moving target, your team must stay active: monitor the evolving risks, address your vulnerabilities, and respond to threats continually. Using the right tools to automate some of this responsibility will save significant time and effort.
Sharing the responsibility
Working in silos can be a challenge to efficiency, if not a recipe for disaster. When it comes to cybersecurity, your team needs to operate in tandem to ensure everyone is on the same page and there’s a careful division of responsibilities. After all, so much cybercrime depends on small, forgotten gaps, like those that can surface in a disconnected team.
While a single lead can be assigned to oversee each main responsibility, every employee needs to abide by the cyber rules.
No matter the size of your business, everyone should understand what it takes to defend against cyber threats. Here are some security obligations to share:
- Creating policies to determine third-party cyber risk
- Monitoring emerging risks and proposing ways to stay ahead of them
- Auditing tools, processes, and habits to find internal vulnerabilities
- Training teams with up-to-date materials and tested protocols
Accountability is key here. While a single lead can be assigned to oversee each main responsibility, every employee needs to abide by the cyber rules.
Tailoring to your team
Managing your cyber risk means understanding the source of your vulnerabilities, and then determining how best to prioritize your response.
System security, compliance, and employee training can (and should) all play a role in your cyber strategy. However, your industry, type of operation, size of business, and degree of digital reliance all play roles in determining how you focus your efforts.
If your budget is tight, you’ll want to choose tools and processes that can deliver the most protection without having to hire (or expand) an internal security team. Finding out where and how to streamline things can take a bit of research, but choosing a consolidated cyber technology solution is one good option.
NIST Framework
Wondering where to begin? The NIST cybersecurity framework will be a helpful guide as you build your own cybersecurity program.
The US National Institute of Standards and Technology (NIST) outlines five components to organize your cybersecurity, from understanding your risk all the way to recovering from a cyber attack. Here’s a brief overview (you can find more details and resources on the NIST website):
1. Identify
What to do: In the first phase, you’re identifying the risk your business faces — the cyber threats that are most likely to exploit a vulnerability and damage your operation.
Where to begin: A cyber risk assessment is a great place to start. Working as a team, you can categorize your assets and prioritize them, define threats and pinpoint vulnerabilities, and then estimate the likelihood and potential impact of those events.
2. Protect
What to do: This is where you must choose, develop, and implement the security measures that will safeguard your infrastructure, services, and general operations.
Where to begin: Determine which risk mitigation measures you have in place, then fill in the gaps. Software solutions like offsite data backups and multi-factor authentication (MFA) are crucial features; cybersecurity training programs can complement your technology.
3. Detect
What to do: You’ll need the right processes and tools to detect a cybersecurity incident as soon as it occurs, so you can respond quickly to limit the damage.
Where to begin: Endpoint detection and response (EDR) has never been more important to adopt. EDR continuously detects and blocks suspicious activity to protect your business devices from ransomware and other malware.
4. Respond
What to do: Your cyber response should be collective, orchestrated, and rehearsed: effective collaboration and focused teamwork can make all the difference in the heat of the moment.
Where to begin: Build an incident response plan that lays out roles and responsibilities, resources to use, processes to follow, directions for containment, and communication to follow a cyber event. Then, practice that plan.
5. Recover
What to do: Determine how you’ll restore your systems and services after an event to keep your business on track and avoid ongoing consequences.
Where to begin: Every company should have a disaster recovery plan that serves as a guide to restore data and operations after an incident, and a business continuity plan that outlines how to keep things running while you recover. You can find plenty of templates to help you make your plans.
Whatever elements your risk management strategy takes on, commit to regularly reviewing your risk and how well specific measures are working. Monitor regulatory changes, internal technology (beware of shadow IT), and vendor risk to ensure your risk management strategy stays relevant.
Methods to mitigate cyber risk
When it comes to actively limiting your risk (step 2 in the NIST framework), there are a number of avenues, tools, and practices at your disposal. You can build more and more into your cyber risk management strategy over time, but you have to start somewhere — here are some easy methods to implement that promise good results.
Phishing training and tracking
Social engineering is a favorite attack vector, and tactics are advancing. Slight changes to official URLs, cleverly disguised forms, urgent appeals, and a host of other sneaky elements can compel you to open the gate to your system in an instant.
Stay on top of phishing trends as you learn (and teach) how to recognize suspicious messaging. A chain is only as strong as its weakest link, so make sure you periodically refresh your team on how to spot a phishing message and how best to handle it.
Smart password management
Passwords are often the first line of defense, but they’re certainly not the strongest. Did you know that 80% of data breaches are linked to poor or reused passwords? Add to that the tendency to forget passwords as you accumulate them, and suddenly your security strategy can seem a bit shaky.
Improve your password management by using a password manager and multi-factor authentication, never reuse a password, and keep in mind that length is more important than complexity.
The Principle of Least Privilege (PoLP)
The more people who have access to a system, device, or collection of data, the more potential points of vulnerability. The Principle of Least Privilege means giving a person the privileges they need to complete their task, and nothing more.
Traditionally, businesses relied on firewalls to keep outsiders out and allow insiders full access to the network (known as the castle-and-moat model). However, there are all sorts of ways to cross this “moat” and wreak havoc; the PoLP limits the pathways that could lead to a breach, as well as the scope of damage that can be done.
Up-to-date technology
Stale software is a big problem for businesses: around 95% of websites run on outdated software with known vulnerabilities. Patch management (that is, testing and installing system updates promptly) can significantly reduce the chance that an attacker will find a weak spot to exploit.
You’ll also need a few other cybersecurity features, like data backups and MFA to defend against account compromise and ransomware. Favor cybersecurity tech that will fit easily into your existing tools and processes, so it doesn’t take extra work from your team to keep your systems secure.
Comprehensive cyber insurance
Smart risk management will go far, but even the most robust digital defense could be breached. Cyber insurance is your safety net, a mechanism to limit loss and damage from a devastating cyber attack that could sideline your operations for days, weeks, or months.
Aside from the key coverages, your cyber insurance policy should give you access to reputable incident response partners who can be essential to your recovery. From legal counsel to forensics and credit monitoring services, the right incident response team can take much of the burden off your shoulders and save you from an array of recovery costs.
Want to learn more about cyber coverage considerations? Check out this article from Elpha Secure’s Chief Underwriting Officer on how to get cyber insurance for your business.