The overall risk total is derived by adding consequences and likelihood.
Consequence is the level of potential harm or damage to an asset or organisation if a given threat were to exploit a given vulnerability.
Likelihood is the level of certainty that an incident will occur.
The business must decide, however, what risk score is unacceptable and requires urgent treatment. This is called your ‘risk appetite’ and it is influenced by such things as legislation, regulation, contractual agreements and so on. Any risk that surpasses your risk appetite will be your top priority.
Step 4: Risk Treatment
There are 4 different ways to treat a risk.
Decrease: by implementing controls such as antivirus software, firewalls or a patching schedule.
Avoid: such as banning people from using personal devices to store company data.
Transfer: such as purchasing cyber insurance.
Accept: because the cost to do something about it doesn’t justify the effort. If you choose this option, always document your reasons and any circumstance in which the decision should be reviewed.
People always go for the most expensive option when attempting to decrease a risk. Be aware, however, that most risks exist because of human behaviour, not because of technology. Sometimes, therefore, a creative approach with minimum investment can make all the difference. Also remember that any form of risk treatment that mitigates multiple problems and requires little investment is a ‘quick win’. Keep an eye out for quick wins.
With this in mind, adapt the table:
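The register that Steps 3 and 4 describe, as an added Python example (not code from the article): each row scores consequence and likelihood on the 1 to 5 yardstick, the total is the sum as the article states, rows above the risk appetite are sorted as top priority, an Accept decision must carry its documented reason and review trigger, and cheap controls that cover several rows are flagged as quick wins. The sample rows, scores, control names and the appetite of 6 are constructed assumptions.

```python
from dataclasses import dataclass
@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    consequence: int        # 1-5 on Step 3's yardstick (Very Low .. Very High)
    likelihood: int         # 1-5 on the same yardstick
    treatment: str = ""     # Decrease, Avoid, Transfer or Accept
    control: str = ""       # control chosen for Decrease/Avoid/Transfer
    accept_reason: str = "" # required when treatment is Accept
    review_when: str = ""   # required when treatment is Accept

    @property
    def score(self) -> int:
        # The article derives the overall total by adding consequence and likelihood
        return self.consequence + self.likelihood

def problems(risk: Risk) -> list:
    """Check one register row against the rules the article states."""
    out = []
    if not (1 <= risk.consequence <= 5 and 1 <= risk.likelihood <= 5):
        out.append("consequence and likelihood must be 1-5")
    if risk.treatment not in ("", "Decrease", "Avoid", "Transfer", "Accept"):
        out.append(f"unknown treatment {risk.treatment!r}")
    if risk.treatment == "Accept" and not (risk.accept_reason and risk.review_when):
        out.append("Accept must document the reason and when to review it")
    return out

def prioritise(register: list, appetite: int) -> list:
    """Risks whose total surpasses the appetite, highest total first (stable order otherwise)."""
    return sorted([r for r in register if r.score > appetite], key=lambda r: r.score, reverse=True)

def quick_wins(register: list, cheap_controls: set) -> list:
    """Cheap controls that mitigate more than one risk in the register."""
    counts = {}
    for r in register:
        if r.control in cheap_controls:
            counts[r.control] = counts.get(r.control, 0) + 1
    return sorted(c for c, n in counts.items() if n > 1)

# Constructed sample register (assumed scores and controls, not from the article)
REGISTER = [
    Risk("Laptops", "Theft", "Lack of encryption", 4, 3, "Decrease", "Full-disk encryption"),
    Risk("Email", "Social engineering", "Lack of training and awareness", 4, 4, "Decrease", "Staff awareness training"),
    Risk("Website", "Vandalism", "Poor passwords", 2, 2, "Accept", "", "Static brochure site, little to lose", "If the site starts handling customer data"),
    Risk("Customer data", "Unauthorised access to data", "Lack of training and awareness", 5, 2, "Decrease", "Staff awareness training"),
]
RISK_APPETITE = 6  # assumed appetite: any total above 6 is a top priority
```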
Step 5: Frameworks
There are multiple risk frameworks out there, which can help.
NIST 800-37 is used widely in the States and is free to download.
OCTAVE Allegro is good for small businesses and the non-technical.
ISO 31000:2009 is internationally recognised and flexible.
Other publications can help you treat risks. ISO 27001 Annex A, for example, gives you 114 controls to mitigate risk, and NIST SP 800-53 does something similar. You could develop a table like this:
Step 6: Action Plan
Making sure your controls are implemented can also be done with a simple table:
Step 7: Review
Regular risk assessment is important because it enables your organisation to be proactive about threats and to exploit new opportunities by weighing the benefits of new technology. But the process has to be ongoing to be responsive to changes in the business environment.
THREATS: Breach of contract, Breach of legislation, Code injection, Denial of service, Electronic eavesdropping, Escalation of privileges, Fraud, Fire, Flood, Hardware failure, Industrial espionage, Interruption of business operations, Loss of internet connectivity, Loss of power, Malware (virus, worms, Trojans, Keyloggers etc.), Misinformation, Social engineering, Theft, Terrorism, User error, Unauthorised access to data, Unauthorised access to IT systems, Unauthorised access to work site, Unauthorised changes to data, Unauthorised changes to IT system, Unauthorised access to software, Unauthorised use of software, Vandalism (of website, social media accounts)
VULNERABILITIES: Application flaws, Excessive privileges, Lack of anti-malware (antivirus, firewalls, IDS, IPS), Lack of business continuity planning, Lack of data classification & data handling procedures, Lack of disaster recovery planning, Lack of encryption & cryptographic management, Lack of incident response planning, Lack of network segregation, Lack of governance / policies, Lack of software testing, Lack of training and awareness, Poor change control processes, Poor DNS / email filtering, Poor hardware / software configuration, Poor logging procedures & log review, Poor management of supply chain security, Poor on-boarding and off-boarding of staff, Poor oversight of physical assets, Poor oversight of software assets, Poor passwords or multifactor authentication, Poor patch management, Poor separation of duties, Poor vulnerability testing.
Every organisation needs to identify threats and vulnerabilities to their IT systems and the people that use them. Doing so will allow the business to:
Assess the likelihood of adverse consequences happening
Decide how these risks should be dealt with
Without proper risk assessment, it is impossible to properly focus your security efforts. A quick fix, therefore, is to follow 7 steps:
Step 1: Identify Your Assets
What hardware and equipment do you rely upon? (Look around the office or consult your asset register.)
What software do you need? (What is installed on your devices?)
What services must you have? (Which websites do you visit?)
What information do you use? (Look through desktop folders and files.)
What infrastructure have you got? (Do you need an office with utilities?)
What people do you rely upon? (Employees are an asset too!)
In essence, this will give you one giant list. A table in a spreadsheet will do just fine.
Step 2: Identify the threats and vulnerabilities
Next, we need to think about what things threaten these resources and whether they are vulnerable.
A Threat is an event or occurrence that has the potential to cause harm or damage to people, places or things or to adversely affect operations.
A Vulnerability is a weakness in a system or asset, such as a security loophole in software. It might also be a lack of protection of an asset, such as an unlocked server room door.
This can be tricky so we have compiled a list at the end of this article – it’s not exhaustive, but it helps.
Step 3: Rank threats
Finally, we need some form of agreed ‘yardstick’ to gauge how serious the threats and vulnerabilities are, so that everyone scores them consistently.
Perhaps like this: 1 = Very Low, 2 = Low, 3 = Medium, 4 = High and 5 = Very High