Nick Denning, CEO of IT consultancy Diegesis and veteran of multiple public sector IT transformation projects, shares his thoughts on what makes a successful risk awareness strategy.
Risk management involves identifying, assessing, mitigating, and planning for potential events that could impact a business. This article explores risk management in practice, including the difference between operational and project risk. It highlights the characteristics of poor risk management and the priorities for a successful cyber risk awareness strategy.
It emphasizes the dynamic nature of cyber risks, the need for constant vigilance, and the importance of practical training, communication, and proactive measures to mitigate risks.
The difference between operational and project risk
Operational risks are those that affect an organization in carrying out its regular business, and there are two sorts. Frequency risks are expected to occur on a regular basis, so we can predict their cost over a period. Catastrophe risks are unexpected and might happen only once every 20 years, for example.
Project risks relate to a plan to deliver a particular outcome. External risks might include a new competitor affecting the business case. Delivery risks relate to the ability to complete the required tasks on time, within budget and to the specification needed. A Monte Carlo simulation can predict the aggregated risk across all tasks in the project and show which mitigation and contingency tasks may reduce the overall cost.
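To show how the Monte Carlo aggregation described above works in practice, here is an added example (not code from the article or from Diegesis). It models a constructed three-task project, samples which risks fire in each run, and compares the cost distribution with and without the mitigation tasks; the task names, probabilities and costs are all hypothetical, and the analytic expected cost is computed alongside the simulation as a sanity check.

```python
import random
import statistics
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Risk:
    """A risk attached to one task (hypothetical data model, not the article's)."""
    name: str
    probability: float                              # chance the risk materialises in one run
    impact: float                                   # extra cost if it does (same units as task cost)
    mitigation_cost: float = 0.0                    # up-front cost of the mitigation task, if any
    mitigated_probability: Optional[float] = None   # residual probability once mitigated


@dataclass
class Task:
    name: str
    base_cost: float
    risks: list = field(default_factory=list)


def effective(risk: Risk, mitigate: bool):
    """Return (probability, fixed cost) for a risk with or without its mitigation applied."""
    if mitigate and risk.mitigated_probability is not None:
        return risk.mitigated_probability, risk.mitigation_cost
    return risk.probability, 0.0


def expected_cost(tasks, mitigate=False):
    """Analytic expectation: base costs plus probability-weighted impacts (plus mitigation costs)."""
    total = 0.0
    for task in tasks:
        total += task.base_cost
        for risk in task.risks:
            p, fixed = effective(risk, mitigate)
            total += fixed + p * risk.impact
    return total


def simulate(tasks, runs=10000, mitigate=False, seed=1):
    """Monte Carlo run: in each iteration sample which risks fire and aggregate the project cost."""
    rng = random.Random(seed)   # fixed seed so results are reproducible
    totals = []
    for _ in range(runs):
        total = 0.0
        for task in tasks:
            total += task.base_cost
            for risk in task.risks:
                p, fixed = effective(risk, mitigate)
                total += fixed
                if rng.random() < p:
                    total += risk.impact
        totals.append(total)
    totals.sort()
    mean = statistics.fmean(totals)
    p90 = totals[int(len(totals) * 0.9)]
    return {
        "mean": mean,
        "p50": totals[len(totals) // 2],
        "p90": p90,
        # contingency reserve: the gap between a 90th-percentile budget and the mean
        "contingency": p90 - mean,
    }


def mitigation_worthwhile(tasks, runs=10000, seed=1):
    """True if paying for the mitigation tasks lowers the simulated mean project cost."""
    with_mit = simulate(tasks, runs, mitigate=True, seed=seed)["mean"]
    without = simulate(tasks, runs, mitigate=False, seed=seed)["mean"]
    return with_mit < without


# Constructed sample project (costs in arbitrary units; task and risk names are hypothetical).
PROJECT = [
    Task("Data migration", 40.0, [
        Risk("legacy data formats", 0.30, 30.0, mitigation_cost=5.0, mitigated_probability=0.05),
    ]),
    Task("Integration", 25.0, [Risk("supplier API change", 0.20, 20.0)]),
    # External risk: affects the business case rather than delivery, so no mitigation task
    Task("Go-live", 10.0, [Risk("new competitor weakens business case", 0.10, 50.0)]),
]

if __name__ == "__main__":
    for label, mit in (("without mitigation", False), ("with mitigation", True)):
        r = simulate(PROJECT, mitigate=mit)
        print(f"{label}: expected={expected_cost(PROJECT, mit):.1f} "
              f"mean={r['mean']:.1f} p50={r['p50']:.0f} p90={r['p90']:.0f} "
              f"contingency={r['contingency']:.1f}")
```

The useful output is not the mean but the spread: the 90th-percentile figure is what a project board would budget as contingency, and comparing the two runs shows whether a mitigation task pays for itself in reduced expected cost.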
Cyber security risk is an operational risk issue
Cyber security risk is predominantly an operational risk issue, where persistent, though changing, security threats are ever present. Cyber security is applicable to projects in that any technology being used or delivered by a project must embrace security by design and comply with applicable standards.
An organization’s defence needs to be proportionate to the level of risk. It should be balanced so that a major investment in one area is not circumvented by weaknesses in other areas. It also needs commitment at a senior/board level to ensure it is taken seriously across the organization.
Cyber security risk awareness strategy
We manage cyber risk using the same mechanisms that we use for any other form of risk management. However, there are significant differences in the nature of cyber risks compared to other risks. In traditional risk management, the risks associated with a particular requirement or business function tend to change slowly over time. In the cyber world the landscape is far more dynamic.
Data stored by an organization or department is attractive to criminals. New technology can introduce fresh vulnerabilities, and these can be exploited by threat actors before software patches or fixes can be implemented. These factors necessitate a more rigorous approach to cyber risk assessment. Rather than a point-in-time exercise, this may mean that every configuration change, product patch or upgrade needs to be risk assessed and authorised by the organization, potentially via a Change Advisory Board.
A key element of a cyber risk management strategy is to acknowledge that some attacks will be successful. Creating multiple layers of protection, each with appropriate monitoring and alerts, means that a successful attack on one layer can be detected, giving time to enact contingency plans before the next layer is penetrated and so defeating the overall attack.
Effective risk awareness
Cybercriminals use psychology to manipulate individuals and deceive them into compromising security measures. We need to ensure that cyber security risk is constantly in people’s minds and that they are regularly reminded how to recognise threats.
An effective cyber risk awareness strategy needs to include:
- Onboarding training covering all topics in the organization’s security policy, in digestible sections relevant to each job function.
- Regular exercises to verify staff have absorbed training and are following policies with reminders of the consequences.
- These exercises need to be varied, interesting and made relevant to each individual.
- Re-assessments and changes to the probability/size of impacts need to be communicated so people realise when there is a heightened risk level.
- Engage everyone to report attacks or near misses to update the threat level so colleagues can take immediate action.
- Staff must understand it’s their obligation to report suspected attacks without blame.
The biggest risk is complacency, resulting in people discounting the probability of a risk affecting them.
Characteristics of poor risk awareness
The tell-tale signs of a poor risk awareness strategy include:
- A policy ignored, creating a sense of false security,
- No method of detecting whether attacks are occurring,
- No way of disseminating information,
- No effective security officer responding to alerts and taking action,
- No support systems,
- No security assessment process as part of procurement,
- Poor unrefreshed training that falls into disrepute,
- No testing of users on their training.
Priorities for a successful risk awareness strategy
The director of security must be able to monitor and audit policy compliance and take action if required.
To increase protection, create a ‘White List’ of approved software products/apps. Any other software must be removed and improper installations investigated. Despite clear instructions, individuals often neglect to remove unapproved software. To tackle compliance challenges, use vulnerability assessment tools to detect and remove or disable non-compliant software, outdated software, or software containing new vulnerabilities.
Deploy a system administration tool enabling administrators to remove the unauthorised software remotely. Taking concrete action makes it evident to employees that failure to follow the policies is unacceptable and that a technology solution will be monitoring and maintaining a secure environment.
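The approved-software check described in the two paragraphs above, as an added example that is not the article's or Diegesis's own tooling. It compares a constructed software inventory against a hypothetical allowlist with minimum approved versions and a placeholder vulnerability feed, and classifies each installation as approved, outdated, vulnerable or unapproved with the remediation action to take; all product names, versions and hostnames are made up for the example.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class InstalledPackage:
    host: str
    name: str
    version: str


# Constructed allowlist (hypothetical product names): product -> minimum approved version.
ALLOWLIST = {
    "acme-office": "5.2.0",
    "acme-browser": "110.0.1",
    "corp-vpn": "3.0.0",
}

# Constructed placeholder for the vulnerability assessment feed: (product, version) pairs
# reported as carrying a newly disclosed weakness. Not real advisories.
KNOWN_VULNERABLE = {("acme-browser", "110.0.1")}

# Remediation the administration tool should carry out for each finding.
ACTIONS = {
    "unapproved": "remove and investigate how it was installed",
    "vulnerable": "disable until a patched version is deployed",
    "outdated": "upgrade to the minimum approved version",
}


def parse_version(version: str) -> tuple:
    """Turn '2.9.4' or '2.9.4-beta' into (2, 9, 4); non-numeric pieces count as 0."""
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def is_older(installed: str, minimum: str) -> bool:
    """Compare versions numerically, padding so that '3.0' equals '3.0.0'."""
    a, b = parse_version(installed), parse_version(minimum)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def classify(pkg: InstalledPackage) -> str:
    """Most severe applicable status wins: unapproved, then vulnerable, then outdated."""
    if pkg.name not in ALLOWLIST:
        return "unapproved"
    if (pkg.name, pkg.version) in KNOWN_VULNERABLE:
        return "vulnerable"
    if is_older(pkg.version, ALLOWLIST[pkg.name]):
        return "outdated"
    return "approved"


def build_report(inventory):
    """Return one finding per non-compliant installation, with the action to take."""
    findings = []
    for pkg in inventory:
        status = classify(pkg)
        if status != "approved":
            findings.append({
                "host": pkg.host,
                "software": f"{pkg.name} {pkg.version}",
                "status": status,
                "action": ACTIONS[status],
            })
    return findings


def hosts_needing_action(inventory):
    """Count findings per host so the security officer can prioritise remediation."""
    counts = {}
    for finding in build_report(inventory):
        counts[finding["host"]] = counts.get(finding["host"], 0) + 1
    return counts


# Constructed inventory, as a vulnerability assessment tool might collect it.
SAMPLE_INVENTORY = [
    InstalledPackage("ws-01", "acme-office", "5.3.1"),    # approved
    InstalledPackage("ws-01", "media-tool", "1.0"),       # not on the allowlist
    InstalledPackage("ws-02", "acme-browser", "110.0.1"), # approved version, but flagged by the feed
    InstalledPackage("ws-02", "corp-vpn", "2.9.4"),       # below the minimum version
    InstalledPackage("ws-03", "acme-browser", "111.2.0"), # approved
]

if __name__ == "__main__":
    for finding in build_report(SAMPLE_INVENTORY):
        print(f"{finding['host']}: {finding['software']} is {finding['status']} -> {finding['action']}")
    print("hosts needing action:", hosts_needing_action(SAMPLE_INVENTORY))
```

Two design points matter here: the check is run against a positive allowlist, so anything not explicitly approved is a finding rather than being ignored, and a product that is on the allowlist is still flagged when the vulnerability feed reports its installed version, which is the case that makes the point-in-time policy insufficient.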
The author
Nick Denning is the founder and CEO of Diegesis.