Develop a Cybersecurity Risk Management Plan for Your Business

Blog
March 31, 2023

Now that companies can automate everything from customer services to procurement compliance, they’ve become more responsive and efficient than ever. However, this heavy reliance on connected technology has made every organization far more vulnerable to cyberattacks.

In this article, we set out how to defend yourself against cybercriminals and how to respond if a hacker gets into your systems. We explain:

  • What cybersecurity risk management is
  • What’s at risk if you fall victim to a successful cyberattack
  • How to create an effective cybersecurity risk mitigation strategy for your company
  • Why you need a security team to help your business respond if your IT systems are breached
  • The most frequently asked questions on cybersecurity risk management

What Is Cybersecurity Risk Management?

Cybersecurity risk management describes the approach taken by a business or organization to defend itself against data breaches and losing control of its IT network.

Public and private sector organizations that don’t have a cybersecurity risk management program are vulnerable. They risk having their critical infrastructure and information systems fatally compromised by hackers.

Without active cybersecurity risk management procedures in place, you’re at heightened risk of:

  • Loss or theft of sensitive data: You can lose access to and control over vital business information like your commercial secrets, intellectual property, customer database, and financial information.
  • Being shut out of your IT network: You may not be able to access your apps, website, and other technical systems for a prolonged period of time, stopping you from doing business.

Who Are You at Risk From?

The two main sources of threat you need to be concerned about are:

  • Cybercriminals: Worldwide, cyberattackers caused estimated losses of $10.3 billion in 2022. They are motivated criminals who are always adapting their techniques and tactics to maximize their chances of success.
  • People you know: Human error is why cyberattacks succeed. Most of the time, your employees do things (or don’t do things) that make you vulnerable. And sometimes, that gives a big-enough window for a hacker to get in. You also may be vulnerable to an internal bad actor, like a disgruntled employee or ex-employee, whose access rights have not been revoked yet.

What Are the Threats?

A robust cybersecurity risk management strategy is your business’s front-line defense against a variety of threats. Here are just a handful of the cybersecurity threats and cybercrimes you need to prepare for.

Malware 

Malware is software that’s specifically designed to compromise or damage IT systems. Hackers often hide it in email attachments, and it gets onto your network when employees open those attachments. Examples of malware include:

  • Keystroke loggers: They track and send back the keys a user presses to give cybercriminals clues on what people’s usernames and passwords are.
  • Cryptocurrency mining software: They perform complex, processor-intensive calculations to mine Bitcoin and other cryptocurrencies. This can make your IT systems grind to a halt or, in the worst cases, cause them to permanently malfunction.
  • Malware download enablers: They create backdoors through which further unwanted malware can be downloaded without your knowledge.

Phishing Attacks

Phishing is when cybercriminals use email, phone, and text messaging to try to trick employees into sharing private information, like usernames and passwords, to get access to your company’s Wi-Fi network, online supplier accounts, and online banking logins.

Ransomware

In a ransomware attack, hackers freeze your computer system and/or block access to your company’s sensitive data. They hold your systems and data hostage until you pay them a ransom. However, even if you do pay up, there’s no guarantee that they will follow through on their word.

Identity Theft

Cybercriminals hijack your credentials to change your business details at banks, credit unions, and other financial institutions. They do this to take out loans without your knowledge. Cybercriminals may also use your employee and customer information to carry out identity fraud against them.

DDoS Attacks

Distributed Denial of Service (DDoS) attacks overwhelm your website or IT network with sometimes millions of simultaneous requests for information. Too many requests and your system will slow down or crash. DDoS attacks can cost millions to businesses that rely on online sales or remote communication.

Internet of Things (IoT) Attacks

Often, connected devices like printers, door access panels, and security systems don’t have the same high level of protection as other network equipment like Wi-Fi routers. This provides hackers with an easier way to break into your IT system.

Man-in-the-Middle Attacks

Cybercriminals often create spoof Wi-Fi connections in public places. They do this to trick people into logging on to them so that they can eavesdrop on those people’s browsing.

What Are the Risks of Getting It Wrong?

If your IT system and information security are compromised by cybercriminals, you may be subject to the following:

  • Financial loss: You may lose money from theft and fraud. Plus, you won’t be able to do business while your systems are down.
  • Reputational loss: You’re likely to lose customers who don’t trust you to keep their data safe.
  • Legal costs: You may be liable for state fines depending on your location. In addition, affected customers and stakeholders who have suffered a loss may bring a class-action lawsuit against you.
  • Remedial costs: Depending on the level of damage, you may have to pay out a lot to developers and system experts to return your systems back to normal.

4 Steps to Build Your Own Cybersecurity Program

Take the following four steps to build a customized strategy for managing cyber risk to protect your business or organization.

1. Decide What’s Important to Your Business

Make an inventory of all the data your business holds and delete the information that you no longer need.

You then need to decide how much access individual employees have to the data. For example, your reception team won’t need to see as much customer data as someone in sales or customer support.

The more you restrict access to information internally, the harder it is for hackers to get at it during an attack.

2. Run a Risk Analysis on Your IT Systems

Check that all the software and apps on your systems are up-to-date with the latest patches and that employees still actually use them.

Employees can compromise your IT security if your terminals allow the use of devices like CD-ROMs and memory sticks. They may accidentally upload viruses to your system from these devices or intentionally download valuable data without you knowing.

Likewise, “bring your own device” (BYOD) policies add extra vulnerabilities. For example, if an employee loses a tablet that logs in to your system automatically, the person who finds it now will be able to do the same. You might also want to make a list of all devices that you allow to connect to your network.

3. Up Your Security Controls

Consider backing information up to the cloud in case you're attacked. Make it company policy that all data is encrypted, especially when moving between your network, the cloud, and individual devices.

Make sure that you have the latest anti-virus software and that your firewall drivers are up to date.

Password management is often weak within companies so you should take control of that. Easy-to-guess passwords make it easy to get into your system.

4. Build Your Human Firewall

According to an IBM study, 95% of all successful cyberattacks are the result of human error. While building up your technical firewall is important, training your people on information security risk will deliver substantially more gains.

Educate your employees on what they need to do if they get a call or email that doesn’t feel right. Set up social media policies stating what information employees are allowed to post online. That’s because many phishing attacks use details people have posted about themselves on social media to trick victims.

Make sure all remote employees connecting to the office, particularly from a public place, do so via a VPN.

Why You Need an Incident Response Team

If the worst does happen, you need a remediation strategy to mitigate the potential impacts of a successful system or data breach.

Remediation is the process by which you get back control of your data and IT systems so that you can safely resume normal business activities.

Depending on your IT team setup, you may need to include third-party contractors on your remediation team. Team members should include:

  • An incident manager: They lead the overall response, generally working closest with the heads of departments most affected by the breach and the technical lead.
  • A technical lead: They investigate how hackers got in so that they can identify, repair, and secure the affected systems.
  • HR representative: You should involve them if your employees have been affected in some way by the attack. This is particularly important if you think an internal bad actor may be responsible.
  • Legal representative: Depending on what data has been lost, your legal representative will need to stay in communication with the incident manager and, if necessary, a regulator.
  • PR/Marcoms: No matter the size of your business, you need someone to be able to explain your side of the story to customers, employees, other stakeholders, and, if necessary, the media.
  • Incident coordinator: The coordinator records all the steps you take during the remediation exercise in case this is needed later in a legal defense.

Cybersecurity Risk Management Plan FAQs

Below, find the most frequently asked questions about cybersecurity risk management from the viewpoints of CISOs, CTOs, and compliance managers.

What Are the Main Cybersecurity Frameworks?

Your cybersecurity risk management framework must reflect your business’s particular needs and vulnerabilities. You could take inspiration, however, from one of the five established frameworks.

DOD RMF

The Department of Defense (DOD) Risk Management Framework (RMF) governs how DOD-connected agencies and organizations assess and manage risks associated with cybersecurity. This approach splits the process into the following six steps: categorization, selection, implementation, assessment, authorization, and continuous monitoring.

FAIR

The Factor Analysis of Information Risk (FAIR) framework is a three-step approach that aims to understand, measure, and analyze information risks when an organization is creating best practice guidelines on cybersecurity.

ISO 27001

One of the most established frameworks, ISO/IEC 27001 is a set of requirements for managing risk that organizations must meet to be certified as secure. The ISO/IEC 31000 standard is designed for enterprise risk management.

NIST CSF

The NIST cybersecurity framework, published by the National Institute of Standards and Technology, uses these five steps: identification, protection, detection, response, and recovery.

PCI DSS

The Payment Card Industry Data Security Standard (PCI DSS) consists of 12 requirements your business or organization must adhere to so that you have a safe cardholder data environment.

What Are the 5 C’s of Cybersecurity?

The five C’s of cybersecurity are:

  1. Consent: You must have informed consent from users whose data you collect, store, and use on your IT systems.
  2. Clarity: You must be clear and transparent with users on what data you collect, how you use it, and who you share it with.
  3. Consistency: You must make sure that the way you use data is consistent and predictable so that users can make informed choices about their data.
  4. Control (and transparency): You must hand control over to users when it comes to their data.
  5. Consequences (and harm): You must think about what consequences and harm users might have to deal with from the way you collect and use their data.

What Is the Difference Between Inherent and Residual Risk?

Inherent risk is the risk of sensitive data loss if you don’t have controls in place to prevent it. Residual risk describes what potential risks still remain after you put controls in place.

What Is the Difference Between a Risk and a Vulnerability?

A vulnerability is a weakness in your data security posture that makes your company susceptible to cyberattacks. The risk is the potential legal, financial, or reputational damage to your business or organization from these security threats.


Handling Cybersecurity Risk Management Across Your Business

Certa offers clients full-spectrum third-party risk coverage across every domain, including infosec. You can benefit from deeper insights into suppliers' cybersecurity positions with our SecurityScorecard, CyberGRX and Mastercard RiskRecon integrations.

Talk with our experts today to discover how Certa can make your data safer at all levels of your supply chain.