In business, there are essentially infinite sources of risk:
and so on.
Of course, you are probably here because you are focused on cyber risk, which is one of the many you need to worry about. While we’ve talked a fair amount about it previously, in this post, we are going to focus on what to actually do about it.
At its core, whenever you’ve identified a cyber risk, you only have four options to address it: avoid, mitigate, transfer, and accept.
Staying on top of cyber risk – and figuring out how to balance it against other business challenges – is what separates the top performing organizations from those who get left behind. So having an effective program and toolset is key.
But in the end, you’ll only be able to pick from four possible actions:
Risk avoidance is the most effective, but most rarely used option. It means terminating a risky product, service, customer, contract, or even employee to eliminate cybersecurity vulnerabilities, regulatory concerns, or potential insider threats.
Many companies are reluctant to do this, however, because they fear losing revenue or incurring other associated costs. While it might seem counterintuitive, though, not all revenue is equally desirable.
Some customers or products may be outside your ideal market, require more resources to maintain, and push you off your development roadmap. Certain vendors may pose higher cybersecurity risks due to their architecture, use case, or compliance implications.
In some cases, the revenue from such sources may be less than the cost of addressing the risk in the first place.
This is when you might consider cutting the risk loose and avoiding it altogether.
It may be a tough decision, and one the business must drive. If an asset or contract owner disagrees with a recommendation to avoid a risk because of the non-cybersecurity implications, they should find another way to address it.
Risk mitigation is a common way to deal with risk and often the first one security teams focus on. It involves applying technical controls such as patches and firewalls as well as administrative ones like policies and procedures.
Some tips to remember when mitigating risks are:
- Use the cheapest control, all other things being equal. Some vulnerabilities can be patched easily and don’t require detailed analysis to fix. This can often be easier than implementing an intrusion detection system rule to detect attempted exploitations of them.
- Consider the whole risk picture when choosing controls. Conversely to the above scenario, a software flaw might be low risk if you can block it with a firewall rule. In that case, you might be able to avoid completely overhauling your product or rebuilding your network to fix it.
- Mitigate the most urgent risks first. A critical vulnerability like log4shell or heartbleed might require immediate action and attention. In that case, it’s best to focus on stopping the potential damage from this emerging issue and temporarily pause other risk mitigation efforts. Ensure your policies and procedures account for these crisis situations so that you aren’t trying to rewrite them on the fly in an emergency.
Risk transfer is a way of shifting the cost of a potential loss to another person or organization. It can be done by buying cyber insurance but also by other methods, such as:
- Negotiating contractual terms with a vendor. Service Level Agreements (SLA) that guarantee a certain level of data availability, confidentiality, or integrity represent a common way to implement this. If the vendor fails to meet the SLA, they have to pay you a penalty fee.
- Stipulating contractual terms with a customer. You can agree with your product’s users on a shared security model that clarifies who is responsible for what aspects of security. If the customer fails to meet their obligations, they agree to bear the consequences.
- Lobbying the government or the public. Finally, you can advocate for laws or policies that protect you from certain types of liability or litigation. If the government or the public agrees to support you, they absorb some of the risk.
Key pieces to remember when transferring risk are:
- Doing it explicitly and in writing. It will be very challenging to recover damages from a vendor if you only have informal agreements with them that aren’t clearly delineated.
- Conducting appropriate diligence to ensure that, if the worst happens, you will actually be compensated appropriately. Cyber insurance contracts are extremely complex and often have many exemptions. Don’t get surprised after a loss event when an insurer denies your claim due to a technicality.
- Ensuring the cost of the transfer (not just direct monetary costs but also legal fees and staff time) doesn’t outweigh the risk being addressed.
Risk acceptance means proceeding despite the possible harm. Although it seems scary, people and businesses accept risk all the time and must do so in order to get through the day.
A very dangerous version of risk acceptance, which is unfortunately far too common, is risk ignorance. Merely pretending a risk doesn’t exist or hoping it will never manifest can come back to bite you badly if it ultimately does.
To avoid this, a best practice is to ensure the risk owner documents acceptance in your risk register. And periodically reviews this decision to determine if circumstances have changed warranting a re-evaluation.
Combining the four methods of avoid, mitigate, transfer, or accept will allow you to manage your risk in the most cost-effective manner possible. Oftentimes situations will require deploying all four techniques against various aspects of a problem.
Having an effective way to track these efforts, assign stakeholders, and ensure follow-up of relevant tasks will be key to ensuring your program succeeds. In all but the most basic systems and organizations, email- and spreadsheet-driven processes will quickly become overwhelming.
So If you want to learn how Scrut Automation can help automate your risk management, please reach out today!