Risk awareness and risk management are crucial to safeguarding an organization’s assets from cyber attack, according to conventional wisdom. But how effective are these strategies if businesses are now told it’s not a matter of if, but when, disaster strikes?
This “when, not if” theme arises again and again in modern cyber security discourse – suggesting falling victim to cyber crime is an inevitability. Being targeted, and cyber criminals successfully pulling an attack off, are two different things, though. Risk management and risk awareness are both concepts designed to make life as difficult as possible for an attacker.
When an entire business engages in the process of identifying and evaluating potential threats, these practices can give organizations a certain base level of protection. While many might question whether these efforts – from not just the security teams – are worth the bother if an attack is ‘inevitable’, they might keep organizations just on the right side of a serious incident.
Building risk appetite
Risk awareness and risk management are different things, explains EY’s UK&I government and public sector cyber security lead, Rick Hemsley.
“Whereas risk awareness refers to the proactive measures taken by organizations to educate their employees and stakeholders about potential cyber security risks,” he says, “[risk] management centers around the identification, assessment, and mitigation of potential risks to a company.”
Within these two definitions lie many distinct actions and activities: some technical and some cultural. Among the most important is defining the organization’s risk appetite, ensuring this is understood across the organization, and making sure mitigations are in place that respond to risk appetite.
Risk appetite is a fundamental element of risk awareness and risk management. You can’t protect against everything. A person leaving their home in the morning might get their pocketbook stolen or there might be a water leak while they’re away. They can insure against loss of credit cards and water damage. But only if they’ve assessed the possibility, and put in place a mitigating strategy. They’ll do neither if they don’t think the risks are worth addressing – which is where risk appetite factors in.
Risk awareness is essential
Risk awareness is arguably the most crucial aspect, says David Adams, GRC security consultant at Prism Infosec. “Risk management won’t be effective if risk awareness is not included as a strategy.”
Staff entrusted with implementing controls will only live up to expectations if they understand why it’s important to the organization and are aware of the risks of not acting. But risk awareness isn’t just something for the tech team to consider. It must be embedded in the thought patterns and working practices across the organization.
“The risk management strategy may well advise that personnel only work on encrypted personal applications, and in the risk awareness strategy this would be regularly communicated to staff but made relevant to them, perhaps in the form of awareness training,” explains Adams.
Can we measure how effective risk management is?
One of the issues around promoting risk awareness through an organization is it’s not always easy to measure. A risk management strategy of, say, using threat analysis to identify attempted cyber attacks, and showing which attacks are thwarted, can generate data used to demonstrate how effective these systems are and justify spending on them.
It’s more difficult to measure the effectiveness of risk awareness in this way. An organization can, however, test how well its people understand the various risks it’s identified, and measure how they implement approved behaviors. It can also ensure that strong systems are in place, for example by implementing a zero trust framework for technology.
Frequent and overt testing, as well as measuring people’s attitudes towards risk, can itself alienate staff, as can putting in place technology requirements that feel intrusive to actually getting work done.
The goal should be to guard the organization, not to corral its people. And, in any case, we can’t compare two real-world scenarios – with and without a strong risk awareness strategy in place – to quantify the effect of the strategy.
Does risk management make a difference?
What organizations can do is be aware of the risks humans bring. Last year, the World Economic Forum (WEF) said 95% of cyber security issues could be traced to human error.
Normalising appropriate behaviours can help an organization diminish the risk of human error by increasing awareness of the consequences of certain actions – or absence of certain actions.
The key is for the organization to ensure people feel part of the strategy, not that the strategy is foisted upon them. “A good risk awareness strategy helps create a security-conscious culture across the company, making it more resilient against attacks,” Hemsley tells ITPro.
Adams puts it another way: “Security is the responsibility of us all and people are now much more conscious of this fact. But when it comes to the individual, relevance is key. It’s vital to make the strategy meaningful to staff.”
In the end, risk awareness is a key component of how an organization handles the risks it’s exposed to. When the organization’s people are aware of these risks, and understand how their individual actions can help – or hinder – the organization in facing up to the very real prospect of attacks, they can play a part in mitigation.
When cyber attacks are a matter of when, not if, every possible strategy and mitigation that helps an organization deal with its appetite for risk is a strategy worth having, regardless of how much effort it might take to implement.
See the original article here: ITPro