Contributed by: Ken Lynch, Reciprocity Labs. Reciprocity Labs aims to help companies with goals that are good for society, such as improving customer privacy or our environment.
These days companies strive for business intelligence. This comes in many forms, whether monitoring finances or understanding user journeys and engagement to improve the product and operations, the goal is to make the data actionable. For smaller companies this type of analysis may live in various spreadsheets, but as the business scales the need for more flexible systems to handle larger data sets becomes apparent. Infrastructural changes to accommodate this growth often result in a number of databases and APIs that house and serve data.
Switching gears to this more data-based decision making process increases the insight a business has on its operations, enables detailed reporting (tracking KPIs & SLAs), and allows for repetitive analysis via scripting or machine-learning to be performed without stressing human resources. The caveat of this step forward in insight to the business is the risk of having large sets of proprietary data compromised. This can happen numerous ways, whether through past employees with access to API keys or service accounts, malicious hackers or phishing, but all of this can be hedged by performing a cybersecurity risk assessment.
Step 1: Form a Risk Management Team
You might be a cybersecurity guru, but you are not supreme. It’s important that you form partnerships within the organization to give you better insight when it comes to the risk profile of the organization. Each department utilizes different platforms. You may know a thing or two about the platforms, but working with a team, allows you to easily communicate risk as well as ensure you achieve a holistic analysis.
At the minimum, your team should consist of:
- Manager for every business line to handle the entire data across the enterprise
- Senior management to prove oversight
- Chief information security officer to have a thorough review of the network’s architecture
- Human resource personnel to provide valuable insight into employee personally identifiable information
- Marketing experts to discuss all the data collected and stored
- Product manager to help ensure product security during the development cycle
The risk-based strategy begins with understanding business objectives and aligning them to your security goals. This calls for cross-functional input.
Step 2: Catalog Information Assets
The next step is ensuring that you catalog every information asset. It’s possible that you know how your organization operates, how it collects, transfers, and stores data. But you may have no idea about all the Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), and Software-as-a-Service (SaaS) that other departments utilize.
Moreover, other departments may not realize that their Saas providers are putting their information at risk, considering that such third-party vendors are usually a significant data breach risk. In light of this, you’ll need to ask some questions so that you can understand clearly the different types of data your organization collects, transmits, and stores and any locations involved. These questions include:
- What servers are responsible for receiving, transmitting and storing information?
- What type of information are departments collecting?
- Which databases are used to store information?
- What’s the reason for transmitting the collected information?
- What network is used to transmit the information?
- What’s the physical location of where the information is stored?
- Where are they getting the information from?
- Is there any remote employee accessing the information?
- How do remote employees access the information?
- What devices do employees use?
- What information is accessible to vendors?
- What authentication techniques are used for information access?
Step 3: Assess Risk
The type of information stored is usually different. No single piece is equal. Some information is more critical to an organization than the other. Likewise, not all providers are equally secure. The moment you identify your information assets, the next step is to review the risk that the vendors and actual information pose. As yourself the following questions:
- What software, networks, and systems are essential to the operations of your business?
- What kind of information needs to be confidential, available or maintain integrity?
- What personally identifiable information is collected, transmitted, and stored that requires to be anonymized should encryption fail?
- Are there devices that have the most risk of data loss?
- What’s the probability of data corruption?
- What software, networks, or systems are susceptible to a data breach?
- What’s the level of reputation risks that would come as a result of a data breach?
- How about financial risk as a result of a data breach?
- What risk do your face in your business operation should there be a cybersecurity event?
- Is there a business continuity plan in place that will allow you to bring back your business quickly?
The process of risk assessment includes your information catalog, looking at every potential location that cybercriminals might be interested in. This means that you have to look at every detail of information, including your software, networks, systems, vendors, and devices that pose a risk. And that’s not all. You also have to analyze the impact a data breach could have on the reputation of your business, operations, continuity, and finances.
Step 4: Analyse Risk
Once you know the risks, it’s now time to analyze them. As with information, whereby not all information pieces need to be secured equally, the same case applies to risk. Some risks need to be attended to as an emergency, while others require a strategic way of approaching them. In simple words, no single risk is equal to the other. You need to keep in mind two factors. These are:
- The probability of a cybercriminal accessing your information
- The reputational, operational, and financial impact that a data breach can have on your business
By looking at the likelihood of information access and the effect it can have, you can now have a reasonable risk tolerance level. This means deciding on the next course of action – whether it’s to refuse, mitigate, transfer, or accept the risk.
Think of this example: a database with public information may have just a few controls to secure it, meaning it has a high risk or breach. If a cybercriminal access the information that’s available publicly, the impact would not be much. When it comes to the analysis, it’s possible that you will accept the risk because, even with high probability, there’s still a low impact.
Let’s now look at the other side of the coin. If you have customers’ financial information, the probability of a breach could be low, but if an event occurred, the impact would be high and devastating to your organization – bot reputational and financial. In this case, you will, therefore, consider transferring the risk by finding a provider to help you support your business goals.
Step 5: Define Security Controls
Once you identify the risks you are willing to accept, the next step is defining your security control. These include:
- Vendor risk management program
- Training your workforce
- Implementing multi-factor authentication
- Putting in place password protocols
- Configuring your firewall
- Installing anti-ransomware and anti-malware software
- Implementing in-transit and at-rest encryption
- Network segregation
These might seem like a short list of the controls you should consider, but each one of them gives you a good insight on setting controls. For instance, if you have a number of security controls that will protect your infrastructure adequately, then you will need to make sure that your third-party partners align with them as part of their risk management program.
Step 6: Observe and Assess Effectiveness
As cyber criminals continue to evolve their methodologies, audits that were considered the main review mechanism for IT security for ages have been rendered ineffective. Organizations have to step up and come up with a risk management program that continuously monitors the IT environment for any new threats. Your risk analysis process has to be flexible so that it can adequately adjust to new threats.
Enabling Risk Process
You can use a system that lets you define your priorities so that everyone understands what they are needed to do and when to do it. This helps you to review the outstanding tasks as well as the completed ones more quickly.
Good software will be able to assign tasks to various people in your organizations who are responsible for risk assessment, analysis, and mitigation. Its audit capabilities will also allow you to record remediation activities as proof that you were able to maintain data confidentiality, availability, and integrity as the law requires you.
This article is provided by Reciprocity Labs. Reciprocity Labs aims to help companies with goals that are good for society, such as improving customer privacy or our environment. Their mission: To turn corporate compliance from a cost center into a valuable strategic asset.
Ken Lynch is an enterprise software startup veteran, who has always been fascinated about what drives workers to work and how to make work more engaging. He has propelled Reciprocity’s success with this mission-based goal of engaging employees with the governance, risk, and compliance goals of their company in order to create more socially minded corporate citizens.