How to Conduct Cybersecurity Risk Assessments for Enterprise Risk Management

Many factors determine how much organizations spend on cybersecurity. Some industries, such as healthcare and manufacturing, are favorite targets for cybercriminals and require more robust security. Financial services and payment systems have stringent compliance requirements that can increase cybersecurity spending. Whatever the industry, cybersecurity costs will continue to rise as long as there's cybercrime.

Size doesn't matter. According to Verizon, 43% of successful breaches occurred at smaller businesses. Whether an enterprise has fewer than 100 employees or more than 10,000, it is estimated that companies will spend 50% of their IT budget on security by 2020, for a total of over $150 million. Expenditures are expected to grow between 7% and 8% per year through 2026. For larger enterprises, cybersecurity costs could exceed $1 million per year.

Significant investments in cybersecurity should translate into fewer successful attacks, but that is not always the case. Companies often authorize spending without understanding the true risks. Before spending 50% of their IT budgets, organizations should conduct an enterprise-wide risk assessment to ensure they are doing all they can to mitigate risk.

What is Enterprise Risk Management?

The Committee of Sponsoring Organizations (COSO) defines enterprise risk management (ERM) as the culture, capabilities and practices integrated with strategy-setting and performance that organizations rely on to manage risk in creating, preserving, and realizing value. It involves:

  • Setting a business strategy for the enterprise
  • Identifying potential risks that will impact the enterprise
  • Defining processes to mitigate risk across the enterprise
  • Managing risk to achieve the business objectives of the enterprise

ERM is a layer of business planning that evaluates the potential risks that might impact the outcome of a business strategy.

What are the Benefits?

Being prepared for the unexpected is one of the best ways to protect a business's value. It is much easier to implement an existing plan than to create one in the middle of a crisis. That's one benefit of a properly conducted ERM. Other benefits include:

  • Identifying more opportunities by considering potential risks
  • Increasing positive outcomes while mitigating surprises
  • Enabling proactive instead of reactive responses to risk
  • Managing enterprise-wide risks
  • Maintaining consistent performance
  • Improving resource allocation
  • Communicating risk management

An ERM contributes to better decisions because it consolidates information related to strategies for easier consumption by decision-makers. Every aspect of the enterprise is evaluated to mitigate risk. One component of any ERM should be a Cybersecurity Risk Assessment. Without a careful analysis of an organization's technology footprint, an enterprise may fail to address a potential security risk.

What is Cybersecurity Risk Assessment?

By assessing cybersecurity risks, an enterprise can identify, prioritize, manage and mitigate the risks to its business value that result from a cyberattack. A cybersecurity assessment informs decision-makers of potential risks and identifies responses that can minimize the consequences of a security breach. But this is not the only benefit a cybersecurity risk assessment provides.

What are the Benefits?

As the dependency on technology grows, so does the risk. When a company's technology consisted of a few desktop computers cabled together to form a local area network, the risk of a breach was relatively low. Today, businesses have multiple devices, including phones, tablets or sensors connected to a network that exchanges information with the cloud over an internet connection. Each device on the system represents a possible access point, and communicating over a public network such as the internet poses a myriad of risks. Here are just a few of the benefits of a cybersecurity risk assessment.

  • Reduce costs. Identifying vulnerabilities enables an organization to mitigate risks, reducing the costs associated with a security incident or data breach.
  • Establish a process. Assessments must be ongoing. Creating a template for risk assessments means less time is required to perform subsequent assessments.
  • Understand risk. A thorough assessment helps decision-makers understand the risk associated with enterprise-wide technologies.
  • Mitigate security incidents. Knowing where cyberattacks are most likely to occur means strengthening those areas before an attack.
  • Minimize regulatory issues. Assessment can ensure compliance with applicable regulatory guidelines such as HIPAA, PCI DSS, or the EU's GDPR.
  • Limit downtime. Identifying mission-critical applications for evaluation can reduce possible downtime for internal and external users.
  • Protect Assets. Enterprises have information assets such as intellectual property, research or patents that need protection from loss.

These are just some ways a cybersecurity risk assessment can support the more extensive enterprise-wide risk assessment.

Where to Begin?

Cybersecurity risk assessments should not occur in a vacuum. They need to address how the assessment relates to the ERM in terms of business strategies. Here are the main steps for conducting a risk assessment.

  1. Characterize system boundaries, criticality and sensitivity based on:
     • Hardware
     • Software
     • Interfaces and integrations
     • People
     • Mission
     • System and data criticality
     • System and data sensitivity
  2. Gap assessment: identify vulnerabilities in organizational systems based on:
     • Industry standards (NIST, ISO, CIS)
     • Security violations
     • External intel
  3. Identify current controls and classify each as:
     • Done in practice
     • Formalized and repeatable
     • Non-existent
  4. Risk analysis: determine the overall likelihood that a vulnerability will be exploited, based on:
     • Threat-source motivation and capability
     • Existence and effectiveness of controls
     • All other factors
  5. Determine the impact if an event occurs:
     • Financial
     • Operational
     • Reputational
  6. Control recommendations: recommend controls to reduce risk to an acceptable level, based on:
     • Cost-benefit analysis
     • Feasibility
     • Legislation and regulation
     • Organizational policy
     • Operational impact
     • Safety and reliability
  7. Produce a management-level report that helps senior leadership make decisions on budget, process and control recommendations.
  8. Mitigate risks: companies can use the assessment as a guide for mitigating priority risks and for monitoring the effectiveness of those mitigations.
  9. Re-assess risk: risks change, so a risk assessment is an ongoing process of monitoring and re-evaluating risks on a consistent basis to ensure that the enterprise stays protected.
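A small worked risk register, added here as an illustration (it is not part of the original article or any GreyCastle tool), that carries steps 3 through 6 above through code: control maturity feeds likelihood, the three impact dimensions feed impact, risks are ranked, and a proposed control is judged on residual risk and cost-benefit. The 1-5 scales, the maturity weights, the acceptable-risk threshold and the sample entries are all assumptions.

```python
# Added illustration of steps 3-6 of the risk assessment procedure.
# Scales (1-5), maturity weights and the sample register are assumptions,
# not a published standard; substitute your organization's own scales.

# Step 3: how much an existing control, by maturity, reduces likelihood.
CONTROL_MATURITY = {
    "non-existent": 1.0,
    "done in practice": 0.5,
    "formalized and repeatable": 0.25,
}

def likelihood(motivation, capability, control_state):
    """Step 4: likelihood (1-5) from threat-source motivation and
    capability (1-5 each), discounted by current control maturity."""
    raw = (motivation + capability) / 2
    return max(1.0, min(5.0, raw * CONTROL_MATURITY[control_state]))

def impact(financial, operational, reputational):
    """Step 5: worst case across the financial, operational and
    reputational dimensions (1-5 each)."""
    return max(financial, operational, reputational)

def risk_score(item):
    """Likelihood x impact for one register entry."""
    lik = likelihood(item["motivation"], item["capability"], item["control_state"])
    return round(lik * impact(*item["impact"]), 1)

def rank_risks(register):
    """Order the register from highest to lowest risk score."""
    return sorted(register, key=risk_score, reverse=True)

def recommend_control(item, new_state, annual_cost, acceptable=6.0):
    """Step 6: residual risk after a proposed control, whether it reaches
    the acceptable level, and risk reduced per unit of annual cost."""
    before = risk_score(item)
    after = risk_score({**item, "control_state": new_state})
    return {
        "residual": after,
        "acceptable": after <= acceptable,
        "reduction_per_cost": round((before - after) / annual_cost, 5),
    }

# Constructed sample register (step 1 fields reduced to what scoring needs).
REGISTER = [
    {"asset": "patient records DB", "motivation": 5, "capability": 5,
     "control_state": "done in practice", "impact": (4, 3, 5)},
    {"asset": "marketing website", "motivation": 3, "capability": 3,
     "control_state": "formalized and repeatable", "impact": (2, 2, 3)},
    {"asset": "plant-floor PLC gateway", "motivation": 4, "capability": 4,
     "control_state": "non-existent", "impact": (4, 5, 3)},
]
```

Running `rank_risks(REGISTER)` puts the uncontrolled PLC gateway first; `recommend_control` then shows that formalizing its controls brings residual risk under the assumed threshold while merely practicing them does not.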

Conducting a cybersecurity risk assessment as part of an enterprise risk management effort is essential to the long-term viability of an organization. It is a way to ensure you are doing enough of the right things in the right order to mitigate risk. Contact us to discuss how to start assessing your cybersecurity risks.

WEBINAR

DOS AND DON'TS: PERFORMING EFFECTIVE RISK MANAGEMENT

GreyCastle Security will cover the standards for risk assessment that work for almost all regulatory and compliance requirements.