By Phil Robinson, Principal Security Consultant at Prism Infosec
The risks facing the business are the ways in which its data, resources and working practices could be adversely affected, impairing its ability to maintain normal operations. Managing risk allows the security team to dedicate sufficient resource to monitoring and mitigating these risks, where appropriate. However, a one-size-fits-all approach does not work, as there are many variables to consider, including the types of threat that the organisation may be exposed to and the type and severity of risk that a business may choose to tolerate. These factors will vary from one enterprise to another as well as across different sectors.
It is for this reason that profiling and documenting risk as part of a cyber security strategy should include five documents: a Business Continuity Plan covering cyber security, a critical asset register, documentation of the organisation’s IT estate and vulnerabilities, a risk register that covers cyber security, and documentation of the risk appetite. Yet the majority of UK businesses have only one of these in place, according to the second wave of the UK government’s Cybersecurity Longitudinal Survey, and even among very large businesses only a quarter have all five.
Failing to formally record risk
Only 30% of organisations have any documentation in place outlining how much cyber risk they are willing to accept (their risk appetite), and only 50% of businesses maintain a risk register detailing the cyber risks they are exposed to. If an organisation cannot effectively identify and evaluate risk, the danger is that it will not focus its attention and investment on the steps needed to defend its critical assets and their associated priorities.
These results are noticeably at odds with the practical measures that businesses have taken to identify security risks. The survey shows that 65% have conducted a risk assessment, 61% have used tools designed for security monitoring and exactly half have carried out a security vulnerability audit. This reveals a disconnect between the perceived value of documenting risk and that of deploying processes and controls.
The more recent Cyber Security Breaches Survey 2023 found less positive results: 51% of businesses actively identify cyber security risks by monitoring, conducting audits and risk assessments, or running technical tests on systems, networks and applications. Just over half of medium and large businesses had a cyber security strategy in place, with some motivated to do so by perceived reputational risk, although other drivers included pressure from management, audit recommendations, M&A activity or the need to align with privacy regulations.
The importance of risk in relation to policy
Controlling risk, as we have touched upon, will in part come down to a cyber security policy that identifies the processes and procedures to be followed to ensure business continuity. But here, too, there was little evidence of formal documentation. The Breaches Survey found that only 29% of businesses had formal policies for governing cyber security risks, although that rose to 63% of medium businesses and 79% of large businesses.
It is interesting to note that the report also looked at what is covered in those security policies, and that some risks, namely the use of personally owned devices, seem to have been quietly dropped – only 50% of businesses now detail the use of BYOD for business activities, because it has become such a mainstream practice. In reality, that ubiquity should make applying appropriate security controls to the use of personal devices a priority. Top of the list of areas covered in security policies is how data is to be handled and stored (77%), followed by acceptable use of the IT devices belonging to the organisation (74%) and policies governing remote or mobile working (64%).
So, what needs to happen to encourage practical risk management and to translate it into effective documentation? A risk management framework, such as those published by the National Institute of Standards and Technology (NIST), can provide an excellent basis and has the added bonus of allowing the organisation to determine the level of cyber maturity it has reached. By drawing a line in the sand in this way, it becomes possible to determine where improvements are needed and to document progress, which is invaluable in providing assurance to customers and partners as well as to regulators and cyber insurance providers. There are also standards that incorporate risk assessment and management, such as the ISO 27000 series: notably ISO 27004, which can help organisations evaluate the performance and effectiveness of an information security management system, and ISO 27005, which describes how to implement an effective risk management approach.
Putting risk at the top of the agenda
With many businesses already doing the necessary practical legwork, it makes sense to derive the full benefit from both the initial risk identification and its regular monitoring by documenting them: not just to satisfy management or meet compliance regulations, but as an end in itself that recognises the importance of security within the culture of the business. For that to happen, we need more leadership from the top, with the board actively expecting this information to be available, certainly in an executive summary. As noted in the Longitudinal Survey, board-level engagement remains low, and we need leadership to push the importance of a cyber security strategy and its value to the business.
Simply expecting this to happen organically is a mistake. The Breaches Survey found that 29% of businesses reported taking no action after the most disruptive breach they had suffered over the past 12 months, and only 13% then made changes to their governance processes, such as updates to policies or documentation. This is in spite of the fact that these breaches had substantial impacts, such as monopolising staff time (23%), triggering the need to introduce new measures to prevent future attacks (21%) or stopping staff from working (11%), not to mention loss of revenue, customer complaints and reputational damage. For governance processes to improve, we will therefore need more effective governance and leadership from the very top.