When a large company develops a cyber security strategy and plan, there are various approaches to take. Some enterprises opt for a compliance-based approach where they tick the boxes of government regulations, data protection and international conventions. While this may work for some companies, it leaves critical gaps in the strategy and implementation of cyber security. A risk-based approach is more suitable.
This is a systematic method that identifies, evaluates and prioritises the various cyber threats that the enterprise may face. It allows for a well-structured strategy that leaves no gaps and gives IT teams a better overview of their security posture. A risk-based approach will also ensure that the enterprise’s security needs are met and that all vulnerabilities are taken care of.
Three main steps to a risk-based approach
This is a phased approach that covers three main areas:
- Conduct a risk assessment
An in-depth risk assessment will enable the company to accurately identify the possible cyber threats and risks that it faces. Technical and non-technical factors should be considered, such as digital systems, networks, software, apps, data, hardware, assets and even employees. This is the first step in creating business continuity and disaster recovery plans too.
It is both a quantitative and qualitative process that will identify vulnerabilities in systems, as well as regulatory requirements to which the company will need to comply. Senior management will then be able to understand these risks and start to think about what software and security systems the company may need.
- Quantify the potential value of the damage
Once the IT team knows what risks they may face, they can begin to assign potential monetary values to these risks. If the company network is hacked, what could this cost? If customer information and private data are leaked, what would the potential payout be? This process reveals how the company would be impacted financially if any cyber threat became a reality.
- Assess the likelihood of these threats
Lastly, company leaders need to evaluate the chances of each threat actually happening. IT teams can identify which cyber threats are currently on the rise and how many competitors or enterprises in the same industry have been affected by various attacks in the last year or two.
Once the leadership understands the likelihood of risks and threats, they can prioritise the most important ones first. Address the biggest risks immediately and then worry about the smaller ones afterwards. By now, IT teams should have a good understanding of what software, security apps and hardware are needed to minimise these risks.
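The three steps above (identify the risks, attach a monetary value to each, estimate how likely each is, then rank them) can be captured in a small risk register. The following Python is an added worked example written for this article; it is not code from the original page or from 4C Group. The risk names, loss figures, likelihood bands and their annual-rate mapping are all constructed assumptions for illustration, and the annualised loss expectancy (single loss expectancy multiplied by annual rate of occurrence) is a standard way of combining the "value of damage" and "likelihood" steps into one number that leadership can sort on.

```python
"""Risk register: impact x likelihood, then prioritise (added example, constructed data)."""
from dataclasses import dataclass, field

# Assumed mapping from a qualitative likelihood band to an expected number of
# occurrences per year. The bands and rates are illustrative, not an industry standard.
LIKELIHOOD_BANDS = {
    "rare": 0.05,
    "unlikely": 0.2,
    "possible": 0.5,
    "likely": 1.0,
    "almost_certain": 3.0,
}


@dataclass
class Risk:
    name: str
    asset: str
    single_loss_expectancy: float   # estimated cost of one occurrence, in currency units
    likelihood: str                 # one of the LIKELIHOOD_BANDS keys
    candidate_controls: list = field(default_factory=list)

    @property
    def annual_rate(self) -> float:
        return LIKELIHOOD_BANDS[self.likelihood]

    @property
    def annualised_loss_expectancy(self) -> float:
        # Step 2 (value of damage) multiplied by step 3 (likelihood).
        return self.single_loss_expectancy * self.annual_rate


def prioritise(risks):
    """Return the register ordered from largest to smallest expected annual loss."""
    return sorted(risks, key=lambda r: r.annualised_loss_expectancy, reverse=True)


def risk_tier(ale: float, high: float = 500_000, medium: float = 50_000) -> str:
    """Bucket an annualised loss into the tiers leadership will act on first.
    The thresholds are assumed values for this example."""
    if ale >= high:
        return "high"
    if ale >= medium:
        return "medium"
    return "low"


def control_net_benefit(risk: Risk, residual_sle: float, residual_likelihood: str,
                        annual_control_cost: float) -> float:
    """Expected annual saving from a control: current loss minus residual loss minus
    what the control costs to run. A negative result means the control is not worth it
    on these numbers alone."""
    residual_ale = residual_sle * LIKELIHOOD_BANDS[residual_likelihood]
    return risk.annualised_loss_expectancy - residual_ale - annual_control_cost


def build_register():
    """Constructed sample register; every figure here is made up for illustration."""
    return [
        Risk("Ransomware on file servers", "file servers", 2_000_000, "possible",
             ["offline backups", "endpoint detection"]),
        Risk("Customer data leak", "CRM database", 1_500_000, "unlikely",
             ["encryption at rest", "access reviews"]),
        Risk("Phishing credential theft", "staff accounts", 50_000, "almost_certain",
             ["MFA", "awareness training"]),
        Risk("Unpatched public web app", "customer portal", 400_000, "likely",
             ["vulnerability management", "WAF"]),
        Risk("Stolen laptop", "staff laptops", 20_000, "likely",
             ["full-disk encryption"]),
    ]


def report(risks) -> str:
    """Plain-text summary in priority order, suitable for a leadership briefing."""
    lines = [f"{'Risk':32} {'Tier':7} {'Expected annual loss':>20}"]
    for r in prioritise(risks):
        ale = r.annualised_loss_expectancy
        lines.append(f"{r.name:32} {risk_tier(ale):7} {ale:>20,.0f}")
    return "\n".join(lines)


if __name__ == "__main__":
    register = build_register()
    print(report(register))
    # Worked decision for the top risk: offline backups assumed to cut the loss per
    # incident to 400,000 without changing likelihood, at an assumed 120,000 per year.
    top = prioritise(register)[0]
    print(f"\nNet benefit of offline backups for '{top.name}': "
          f"{control_net_benefit(top, 400_000, 'possible', 120_000):,.0f}")
```

The ranking is the useful output: a high-impact but rare event and a cheap but near-certain one land in sensible positions relative to each other, which is what a compliance checklist alone cannot tell you. The control calculation is where "what software and hardware are needed" gets answered with numbers rather than instinct.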
Next steps for improved cyber security
Once the risk-based approach is complete, the job is not done. When the company’s security controls have been implemented, they need to be tested and monitored. This will guarantee that they are working as intended. IT teams can perform penetration tests, vulnerability management tests, business continuity exercises and compliance control tests.
This will ensure confidence in the strategy and prove whether the software and hardware are working effectively. Testing should be conducted periodically, depending on the likelihood of threats taking place. This could be once a month or once a year. IT teams should document these tests and the results thereof so that leadership can rest assured that regular testing was performed.
In addition, the risk assessment should be repeated at least once a year to see whether any new threats now pose a risk to the business. This annual review is also the point at which newly passed cybersecurity laws and regulations are picked up, so that the enterprise remains compliant.
These security systems need to be monitored continuously too. Many solutions have autonomous monitoring and alerting, but the IT team still needs to maintain oversight. A risk-based approach will ensure that the initial steps are covered and that the foundations are solid, but the IT team must continue to watch over the steps put in place.
At 4C Group of Companies, we strive to effect operational changes and cost savings for customers through our iNSight product and associated services. This product’s main function is to re-purpose and deliver business-critical information to a variety of systems and stakeholders.
We specialise in information assurance, business assurance, FinTech solutions and a variety of business systems. For more insights into our products and services, check out our blog page or follow us on Facebook, LinkedIn and Twitter.