10 Considerations for Cyber Security Risk Management

By Michelle Wu

Posted on Aug 19, 2019

Risk management is the process of identifying potential risks, assessing the impact of those risks, and planning how to respond if the risks become reality. It is important for every organization, no matter the size or industry, to develop a cyber security risk management plan.

It is important, however, to know that not all risks, even if identified in advance, can be eliminated. But even in those cases, you can reduce the potential impact. Here are 10 items to consider when planning your organization's cyber security risk management.

1. Build a company culture

The first thing to consider when you are planning your organization's cyber security risk management program is your company's culture. The average cost of a cyberattack now exceeds $1.1 million, and further, 37% of companies attacked see a diminution of their reputation following the attack. This is why you need to establish a cyber security-focused culture throughout the entire organization, from the part-time staff up to the executive suite. 

2. Distribute responsibility 

The burden for maintaining cyber security cannot rest exclusively on the IT or security departments. Every employee in the organization needs to be aware of potential risks and be responsible for preventing security breaches. Your security plans have to take into account not just your hardware and software, but also human factors. According to Verizon's 2018 Data Breach Investigations Report, 93% of all data breaches are caused by phishing.

To guard against these human-related intrusions, employees need the right tools and training to recognize malware, phishing emails, and other social engineering attacks. This is part and parcel of developing an organizational culture of security.

3. Train employees

To implement your cyber security plan, you need to fully train staff at all levels on the identified risks and on the procedures and systems designed to mitigate those risks. Employee training is necessary to spread and encourage a security-aware culture as well as to ensure all employees know how to use the cyber security systems and tools you plan to implement.

4. Share information

Putting cyber security in a silo will result in failure. Information about cyber security risks must be shared across all departments and at all levels. What you're doing related to cyber security must be communicated to all the appropriate stakeholders, especially those involved in your company's decision-making. You need to make it clear to all appropriate parties the potential business impact of relevant cyber risks—and then keep them aware and involved in ongoing activities. 

5. Implement a cyber security framework

It is important to implement the appropriate cyber security framework for your company. This is typically dictated by the standards adopted by your industry. In this regard, the most frequently adopted cyber security frameworks are:

  • PCI DSS
  • ISO 27001/27002
  • CIS Critical Security Controls
  • NIST Framework for Improving Critical Infrastructure Security

6. Prioritize cyber security risks

Remember, you do not have an infinite number of staff or an unlimited budget. Put simply, you cannot protect against all possible cyber risks. Consequently, you need to prioritize risks in terms of both probability and the level of impact, and then prioritize your security preparations accordingly. 

7. Encourage diverse views

Too often cyber security staff and management view risks from a single viewpoint, often based on personal experience or company history. But cyber criminals seldom share this same viewpoint; malicious actors are more likely to think "outside the box" and identify weak points in your system that you haven't seen before or even considered. For this reason, it's useful to encourage team members to consider and argue for different points of view. This sort of diversity in thinking will help you identify more risks and more possible solutions.

8. Emphasize speed

When a security breach or cyberattack occurs, an immediate response is required. The longer it takes to address the threat, the more damage may be done. Studies show that 56% of IT managers take more than 60 minutes to get information about an ongoing cyberattack. But a lot of damage can be done in an hour. 

Speedy reaction must be a part of your security-forward culture. That means you need to develop an early recognition of the potential risks, an immediate identification of the attacks and breaches, and a rapid response to security incidents. When it comes to risk containment, speed is of the essence.

9. Develop a risk assessment process

Risk assessment is an important part of any cyber security risk management plan. You need to: 

  • Identify all your company's digital assets, including all stored data and intellectual property
  • Identify all potential cyber threats, both external (hacking, attacks, ransomware, etc.) and internal (accidental file deletion, data theft, malicious current or former employees, etc.)
  • Identify the impact (financial and otherwise) if any of your assets were to be stolen or damaged
  • Rank the likelihood of each potential risk occurring.
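As an added example (not code from this post or from SecurityScorecard) of how the assessment in item 9 feeds the prioritization in item 6: a small risk register that scores each asset/threat pair as likelihood x impact on 1-5 qualitative scales, ranks the pairs highest first, and picks the subset to fund now. The scale labels, rating bands, `Risk` class and sample register entries are all this example's own assumptions, not a standard's.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed 1-5 scales (assumption: a classic 5x5 likelihood/impact matrix;
# the labels and the rating bands below are this example's choice).
LIKELIHOOD: Dict[str, int] = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT: Dict[str, int] = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
# Rating bands over the product likelihood x impact (1..25), highest floor first.
RATING_BANDS: List[Tuple[int, str]] = [(15, "critical"), (8, "high"), (4, "medium"), (1, "low")]
RATING_ORDER = {"low": 0, "medium": 1, "high": 2, "critical": 3}


@dataclass(frozen=True)
class Risk:
    """One register row: a threat against an asset (the inventory from item 9)."""
    asset: str
    threat: str
    origin: str       # "external" or "internal", the split the post makes
    likelihood: str   # key of LIKELIHOOD
    impact: str       # key of IMPACT

    def __post_init__(self) -> None:
        # Fail loudly on a typo in a qualitative label instead of mis-scoring silently.
        if self.origin not in ("external", "internal"):
            raise ValueError(f"{self.asset}/{self.threat}: origin must be external or internal")
        if self.likelihood not in LIKELIHOOD:
            raise ValueError(f"{self.asset}/{self.threat}: unknown likelihood {self.likelihood!r}")
        if self.impact not in IMPACT:
            raise ValueError(f"{self.asset}/{self.threat}: unknown impact {self.impact!r}")

    def score(self) -> int:
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]


def rating(score: int) -> str:
    """Map a 1..25 score onto the qualitative band it falls in."""
    for floor, label in RATING_BANDS:
        if score >= floor:
            return label
    raise ValueError(f"score out of range: {score}")


def rank_register(register: List[Risk]) -> List[Tuple[int, str, Risk]]:
    """Item 6: order by score, highest first. Ties are broken by impact so a rare but
    severe event is not buried under a frequent nuisance with the same product."""
    return sorted(((r.score(), rating(r.score()), r) for r in register),
                  key=lambda t: (-t[0], -IMPACT[t[2].impact], t[2].asset))


def treat_first(register: List[Risk], min_rating: str = "high") -> List[Risk]:
    """The subset that gets staff and budget now: everything at or above min_rating."""
    floor = RATING_ORDER[min_rating]
    return [r for _, label, r in rank_register(register) if RATING_ORDER[label] >= floor]


def summarize(register: List[Risk]) -> Dict[str, int]:
    """Count of register rows per rating band, for reporting to stakeholders (item 4)."""
    counts = {label: 0 for _, label in RATING_BANDS}
    for _, label, _ in rank_register(register):
        counts[label] += 1
    return counts


# Constructed sample register: hypothetical assets, threats and ratings.
SAMPLE_REGISTER = [
    Risk("customer database", "ransomware", "external", "likely", "severe"),
    Risk("customer database", "accidental table deletion", "internal", "possible", "moderate"),
    Risk("source code repository", "theft by departing employee", "internal", "unlikely", "major"),
    Risk("marketing website", "defacement", "external", "possible", "minor"),
    Risk("guest wifi", "bandwidth abuse", "external", "rare", "negligible"),
]

if __name__ == "__main__":
    for score, label, r in rank_register(SAMPLE_REGISTER):
        print(f"{score:2d} {label:8s} {r.origin:8s} {r.asset}: {r.threat}")
    print("treat first:", [r.threat for r in treat_first(SAMPLE_REGISTER)])
    print("summary:", summarize(SAMPLE_REGISTER))
```

The part worth calibrating for a real organization is the band floors: moving the "high" floor down from 8 to 6 would pull the website defacement into the funded set, which is exactly the budget conversation item 6 describes.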

10. Incident response plan

Finally, you need to develop an incident response plan, focusing on the priority of risks you've previously identified. You need to know what you need to do when a threat is detected—and who needs to do it. This plan should be codified so that even if an incident occurs after you've personally left the company, the team currently in place will have a roadmap for how to respond.

Analyze your company's cyber risks

Managing your organization's cyber security is a constant challenge, as new and ever more sophisticated cyberattacks emerge on an almost daily basis. Many CISOs and security teams turn to SecurityScorecard for help in identifying and mitigating their company's cyber security risk. 

SecurityScorecard instantly finds weaknesses and complicated threats to help protect your business, as well as adds extra security with eyes on the exterior areas of your business. You’ll get the inside view of what a hacker sees so that you can prevent attacks before they can happen.
