Posted on Dec 11, 2019
As your company embraces its digital transformation strategy, you’re increasing your reliance on cloud services providers (CSPs). With more vendors accessing your information, you increase the complexity of your information risk management program. A compromised vendor doesn’t even need to be a company with whom you do business. A fourth or fifth party service provider who experiences a data incident can leave your organization’s information vulnerable to malicious actors. Understanding information risk management and how to mitigate these risks can be the first step to protecting yourself and your customers.
Information risk is a calculation based on the likelihood that an unauthorized user will negatively impact the confidentiality, integrity, and availability of data that you collect, transmit, or store. More specifically, you need to review all data assets to ensure:
Information risk management, also called “information security risk management,” consists of the policies, procedures, and technologies that a company uses to mitigate threats from malicious actors and reduce information technology vulnerabilities that negatively impact data confidentiality, integrity, and availability.
Organizations engaging in an information risk management program need to locate information, assess information type, analyze risk, and establish a risk tolerance for each data asset.
Conceptually, identifying the locations where your data resides seems simple enough. Most organizations start with their databases or collaborative applications. However, as more companies embrace cloud-first or cloud-only strategies, data becomes more dispersed.
Organizations no longer solely store data on on-premises servers. Many now use serverless or other cloud-based storage locations such as shared drives. Additionally, many organizations collect data in new ways, such as via customer-facing web portals. New data transmission channels, such as email and messaging services, also change how organizations share information with internal and external stakeholders.
Cloud-based data collection, transmission, and storage locations pose a higher risk of theft because organizations often lack visibility into the effectiveness of their controls. Thus, server hardware in an on-premises location may be a lower risk than a cloud-based server. When engaging in an information risk assessment, you need to identify the myriad of locations and users who “touch” your information.
Not only do you need to know where your data resides, you need to know what data you collect. Not all types of data are created equal. Personally identifiable information (PII) includes data such as name, birth date, Social Security number, or even IP address. Since malicious actors often target PII because they can sell it on the Dark Web, this information is a high-risk asset.
Meanwhile, you also store low-risk information, such as marketing copy. If malicious actors obtain a copy of a blog post, for instance, they can’t sell that online.
Identifying the types of data your organization stores and aligning that to the locations where you store your information act as the basis for your risk analysis.
Now that you’ve reviewed all data assets and classified them, you need to analyze the risk. Each data asset type resides in a particular location. You need to determine how the risk of the asset type and the risk of its location combine to affect the potential for a malicious actor to attack. The best way to do this is to calculate:
Risk Level = Likelihood of a data breach × Financial impact of a data breach
For example, a low-risk data asset, such as marketing copy, may be in a high-risk location, such as a file-sharing tool. However, the financial impact to your company if a malicious actor steals the information is minimal. Thus, this might be categorized as a low or moderate risk.
Meanwhile, a high-risk data asset, such as a consumer medical file, in a moderate-risk location, such as a private cloud, would lead to a large financial impact. Thus, this would almost always be considered a high risk to your organization.
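The following is an added worked example, not part of the original post and not SecurityScorecard's scoring model, that applies the Risk Level formula above to a small data inventory built from the two cases just described. The 1-3 scales, the mapping of location risk to likelihood and of data sensitivity to financial impact, and the category thresholds are all assumptions chosen so the results line up with the article's examples.

```python
# Added illustration of Risk Level = Likelihood x Financial impact applied to
# a small data inventory. The 1-3 scales, the asset/location ratings and the
# category thresholds are assumptions made for this example.

SCALE = {"low": 1, "moderate": 2, "high": 3}

# Constructed inventory: each entry is a data type plus the location where it
# resides, rated the way the article describes them.
INVENTORY = [
    {"asset": "marketing copy", "asset_risk": "low",
     "location": "file-sharing tool", "location_risk": "high"},
    {"asset": "consumer medical file", "asset_risk": "high",
     "location": "private cloud", "location_risk": "moderate"},
]


def likelihood(item):
    """Assumption: the likelihood of a breach is driven by how exposed the
    storage location is (a file-sharing tool is more reachable than a
    private cloud)."""
    return SCALE[item["location_risk"]]


def financial_impact(item):
    """Assumption: financial impact follows the sensitivity of the data
    (medical/PII data is high, marketing copy is low)."""
    return SCALE[item["asset_risk"]]


def risk_level(item):
    """The article's formula: likelihood multiplied by financial impact."""
    return likelihood(item) * financial_impact(item)


def categorize(score):
    """Assumed thresholds on the 1-9 product: <=2 low, 3-4 moderate, >=6 high."""
    if score <= 2:
        return "low"
    if score <= 4:
        return "moderate"
    return "high"


def risk_register(inventory):
    """Score every asset and return the register sorted highest risk first,
    so mitigation effort goes where the product is largest."""
    rows = []
    for item in inventory:
        score = risk_level(item)
        rows.append({**item, "score": score, "category": categorize(score)})
    return sorted(rows, key=lambda row: row["score"], reverse=True)


if __name__ == "__main__":
    for row in risk_register(INVENTORY):
        print(f'{row["asset"]:22} in {row["location"]:18} '
              f'-> {row["score"]} ({row["category"]})')
```

With these assumptions the marketing copy scores 3 (likelihood 3, impact 1) and lands in the moderate band, while the medical file scores 6 (likelihood 2, impact 3) and is rated high, matching the article's reasoning; the point of the register is the ordering, which tells you where to spend mitigation effort first.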
Setting your risk tolerance means deciding whether to accept, transfer, mitigate, or refuse the risk. An example of a control for transferring risk might be purchasing cyber risk liability insurance. An example of a control for mitigating risk might be to put a firewall in place to prevent access to the location where the data resides.
Mitigating controls, such as firewalls or encryption, act as roadblocks for malicious actors. However, even mitigating controls can fail.
Malicious actors never stop evolving their threat methodologies. As companies got better at identifying and protecting against new ransomware strains, malicious actors responded by focusing more on cryptocurrency and phishing. In other words, today’s effective controls might be tomorrow’s weaknesses.
Continuously monitoring your IT environment can detect weaknesses, alert you to them, and help you prioritize your remediation activities.
For example, many organizations struggle with cloud resource configuration. News reports often mention “AWS S3” buckets. These public cloud storage locations are not inherently risky, but a failure to appropriately configure them leaves them open to the public, including attackers. Continuously monitoring your IT environment can help detect misconfigured databases and storage locations to better secure information.
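As an added example (not code from the original post or from SecurityScorecard), the check below shows the kind of logic a continuous-monitoring job runs over storage configuration to surface the misconfiguration described above. It evaluates two constructed bucket records, each holding a public access block configuration and a bucket policy in the standard JSON policy format, and reports when the policy grants access to everyone without the public access block settings neutralizing it. The record shape is an assumption for this example; in practice the values would come from the cloud provider's API.

```python
import json

# Assumed key names of the four public access block settings.
PUBLIC_ACCESS_BLOCK_KEYS = (
    "BlockPublicAcls",
    "IgnorePublicAcls",
    "BlockPublicPolicy",
    "RestrictPublicBuckets",
)

# Constructed sample: two bucket records in a shape assumed for this example.
# The first is open to the world; the second is locked down. The account id
# is a placeholder.
SAMPLE_BUCKETS = [
    {
        "name": "example-marketing-assets",
        "public_access_block": {k: False for k in PUBLIC_ACCESS_BLOCK_KEYS},
        "policy": json.dumps({
            "Version": "2012-10-17",
            "Statement": [{
                "Effect": "Allow",
                "Principal": "*",
                "Action": "s3:GetObject",
                "Resource": "arn:aws:s3:::example-marketing-assets/*",
            }],
        }),
    },
    {
        "name": "example-medical-records",
        "public_access_block": {k: True for k in PUBLIC_ACCESS_BLOCK_KEYS},
        "policy": json.dumps({
            "Version": "2012-10-17",
            "Statement": [{
                "Effect": "Allow",
                "Principal": {"AWS": "arn:aws:iam::123456789012:role/records-app"},
                "Action": ["s3:GetObject", "s3:PutObject"],
                "Resource": "arn:aws:s3:::example-medical-records/*",
            }],
        }),
    },
]


def principal_is_public(principal):
    """True when a statement's Principal matches anyone: the bare "*" form
    or an AWS principal list containing "*"."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        if isinstance(aws, str):
            aws = [aws]
        return "*" in aws
    return False


def public_statements(policy_json):
    """Return Allow statements that grant access to an unrestricted principal
    and carry no Condition block that might narrow the grant."""
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):   # a single statement may be unwrapped
        statements = [statements]
    return [
        s for s in statements
        if s.get("Effect") == "Allow"
        and principal_is_public(s.get("Principal"))
        and not s.get("Condition")
    ]


def assess_bucket(bucket):
    """Produce a list of findings for one bucket record."""
    findings = []
    pab = bucket.get("public_access_block", {})
    missing = [k for k in PUBLIC_ACCESS_BLOCK_KEYS if not pab.get(k)]
    if missing:
        findings.append("public access block incomplete: " + ", ".join(missing))
    exposed = public_statements(bucket.get("policy", "{}"))
    # RestrictPublicBuckets makes an existing public policy ineffective, so a
    # public statement is only reported when that setting is off.
    if exposed and not pab.get("RestrictPublicBuckets"):
        actions = set()
        for s in exposed:
            act = s.get("Action", [])
            actions.update([act] if isinstance(act, str) else act)
        findings.append("bucket policy grants " + ", ".join(sorted(actions)) + " to everyone")
    return findings


def scan(buckets):
    """Map every bucket name to its findings; an empty list means no issue."""
    return {b["name"]: assess_bucket(b) for b in buckets}


if __name__ == "__main__":
    for name, findings in scan(SAMPLE_BUCKETS).items():
        print(name, "->", findings or ["ok"])
```

Run against the samples, the marketing bucket yields two findings (incomplete public access block and a policy granting s3:GetObject to everyone) while the medical-records bucket is clean. Feeding the same logic fresh configuration on a schedule, rather than once at deployment, is what turns it into the continuous monitoring the article recommends.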
Vendor risk mitigation also acts as an important part of your information risk management strategy. While you can impose contractual obligations on your vendors, you may not be able to assert the same obligations against their vendors. As part of your holistic information risk management strategy, you need visibility into the cybersecurity posture across your ecosystem.
For example, if your vendor’s vendor uses a cloud database and stores data as plain text, then your information is at risk. Continuously monitoring your supply stream for encryption, a way to make the data unreadable even if an attacker accesses it, provides visibility into your ecosystem’s cyber health.
As data breaches command more news headlines, legislative bodies and industry standards organizations have released more stringent compliance requirements. Several new laws, such as the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and the New York Stop Hacks and Improve Electronic Data Security (NY SHIELD) Act, require continuous monitoring as part of a compliant cybersecurity program.
To create a compliant information risk management program, you need to be monitoring and documenting your activities to provide assurance to internal and external auditors. As you continuously monitor your IT ecosystem, you need to prioritize remediation actions and document your activities, providing your auditors proof of governance.
SecurityScorecard’s security ratings platform provides continuous insight into the effectiveness of your information risk management program. Our platform collects publicly available information from across the internet and then correlates that information for insight into ten factors, including IP reputation, DNS health, web application security, network security, leaked credentials, hacker chatter, endpoint security, and patching cadence.
Using an easy-to-read A-F grading system, SecurityScorecard’s platform provides at-a-glance visibility into the organization’s holistic cybersecurity posture and drills down to the individual factors. These ratings help organizations view their strengths and their weaknesses so that they can prioritize their information risk management strategies.
SecurityScorecard also includes capabilities for third-party monitoring to help manage supply stream information risk more effectively. The platform incorporates portfolio creation so that you can review vendor risk by individual vendor, cohort, or industry. These capabilities alert you to potential risks so that you can communicate with vendors to better secure your information.