Be proactive: 3 risk management steps to take before a cyberattack

Risk management is more than recovery from a cyberattack. Learn how risk management can help your company discover gaps in security, as well as how to handle the fallout from a cybersecurity event.

Financial risk assessment / portfolio risk management and protection concept : Businessman holds a white umbrella, protects a dollar bag on basic balance scale, defends money from being cheat or fraud

Image: William_Potter, Getty Images/iStockphoto

Pundits are pushing risk management as the way to go when it comes to maintaining cybersecurity. At first glance, that might be construed as giving up on current technology, but that's not the whole picture. 

Risk management is a way to have everything humanly possible in place to lessen the fallout from a cybersecurity event, and that is a good thing. Another equally important function of risk management is that it can be considered a proactive methodology used to identify risks in an organization's cybersecurity framework. 

Business owners and managers have very different mindsets than cybercriminals. Sufficient margins and cutting costs fill leaders' days. Cybercriminals are much more focused--they're simply looking for ways to make money illegally, whether by stealing lucrative data and selling it, or extorting ransom money from a business by encrypting important digital files. When neither party considers the other, bad things usually happen.

SEE: Checklist: Security Risk Assessment (TechRepublic Premium)

The EconoTimes article "Using Risk Management to Identify Gaps in Cybersecurity" defines risk management as a proactive mindset intent on making it more difficult for cybercriminals:

"Risk assessment allows the security team to identify threats and risks. This enables them to close any gaps and give proper security to sensitive data. The evaluation also addresses compliance and regulatory requirements for PCI DSS as well as HIPAA."

Automated scanning software

Most companies are running lean financially and having a third-party vendor perform a risk-management assessment is expensive and limited in scope, according to the article. The article's author suggests: "Companies may choose to perform risk assessments internally. SaaS platforms have made this possible by offering automated testing, reports, and monitoring. One of the best approaches to risk management is the use of automated-scanning software."

This type of software offers the following:

  • Scanning tools able to detect risk in the company's network, hardware, and databases;

  • breach- and attack-simulation tools; and

  • vulnerability-assessment platforms.

From the article: "The tools will then report the issues discovered and offer suggestions on how to combat them." The author added that when choosing a risk-assessment tool, it is important to consider how often the tool is updated, how easy it is to act on the results, and how well the tool interacts with other cybersecurity tools.

SEE: Identity theft protection policy (TechRepublic Premium)

All departments should be involved

The only way risk assessment is going to work is if all departments are involved, as well as key management players. 

"Although this process can be time-consuming, do not skip it," the author of the EconoTimes article wrote, adding that particular attention should be paid to departments dealing directly with consumer and company data. 

The whole point of this type of risk management is to proactively identify cybersecurity risks and remove the risk if possible; if that's not possible, develop responses that will reduce the impact if a cyberattack does occur. On how to accomplish this, here are tips from the EconoTimes article.

Develop a culture: Businesses are not in the habit of thinking cyber-securely, and that has to change, she said. In particular, all employees must buy into an organization's security culture.

Educate employees: The article's author says cybersecurity is not just the responsibility of the IT department: All personnel need to recognize when an attack is occurring and know their roles in mitigating the damage. The author takes it a step further and believes it is vital that every employee understand that a serious cyberattack could mean loss of employment if the company has to close its doors. From the EconoTimes article: "Communicate your plans on risk mitigation to all stakeholders, and keep them involved."

Create a cybersecurity framework: The National Institute of Standards and Testing (NIST) describes a cybersecurity framework as, "Voluntary guidance, based on existing standards, guidelines, and practices for organizations to better manage and reduce cybersecurity risk. In addition to helping organizations manage and reduce risks, it was designed to foster risk and cybersecurity management communications among both internal and external organizational stakeholders."

The author's article states the right cybersecurity framework is important. From the article: "Your standards will dictate the right framework. Most companies adopt PCC DSS, CIS Critical Security Controls, and ISO 27001/27002."

As part of that framework, each company should create a risk-assessment matrix, including quantitative and qualitative risk reviews. "The assessment should give you a detailed analysis and highlight the risks likely to occur," says the EconoTimes article's author, who suggests internal as well as external stakeholders be involved in the reviews.

Mitigate cybersecurity risks

The EconoTimes article makes a good argument that risk management is more than how to recover from a cybersecurity event--it's also a way to proactively reduce the risk of becoming a cyber victim. The more you know about your company's risks, the more likely you are to mitigate them. 

Also see