Barry O’Donnell, Chief Operating Officer, TSG, looks at the need to prioritize evaluating risk levels in your cybersecurity business reports.
Cybersecurity is one of the most pressing issues for businesses; security professionals have identified it as the biggest risk to an organization. Cybersecurity risks come in many forms, but while companies need to protect against all threats, some are more urgent than others.
Prioritizing the levels of risk associated with cybersecurity incidents will help protect businesses from the most pressing threats first. For example, if you have an unsupported operating system (OS) on your PCs, they are very likely to be breached, whereas your up-to-date systems pose less risk. But how can the biggest risks be determined?
Identify potential cybersecurity risks
The first step is to identify the overarching themes of the cybersecurity risks your business faces. We recommend doing this by listing the areas of your business that pose a risk. The main areas include software, hardware, data, vendor, and personnel risks. There is some crossover between these categories, but it’s essential to understand how they can each pose a threat to your business.
Your software could be responsible for compromising your business’ cybersecurity for a few reasons. The most common issue is outdated or unpatched systems, which are vulnerable to cyber-attacks. Software providers continually patch their systems to plug newly discovered security gaps, so it’s critical to apply those patches as quickly as possible. Modern cloud-based applications will automatically update, providing peace of mind.
In a similar vein, outdated hardware can pose a risk to the business. Outdated devices often aren’t compatible with security or software updates, meaning businesses are left with multiple vulnerabilities. Think about new phone releases: the physical technology improves, which allows for advancements in the phone’s functionality. Outdated hardware works the same way in reverse, and the features it cannot support are often the security ones.
Now that GDPR is in force, businesses are required to safeguard any personally identifiable information (PII) they hold. All companies will hold some PII, whether on customers, employees, target customers, or a combination. Data risks cross over with software and hardware risks because, in the modern business world, this data is most likely stored on PCs and in business-critical systems.
One of the most pertinent risks associated with vendors is how those vendors handle a business’s sensitive data. Many organizations use ERP and BMS systems to store their customer data and import it into an email marketing platform. Understanding each provider’s policies and security measures will help you understand the risk associated with them holding your data.
We all know hackers are targeting businesses with more force than ever. But what about your internal security threats? Human error accounts for as much as 95% of all cybersecurity breaches. So, while you need to put measures in place to keep cybercriminals out, you need to look beyond them. Your workforce represents the most significant attack surface in your business. It’s the frontline of your defense. So, if your people aren’t educated on cybersecurity risks, they could unknowingly compromise your business.
Identify potential threat categories
Once the areas of a business likely to experience cybersecurity incidents have been identified, it’s time to look at the threat categories. This can include:
- Data theft (including phishing attacks or stealing data from your systems)
- Data destruction (including ransomware attacks which encrypt data)
- Backdoor attacks (for example, hackers gaining remote access to your systems)
- Accidental data loss (such as an employee losing a USB stick with sensitive data)
Threat categories can then be tied to the cybersecurity risk categories. For example, data theft can come under software, hardware, and personnel risks. Data destruction can relate to hardware and vendor risks because a provider could suffer a cyber-attack.
Identify threat scenarios
Finally, this information should be tied together to predict the threat scenarios likely to hit the business.
An example scenario would be a company with 50% of its PCs still operating on Windows 7. That’s a software risk because Microsoft is no longer providing updates for the outdated operating system, which leaves those machines vulnerable to attack. A hacker can penetrate such a system via a backdoor attack and execute code remotely, and the compromise can then spread across the entire network of PCs. This is an immediate and pressing threat because hackers are already exploiting Windows 7 vulnerabilities, so companies should upgrade those PCs as a matter of urgency.
Similarly, there is a common problem with staff (personnel risk) clicking links in phishing emails (data theft). This problem is so widespread that it should be addressed immediately. One solution is simulated phishing: fake phishing emails, modelled on common and successful spam campaigns, are sent to your staff, and anyone who clicks a link is redirected to training resources.
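The three steps above (risk areas, threat categories, threat scenarios) can be captured in a small risk register that ranks scenarios by urgency. The following is an added example, not code from the article or from TSG: it encodes the article’s five risk areas and four threat categories as a fixed taxonomy, rejects scenarios that fall outside it, and scores each scenario with an assumed likelihood × impact scheme scaled by how much of the estate is exposed, with known in-the-wild exploitation treated as maximum likelihood (the article’s “immediate and pressing” rating). The sample register and its numbers are constructed for illustration.

```python
"""Constructed risk register following the article's steps:
risk area -> threat category -> threat scenario -> prioritized list."""
from dataclasses import dataclass

# The taxonomy the article lays out; anything outside it is rejected.
RISK_AREAS = frozenset({"software", "hardware", "data", "vendor", "personnel"})
THREAT_CATEGORIES = frozenset(
    {"data theft", "data destruction", "backdoor", "accidental data loss"}
)


@dataclass(frozen=True)
class Scenario:
    name: str
    risk_areas: frozenset            # which of the five areas the scenario touches
    threat: str                      # one of THREAT_CATEGORIES
    likelihood: int                  # 1 (rare) .. 5 (expected)
    impact: int                      # 1 (negligible) .. 5 (business-critical)
    exposure: float                  # fraction of the estate affected, 0.0 .. 1.0
    actively_exploited: bool = False  # known in-the-wild exploitation

    def __post_init__(self):
        # Validate against the taxonomy so the register cannot drift.
        unknown = self.risk_areas - RISK_AREAS
        if unknown:
            raise ValueError(f"unknown risk area(s): {sorted(unknown)}")
        if self.threat not in THREAT_CATEGORIES:
            raise ValueError(f"unknown threat category: {self.threat}")
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError("likelihood and impact must be 1..5")
        if not 0.0 <= self.exposure <= 1.0:
            raise ValueError("exposure must be between 0 and 1")

    def score(self) -> float:
        # Assumed scoring scheme (not from the article): likelihood x impact,
        # scaled by exposure; an actively exploited weakness is treated as
        # maximum likelihood, matching the article's "immediate" rating.
        likelihood = 5 if self.actively_exploited else self.likelihood
        return round(likelihood * self.impact * (0.5 + self.exposure), 2)


def prioritize(scenarios):
    """Return scenarios ordered from most to least urgent."""
    return sorted(scenarios, key=lambda s: s.score(), reverse=True)


def by_risk_area(scenarios):
    """Map each risk area to the scenario names that involve it (the cross-over
    between categories the article mentions)."""
    table = {area: [] for area in sorted(RISK_AREAS)}
    for s in scenarios:
        for area in s.risk_areas:
            table[area].append(s.name)
    return table


# Constructed sample register modelled on the article's own scenarios.
SAMPLE_REGISTER = [
    Scenario("Windows 7 on half the PC estate", frozenset({"software"}),
             "backdoor", likelihood=4, impact=5, exposure=0.5,
             actively_exploited=True),
    Scenario("Staff clicking phishing links", frozenset({"personnel", "data"}),
             "data theft", likelihood=5, impact=4, exposure=1.0),
    Scenario("Marketing platform vendor hit by ransomware",
             frozenset({"vendor", "data"}), "data destruction",
             likelihood=2, impact=4, exposure=0.2),
    Scenario("USB stick with customer data lost", frozenset({"personnel", "data"}),
             "accidental data loss", likelihood=3, impact=3, exposure=0.1),
]

if __name__ == "__main__":
    for s in prioritize(SAMPLE_REGISTER):
        print(f"{s.score():6.2f}  {s.threat:<22} {s.name}")
    for area, names in by_risk_area(SAMPLE_REGISTER).items():
        print(f"{area:<10} {names}")
```

Running it ranks the phishing and Windows 7 scenarios far above the vendor and USB ones, which is the point of the exercise: the two scenarios the article calls urgent come out on top, and the `by_risk_area` table shows that “data” is touched by three of the four scenarios, so a fix in that area pays off more than once.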
How to prevent cybersecurity incidents
Carrying out a cybersecurity risk assessment and prioritizing certain areas based on their threat level is the first step in the process. The assessment should be used to determine the methods that will be put in place to bolster security, which can include:
- Modern anti-virus solutions
- Backup and disaster recovery tools
- Updated operating systems and software
- Modern hardware
- Staff training programs
If a business isn’t in the cybersecurity space, it should reach out to companies that are cybersecurity experts. These experts will recommend and implement the best solutions for the organization. Working with a trusted security partner ensures that no critical area needing protection is missed.