LATEST CYBER SECURITY NEWS AND VIEWS

Home > News > Why Failing to Document Risk is a Risky Strategy

Latest news

Why Failing to Document Risk is a Risky Strategy

Posted on

Phil Robinson Explores why Failing to document risk leaves businesses vulnerable to cyber threats and costly consequences.

Understanding risk and its potential impact can help the business prepare for and survive the realization of its worst fears. It’s a pre-emptive measure and can head off threats and provide a way to control those risks continuously. Yet, despite the advantages of documenting risk, a surprisingly small number of businesses are doing it.

According to the UK government’s Cybersecurity Longitudinal Survey, only 30% of businesses have any documentation in place outlining how much cyber risk they are willing to accept (their risk appetite), and only 50% of businesses maintain a risk register (that details the cyber risks they are exposed to). 

Consequently, these businesses are not managing their cyber security posture appropriately because, without identifying and evaluating risk, these organizations cannot effectively invest in and defend their critical assets. In fact, it’s such a concern that the cyber security risk assessment is one of the four areas highlighted for further monitoring in the third wave of the report being carried out this year.

Why Is This Happening?

Those businesses that do document risk do so to meet contractual obligations or the requirements of certifications such as ISO 27001 and tend to have board oversight of their cyber security risk. It’s also a common requirement for those seeking cyber security insurance, of which 61% of businesses now have some form of, states the survey. It’s stipulated in compliance requirements associated with specific sectors, such as the Sarbanes-Oxley Act in US Finance or PCI DSS, to protect payment card data. 

Many may not document their risk because it can be daunting. Documentation is the final stage in the risk assessment process, preceded by scoping, identification, analysis, and evaluation. First, the business will need to decide where to focus the assessment. This is best approached by process or department to make it more manageable and to allow the necessary stakeholders to be involved. 

Once the scope has been decided, risks can be identified, and the likelihood of them being realized is assessed, followed by the potential impact and mitigation. But let’s look at each stage in turn.

Identifying risks may seem straightforward, but it’s not just a matter of inventorying data assets. Also under consideration are business-critical processes that, if subjected to attack, could prevent the business from functioning. Typical components subject to a risk assessment include hardware, software, data sets, services (including cloud / 3rd party services), personal information, business-critical information, and even staff members. Cyber threats and the tactics, techniques, and procedures used to execute them also need to be identified, and their possible outcomes and threat frameworks, such as MITRE ATT&CK, can help here.

Impact and Harm

The next stage is to estimate the likelihood of a risk being realized and its potential impact, i.e., the extent to which it can harm the business. Some use a “Red/Amber/Green” (RAG) system, making it more difficult to communicate risk to the board. It’s important to keep it simple and refer to the risk as low, minor, moderate, high, or severe and give a business context to the impact, such as loss of business/contract, loss of reputation, financial impact, or punitive measures/penalties rather than some obscure numerical value.

In managing risk, the organization should determine a threshold at which risks should be treated, known as the risk appetite. All organizations must take some risks. Otherwise, it would be too difficult to pursue the business objectives. However, the risk appetite for an organization can vary based upon factors such as the industry it operates in and company culture. For those risks that have been identified that exceed the organization’s risk appetite, they should be treated (for example, by applying further controls, changing practices to avoid the risk, or transferring the risk to a third party such as an insurer) such that any remaining residual risk is then at or below the acceptable level. 

All of these elements are then documented in a risk register, which should be reviewed regularly, as well as when disruptive events happen, be that the installation of new technology, a change in the direction of the business, or following a security incident. In this respect, the risk register should be considered a living document. Ownership of risk decisions must also be documented and again reviewed when such events occur in case there is a change to the designated person with responsibility.

Making the Process Easier

Because of the methodical stages involved, risk assessment lends itself well to a framework approach. Established risk methodologies include ISO 27005:2011, Information Security Forum (ISF) IRAM2, NIST (SP800-30), Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE), Octave Allegro, and ISACA COBIT 5 for risk. These can make it easier, but many businesses outsource risk assessment to a third party. Regardless of which is chosen, however, the assessment should always be tailored to the business to ensure it is both relevant and effective.

As onerous as the process may seem, failing to assess, manage, and document risk, as 70% of the businesses in the Longitudinal survey seem to have done, can prove costly in the long term. These businesses are much more exposed because they do not know and understand the risks they face, have made no effort to reduce the risk through controls, and have made no contingency plans in case of a compromise. 

The survey found that 74% of businesses were subjected to a cyber attack during the 12 months before June 2022, with 84% suffering repeat attacks. Almost a quarter (22%) were adversely impacted, losing access to data or services, having accounts compromised, or software, systems, or devices corrupted or damaged. In contrast, a third had to invest in new security controls, and the same number had to devote resources to dealing with such incidents. 

That’s proof, if any were needed, that neglecting to document risk can prove costly in the long run. But documenting risk is also valuable in another respect in that it gives the business oversight and more control over its operations. Having that knowledge can then bring about a better cultural understanding of cybersecurity throughout the business and help inform business decisions so that the process not only helps prevent harm but also helps guide future activity.

This article was originally published on Spiceworks

FILTER RESULTS

Latest tweets

A great conference @BSidesLondon, thanks for having us at #BSidesLDN2024! Looking forward to continuing the relationship next year!

Prism Infosec is proud to be a gold sponsor of @BSidesLondon 2024! Come and visit us on our stand and join in our cyber scavenger hunt! #CyberSecurity #bsides

Sign up to our newsletter

  • Fields marked with an * are mandatory

  • This field is for validation purposes and should be left unchanged.