Cybersecurity is a real concern, all the more so because businesses, in the interest of staying competitive, are becoming more digitized by the day.
It is because of these strides that businesses have shifted from asking whether they will be hacked to preparing for the attack that will eventually happen.
According to a cyber-security report by Telstra, about 59% of Asian businesses experienced a business-interrupting breach at least once a month. With mobile devices, the Internet of Things and wearables in play, putting the business behind a firewall is no longer enough. Attack tooling that incorporates artificial intelligence is becoming more efficient at finding exploitable weaknesses in systems. Cybercriminals are not simply looking to run a denial-of-service attack and leave; they are after proprietary company secrets, vandalism and even market manipulation. Every business must therefore treat cyber threats as a company-wide problem rather than an IT-department problem, and must find ways to prioritize threats and contain them with minimal impact on the business. The following steps lay out how a business can do that.
Involving the stakeholders
As noted above, businesses tend to leave cybersecurity to the IT department, yet it should be addressed by all stakeholders. Engaging the various stakeholders brings in perspectives that IT alone lacks, so fewer things are overlooked. A survey by Info-Tech Research Group found that threat-identification exercises with stakeholder participation were 79% more likely to identify all threats than those left entirely to IT staff, and another report found that organizations which involved stakeholders in cyber risk assessment were 97% more successful than those that did not. The surveys point the same way: this is not an IT-only exercise.
Identifying the threats
When identifying threats, work through three levels: threat categories, threat scenarios and threat events.
Threat categories
To deal with threats quickly and efficiently, group them by major IT function. Typical categories are:
- Operations risks
- Software risks
- Hardware risks
- Personnel risks
- Vendor risks
- Disaster and business continuity risks
- Data risks
Threat scenarios
Once the threat categories are identified, come up with likely scenarios of how a threat in each category could occur. These scenarios are used to understand the risk better and to draw up an action plan that halts an attack with minimal damage to the organization. For data risks, for instance, the scenarios are theft of data (a confidentiality breach), data becoming unavailable (an availability failure), and data being corrupted or lost (an integrity failure).
Threat events
A threat event is a specific occurrence within a scenario: a particular vulnerability being exploited, or a particular failure happening, under that scenario. Defining events lets the organization plan for the concrete case rather than the abstract one. For example, under the data integrity scenario, one event is "production data has been lost and must be recovered", and the plan describes how the organization will perform that recovery.
Determining the boundaries of acceptable and unacceptable risk
Set a threshold that determines what is an acceptable and what is an unacceptable risk to the business. The threshold should be a concrete dollar value based on the loss the company can absorb and its appetite for risk. For example, a company could set its threshold at $100,000: a cyber threat that costs the business $100,000 or less is deemed acceptable, while one that exceeds $100,000 is unacceptable and must be treated.
Create an assessment scale
To accurately assess the impact of a cyber threat, assign it a corresponding financial consequence. This makes it easier for senior management to make sound decisions about the existing threats. For each threat, map the financial impact onto a scale from low to extreme. The bands must be contiguous so that every loss falls into exactly one band; for instance:
- Losses up to $35k are Scale 1
- Losses above $35k and up to $60k are Scale 2
- Losses above $60k and up to $100k are Scale 3
- Losses above $100k and up to $200k are Scale 4
- Losses above $200k are Scale 5
Project overruns belong in the same financial impact assessment. For instance, a threat whose remediation ties up 8 employees for about 20 days at roughly $300 per employee per day costs the business about $48k (20 × 8 × $300), which lands on Scale 2.
Make a probability scale
Once the threat events have been mapped out, the next step is a probability scale that reflects how likely each event is to occur. The probability scale should have as many levels as the financial impact scale. For instance:
- A probability below 20% falls under Scale 1
- A probability of 20% to 39% falls under Scale 2
- A probability of 40% to 59% falls under Scale 3
- A probability of 60% to 79% falls under Scale 4
- A probability of 80% or more falls under Scale 5
Threat severity level assessment
Assign every threat event a severity level. Severity tells the organization how urgently to respond and how to report the situation. Severity is the financial impact multiplied by the probability of occurrence, which is the expected loss from that event. For instance, a threat event with a financial impact of $200k and a probability of 10% has a severity of $20k (0.10 × $200k). Note that a $200k impact is Scale 4 on its own, so a low-probability but high-impact event should still be tracked even though its expected loss is small.
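The scales above are easy to get wrong in a spreadsheet (gaps between bands, off-by-one errors at the edges, a severity figure that does not match impact × probability). The following Python is an added example, not code from the original article: it implements the impact bands, the probability bands, the $100k threshold and the severity formula as stated, and runs them over a constructed threat register. The threat events, their dollar figures and probabilities are made up for illustration, and comparing the threshold against expected loss rather than raw impact is an assumption.

```python
"""Quantitative threat register built from the scales described above.

Constructed example: the dollar bands, probability bands, $100k threshold and
$300/person/day rate come from the text; the threat events below are made up.
"""
from dataclasses import dataclass

ACCEPTABLE_LOSS_USD = 100_000  # threshold from the text: at or below is acceptable

# Financial impact bands: (inclusive upper bound in USD, scale). Contiguous, so
# every non-negative loss lands in exactly one band; above the last bound is Scale 5.
IMPACT_BANDS = [(35_000, 1), (60_000, 2), (100_000, 3), (200_000, 4)]


def impact_scale(loss_usd: float) -> int:
    """Map a dollar loss to the 1..5 financial impact scale."""
    if loss_usd < 0:
        raise ValueError("loss cannot be negative")
    for upper, scale in IMPACT_BANDS:
        if loss_usd <= upper:
            return scale
    return 5


def probability_scale(p: float) -> int:
    """Map a probability (0.0..1.0) to the 1..5 probability scale."""
    if not 0.0 <= p <= 1.0:
        raise ValueError("probability must be between 0 and 1")
    if p >= 0.8:
        return 5
    if p >= 0.6:
        return 4
    if p >= 0.4:
        return 3
    if p >= 0.2:
        return 2
    return 1


def overrun_cost_usd(days: int, staff: int, daily_rate_per_person: float) -> float:
    """Cost of a remediation overrun: how many people, for how long, at what rate."""
    return days * staff * daily_rate_per_person


@dataclass(frozen=True)
class ThreatEvent:
    name: str
    category: str
    impact_usd: float    # loss if the event occurs
    probability: float   # chance of occurrence in the assessment period

    @property
    def severity_usd(self) -> float:
        """Severity as expected loss: financial impact multiplied by probability."""
        return self.impact_usd * self.probability

    @property
    def severity_score(self) -> int:
        """Ordinal severity (1..25) from the two scales, handy for reporting."""
        return impact_scale(self.impact_usd) * probability_scale(self.probability)

    @property
    def acceptable(self) -> bool:
        """Assumption: the threshold is compared against expected loss (severity)."""
        return self.severity_usd <= ACCEPTABLE_LOSS_USD


def rank_threats(events):
    """Highest expected loss first; ties broken by raw impact so a rare but
    catastrophic event is not buried under a frequent cheap one."""
    return sorted(events, key=lambda e: (e.severity_usd, e.impact_usd), reverse=True)


def build_register():
    """Constructed threat register; every figure here is made up for illustration."""
    return [
        ThreatEvent("ransomware on file server", "Data risks", 180_000, 0.60),
        ThreatEvent("phishing steals admin credentials", "Personnel risks", 60_000, 0.70),
        ThreatEvent("vendor breach exposes customer data", "Vendor risks", 250_000, 0.10),
        # key admin leaves; 8 people for 20 days at $300/day each (the text's overrun figures)
        ThreatEvent("key administrator leaves, project overruns", "Personnel risks",
                    overrun_cost_usd(20, 8, 300), 0.50),
    ]


if __name__ == "__main__":
    for e in rank_threats(build_register()):
        flag = "accept" if e.acceptable else "TREAT"
        print(f"${e.severity_usd:>10,.0f}  score={e.severity_score:>2}  {flag:6}  {e.name}")
```

Running the script prints the register ranked by expected loss, with the ordinal score beside it: the vendor breach ranks third by expected loss but carries a Scale 5 impact, which is exactly the kind of low-probability, high-impact event the dollar figure alone would hide.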
The proximity of the threat
The probability and financial impact of a threat change over time. The relationship between a threat's severity and time is called its proximity. Some threat events are unpredictable, while others stay constant; the risk of losing key personnel, for example, is ever present. The severity of a project overrun after staff layoffs, by contrast, shifts at particular points in time. When gauging the proximity of a threat event, focus on the high and extreme threats.
Proximity and severity are often confused because they serve similar purposes. Proximity tells senior management how urgent a particular threat is and how soon a remedy is needed; severity tells them the criticality or magnitude of each threat. With both in place, an organization is far less likely to be caught unawares by a cyber threat.