Cyber risk management. Identifying the main threats to your company
- When conducting cyber risk assessments, it is very difficult to account for all threats. It is more important to focus on those that can have the most critical impact on core business processes. This requires looking at potential negative scenarios through the lens of impact on the business.
- A business impact analysis can reduce severalfold the number of risks a company has to address in order to maintain cyber resilience.
- We have developed and tested a combined approach to risk management. It allows you to analyze business resilience at the highest level, look deeper into your processes, and address specific vulnerabilities that could harm your company.
Imagine you have a stack of documents in front of you: business agreements, company orders, internal memos. Your time to process them is limited, therefore it makes sense to start with those tasks where any delay could disrupt crucial business processes. For example, without a signed agreement with a courier agency, your customers will not get their orders when expected; if tender papers are not submitted on time, the company will miss out on a lucrative project, and so on. Less significant documents can wait.
The same principle can be applied to cyber risk management: focus on the scenarios that produce critical consequences and avoid spending resources on situations that, while costly, are tolerable.
A conventional approach to cyber risk assessment focuses on the threats that compromise the confidentiality, integrity, or availability of information: from exploitation of vulnerabilities to breaches of security policy. Such assessments show which systems are vulnerable to a particular type of cyberattack, for instance, DDoS or ransomware, and the results are compiled into a detailed report.
The resulting report is bulky: at least 3 threats are analyzed for each asset, with 2–3 exploit scenarios per threat drawing on various vulnerabilities. Even a small company may end up with 2,000–7,000 unique cybersecurity risks that must be addressed. For a large enterprise or a factory with many production lines the figure is higher still, reaching tens of thousands.
The CEO of a company may not be too concerned with the technical issues. Instead, they need to understand the impact of cyberattacks on their business and estimate the possible financial losses.
These effects can be identified and described through a business impact analysis (BIA). As a result, the company receives a qualitative and quantitative assessment of the negative consequences for the business if a dangerous scenario occurs. It also helps clarify risks and gather data to make reasoned decisions.
Our own cyber risk management methodology builds on this idea. It is based on an iterative evaluation:
- Start from the top, using a BIA to determine the negative consequences for the company as a whole.
- Then proceed down to the key products and services—those that bring in the main profits—and determine the consequences of a disruption to their continuity.
- Finally, move on to the business processes and assets that are directly connected to profit generation. This way, we focus on the risks that are critical to specific operations or resources.
Thus, we gradually narrow down the threats to the most dangerous vulnerabilities. This method helps to determine how particular risks can unfold and provides a clear and straightforward picture to further manage the issues.
Our approach combines several recognized standards, which we discuss next.
As our own experience shows, no single existing risk management standard can deal with the impact of negative events on the business. However, it is possible to combine the methods from several standards.
The main family of standards for risk management is ISO 31000
ISO 31000 promotes the iterative approach we discussed above: a gradual dive from the macro level to the lower levels, which is done to simplify risk analysis. This series includes the IEC 31010 standard
There is an ISO/IEC 27005 standard
- Can the company achieve its goals in spite of the incident?
- Would the incident cause damage to the environment and human health?
- What losses would the business incur—financial or reputational impact, loss of market share?
- Does the situation violate legal regulations or contractual obligations?
The situation changes if the BIA method is used in risk assessment, as ISO/IEC 27005:2022 describes.
A BIA allows you to examine the range of possible consequences across all business processes and to decide which risks can be accepted and which need further in-depth exploration. Where the projected damage exceeds the critical thresholds, the company can deliberately allocate a budget to protect itself from those losses.
Business impact analysis is outlined in ISO/TS 22317
A combined approach that incorporates all of these standards will allow the company to look at risk management from a different perspective and get a qualitatively different result.
- The volume of processed information is reduced severalfold. The analysis includes only those threats that can cause significant damage to the business.
- It is easier to manage process continuity. The company can select measures to mitigate those risks that are critical for a particular business operation.
- There are more opportunities for risk management in general. The approach transcends cybersecurity and encompasses the broader context of business processes.
In our experience, the combined approach makes cyber risk assessment about three times faster. In the case of BI.ZONE, an analysis of 5 processes and 400 assets revealed about 4,000 unique risks, which could take up to a month and a half to analyze. Now we only have to focus on half as many assets for these processes, and the number of relevant vulnerabilities and threats has decreased threefold. The overall assessment can now be completed in about two weeks, while the actual workload has decreased fivefold, to 800 risks, without compromising the result. We exclude scenarios that are obviously irrelevant because they cannot cause significant damage to the business and therefore do not require further processing. Only the most significant and unacceptable scenarios are subject to analysis.
Mitigation measures should be implemented first and foremost for risks that can lead to unacceptable consequences for the company. Therefore, the CEO will eventually receive from 5 to 20 business critical risks to consider as priority. Below, we will lay out a step-by-step approach to working out a list of the most dangerous scenarios for the business.
Any standard aligned with ISO 31000 requires that risk management begin with identifying the business context, the external and internal factors that may affect it, and the risks and opportunities associated with those factors.
The context is not just the company’s core business, whether it is sales, construction, or oil production. It is important to consider in what environment and under what conditions that business evolves. A construction company can work from paper blueprints or use the latest CAD systems, build massive production facilities, medium-sized residential houses for real estate developers, or small cottages for private customers. Each such case is a different turnover, a different form of contract, a different level of responsibility, and therefore a different risk.
This stage begins the impact analysis. For each activity type it is necessary to:
- consider its role in the business, identify the main stakeholders
- identify all types of consequences
- determine the possible magnitude and threshold of criticality levels
- develop an impact matrix
Let us assume that the goods vendor has identified three areas of activity: purchasing, sales, and logistics. The last item is a secondary business function that does not generate profit by itself. However, problems with delivery can lead to undesirable consequences, for example, financial: indemnity, lost profits, fines, legal fees and settlements.
As a result, the company receives a high-level assessment of the extent of damage: when negative consequences are in the acceptable green zone, and when they become significant (yellow zone) or unacceptable (red zone). Schematically, the matrix may look like this (the figures are given as an example):

| Impact type | Acceptable (green) | Significant (yellow) | Unacceptable (red) |
|---|---|---|---|
| Financial | Operating losses up to $2,000 | Unforeseen expenses and fines up to $10,000 | Losses exceeding 25% of turnover or capital |
| Reputational | | | |

The reputational thresholds are left blank in the example above; the company sets them in the same way as the financial ones.
Proceeding with the BIA, for each business process you should:
- consider all the major resources that are involved in the process, such as people or information
- analyze possible disruption scenarios
- identify potential consequences and rank them according to the impact matrix
In our article about the BIA, we outline the step-by-step procedure to conduct this analysis.
Let us continue with our pandemic example where a company had to reconfigure business processes and switch to telecommuting. To assess how critical this is, the company needs to do a BIA of all its processes.
It may turn out that one of the processes, such as product development, can be seamlessly transitioned to telecommuting, in which case the damage of such changes would be in the green zone.
Another process, such as production, cannot be made remote. Stopping it will cause serious consequences, up to and including loss of profits and reputation, because the company will not be able to fulfill its contractual obligations on time. Such damage can become significant and even unacceptable. Business impact scenarios of this kind definitely require further analysis.
Following the third iteration, the company will have a large list with scenarios of negative effects across all business processes with links to relevant assets. Since the consequences are ranked on an impact matrix, the company can discard “green” risks and focus on the yellow and red zones or just the red zone, considering the current goals and the number of levels on the scale.
Depending on the asset, causes, and consequence scenarios, some risks will fall within the cybersecurity domain, while others will go beyond it. This determines the method and standards used to deal with them next. The cybersecurity risks, which we are most interested in, are analyzed using ISO/IEC 27005, while, say, quality management (QMS) risks or continuity risks go through IEC 31010 and ISO 22301.
Some risks may affect multiple areas at once, and therefore need to be considered within each area individually.
Let us go back to the vendor company that placed the risk of logistics system downtime in the red zone. The same event can be viewed in three perspectives:
- quality management (a risk of violating contractual obligations)
- business continuity management (a risk of disruption to business operations)
- information security management (a risk of disruptions to the information system accessibility)
Having worked through such a scenario using the three methodologies, the company can find the best way to minimize the damage. Suppose the vendor organizes an alternative delivery method as part of a continuity management system under ISO 22301. If that proves the most effective measure, there is no point in also investing in expensive technical solutions to reduce the same risk in the other areas. The opposite may also be the case: it may make the most sense to treat the risk across all systems by combining the most appropriate measures from different areas.
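The triage described above (ranking each scenario against the impact matrix, discarding the green zone, and routing what remains to the standard that fits its domain) is easy to mechanize once the BIA output is a structured register. The script below is an added illustration for this article, not BI.ZONE's own tooling. Its financial thresholds are the ones in the sample matrix; the reputational scale, the sample company and scenarios, and the domain-to-standard map are constructed assumptions.

```python
"""Triage of BIA scenarios against an impact matrix, then routing by domain.

Added example for this article, not BI.ZONE's own tooling. The financial
thresholds follow the article's sample matrix; the reputational scale, the
sample company and scenarios, and the domain-to-standard map are assumptions.
"""
from dataclasses import dataclass, field

GREEN, YELLOW, RED = "green", "yellow", "red"
ZONE_RANK = {GREEN: 0, YELLOW: 1, RED: 2}

# Domain -> the standard the article says such risks are worked through.
DOMAIN_STANDARD = {
    "ISMS": "ISO/IEC 27005",   # information security risks
    "BCMS": "ISO 22301",       # business continuity risks
    "QMS": "IEC 31010",        # quality management / general risk techniques
}


@dataclass
class Company:
    turnover: float  # annual turnover, basis for the "25% of turnover" threshold


@dataclass
class Scenario:
    name: str
    process: str
    financial_loss: float      # estimated loss in USD
    reputational_level: int    # 0..3, see reputational_zone()
    domains: set = field(default_factory=set)  # subset of DOMAIN_STANDARD keys


def financial_zone(loss: float, company: Company) -> str:
    """Financial row of the sample matrix.

    Acceptable: operating losses up to $2,000.
    Significant: unforeseen expenses and fines up to $10,000.
    Unacceptable: losses exceeding 25% of turnover.
    The article leaves the band between $10,000 and 25% of turnover open;
    here it is treated as significant (assumption).
    """
    if loss > 0.25 * company.turnover:
        return RED
    if loss > 2_000:
        return YELLOW
    return GREEN


def reputational_zone(level: int) -> str:
    """Reputational row. The scale is an assumption: 0 none, 1 isolated
    complaints, 2 public criticism or lost customers, 3 loss of a key
    client or of market share."""
    if level >= 3:
        return RED
    if level == 2:
        return YELLOW
    return GREEN


def scenario_zone(s: Scenario, company: Company) -> str:
    """A scenario is ranked by its worst consequence across impact types."""
    zones = [financial_zone(s.financial_loss, company),
             reputational_zone(s.reputational_level)]
    return max(zones, key=ZONE_RANK.__getitem__)


def triage(scenarios, company: Company, cutoff: str = RED):
    """Keep scenarios at or above the cutoff zone, worst first.
    cutoff=RED keeps only unacceptable ones; cutoff=YELLOW keeps yellow and red."""
    kept = [s for s in scenarios
            if ZONE_RANK[scenario_zone(s, company)] >= ZONE_RANK[cutoff]]
    return sorted(kept, key=lambda s: -ZONE_RANK[scenario_zone(s, company)])


def route(s: Scenario) -> dict:
    """Map each domain a scenario touches to the standard used to analyze it.
    A scenario spanning several domains is worked through each of them."""
    return {d: DOMAIN_STANDARD[d] for d in sorted(s.domains)}


# Constructed sample register for a goods vendor with $4M annual turnover.
COMPANY = Company(turnover=4_000_000)
SCENARIOS = [
    Scenario("Logistics system down for 3 days", "logistics",
             financial_loss=1_200_000, reputational_level=3,
             domains={"QMS", "BCMS", "ISMS"}),
    Scenario("Product development moves to remote work", "development",
             financial_loss=1_500, reputational_level=0, domains={"BCMS"}),
    Scenario("Production line halted for a week", "production",
             financial_loss=600_000, reputational_level=3,
             domains={"QMS", "BCMS"}),
    Scenario("Sales CRM unavailable for 2 hours", "sales",
             financial_loss=5_000, reputational_level=1, domains={"ISMS"}),
]

if __name__ == "__main__":
    for s in triage(SCENARIOS, COMPANY, cutoff=YELLOW):
        print(f"{scenario_zone(s, COMPANY):6} {s.name}: {route(s)}")
```

With the sample register, the remote-work scenario lands in the green zone and is dropped, the logistics and production scenarios are red (the logistics one through both rows of the matrix, the production one through reputation alone), and the CRM outage stays yellow. Changing `cutoff` is how the company chooses between "yellow and red" and "red only", as the article describes; the `route()` output lists every methodology the scenario must be worked through.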
In the final stage, cybersecurity risks defined in terms of business impacts are broken down and detailed using an iterative method. In each iteration, we gradually narrow down the range of plausible cyber risks, descending to the level of specific attack scenarios, then to vulnerabilities, and security events. Thus, it is possible to identify the conditions that can lead to the occurrence of risks posing real damage to the activities and goals of the organization.
In our example with the goods vendor, it is important to proceed further and analyze in detail the risk of impact from logistics system downtime. It is necessary to understand what exact kind of threat could cause a serious supply disruption.
In further iterations, it may turn out that the most relevant threat is the one leading to prolonged system downtime or irrecoverable loss of the database. And this, given the existing vulnerabilities and defenses, may already point to the most dangerous risk scenarios—for example, through targeted attacks or the actions of ransomware.
In this case, the most effective way to limit the damage would likely be to invest in a solution that guarantees full recovery of the logistics system within an hour, rather than in expensive defenses against targeted attacks.
Below is a diagram illustrating the steps:
Analyzing and managing risks is a complex task: the number of risks and related scenarios can amount to tens of thousands. Nevertheless, they should be addressed to ensure business continuity and competitiveness.
Our approach reduces the resources required to conduct risk assessments and increases the cyber maturity of an organization. Risk management changes qualitatively—the company gets more targeted and effective protection from real losses and allocates its security measures correctly.