As cyber threats keep increasing, reducing cyber risks is becoming more and more costly for businesses around the world. No matter how many tools you or your company are using and how good you think your cyber hygiene is, there’s always room for improvement. It’s hardly a new concept but most CISOs don’t have an infinite budget. Based on an article by Dan Lohrmann, an internationally recognized cybersecurity leader, technologist, keynote speaker, and author – we’ve come up with a few tips on how to reduce cyber risks with minimal resources.
Step 1 – Risk assessment and risk-based security strategy
Risk is a combination of threat, vulnerability, likelihood and impact, along with asset values. Start with a risk assessment to establish the baseline of threats to your organization, then use it to develop a clear risk-value-based risk reduction plan. Ask yourself: how do you think about attacking the problem of reducing risk?
Using an enterprise-wide, holistic, risk-based security strategy can make a huge difference in the way you deal with cyber risk. A "risk-based" approach to cybersecurity focuses on decreasing enterprise risk. To do this, leaders must identify the elements of cyber risk to target and focus on them. More specifically, the many components of cyber risk must be understood and prioritized so that enterprise cybersecurity efforts go where they reduce the most risk.
Step 2 – Planning and disaster recovery
Cybersecurity is a wide capability area with complex technical and business interactions, and it must work in conjunction with other security measures such as physical security, personnel security, contingency planning, disaster recovery, operational security, and data privacy. One of the most severe consequences of an inadequate cybersecurity program is a data breach, where the financial impact can be extensive; it can be expensive both in reputation and in actual costs for a business. That is where a structured, holistic, risk-based strategy provides the best risk value in maximizing business success factors. When using a risk-based strategy, one should assume the attackers are already inside the organization. Furthermore, a well-practiced incident response plan that minimizes damage and strictly controls internal and external incident communications is a must.
Step 3 – Adequate framework
When it comes to cybersecurity, a framework serves as a system of standards, guidelines, and best practices for managing the risks that arise in a digital world. A cybersecurity framework prioritizes a flexible, repeatable and cost-effective approach to promote the protection and resilience of your business. A well-known framework for improving cybersecurity is the National Institute of Standards and Technology (NIST) Cyber Security Framework (CSF) for Improving Cybersecurity. It has five phases: identify, protect, detect, respond and recover. NIST also publishes a small/medium business (SMB) version of this framework and its processes, NISTIR 7621 Rev. 1. An adequate framework should obviously be at the top of any CISO's list when it comes to reducing cyber risks with minimal resources.
Step 4 – Set thresholds
One may wonder, when it comes to cyber risks, what does a “reasonable” posture entail, and who says so?
As mentioned, a risk-based security strategy is a great way to reduce cyber risks. It should include a risk framework the company can align to, an approved set of risk-appetite thresholds, and a clear risk-value-based risk reduction plan derived from them.
Step 5 – The importance of cyber hygiene and awareness training
Vulnerability management and cyber hygiene may seem like common sense to some, yet many companies do not have any kind of employee training. Furthermore, a risk-based approach is effective at minimizing the greatest actual risk to the company because it looks beyond common vulnerabilities and exposures: you work on the top 20 or so risks each week and make measurable progress. In addition, some assets will stand out based on their individual risk scores. Most of the top risks are "known" to leadership at this point (phishing, ransomware, data breaches, etc.), yet how full is their comprehension, especially of the negative business impacts?
Frequently, it is the known risks that do not get fully addressed, such as cyber hygiene, cloud security and more. These risks may be known but not fully addressed because of other operational priorities (building out new capabilities that directly support business productivity, revenue, etc.), and the full impact of the risks is not well understood by most. This risk-versus-operational-needs balance is frequently the reason known risks are not well accounted for.
Risk management is a companywide endeavor that requires a common understanding of the risk value and resource allocation. While we all know that focusing on security basics like cyber hygiene can significantly reduce security incidents, we collectively don’t put enough effort into doing those well.
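To make the ideas in Steps 1, 4 and 5 concrete, here is an added example (not code from the original article or from CnSight) of a small risk register that scores each scenario from the factors named above, picks the weekly top-N work list, flags items above an approved risk-appetite threshold, and aggregates scores per asset so the assets that stand out are visible. The multiplicative 1..5 scoring rule and the register entries are assumptions constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Risk:
    name: str
    asset: str
    asset_value: int    # 1 (low) .. 5 (critical) business value of the asset
    threat: int         # 1..5 threat level against this asset
    vulnerability: int  # 1..5 how exposed the asset currently is
    likelihood: int     # 1..5 chance the scenario occurs in the period
    impact: int         # 1..5 business impact if it does

def risk_score(r: Risk) -> int:
    """Assumed scoring rule: multiply the five factors (range 1..3125)."""
    for v in (r.asset_value, r.threat, r.vulnerability, r.likelihood, r.impact):
        if not 1 <= v <= 5:
            raise ValueError(f"{r.name}: factor {v} outside 1..5")
    return r.asset_value * r.threat * r.vulnerability * r.likelihood * r.impact

def prioritize(risks, top_n=20):
    """Weekly work list: the top_n risks by score, highest first."""
    ranked = sorted(risks, key=risk_score, reverse=True)
    return [(r.name, risk_score(r)) for r in ranked[:top_n]]

def above_appetite(risks, threshold):
    """Risks above the approved risk-appetite threshold: must be treated, not accepted."""
    return [r.name for r in risks if risk_score(r) > threshold]

def asset_scores(risks):
    """Total score per asset, highest first, so standout assets are easy to spot."""
    totals = defaultdict(int)
    for r in risks:
        totals[r.asset] += risk_score(r)
    return dict(sorted(totals.items(), key=lambda kv: kv[1], reverse=True))

REGISTER = [  # constructed sample register, not real data
    Risk("Phishing leading to credential theft", "email", 4, 5, 4, 5, 4),
    Risk("Ransomware on file servers", "file-servers", 5, 5, 3, 3, 5),
    Risk("Unpatched internet-facing VPN", "vpn-gateway", 4, 4, 4, 3, 4),
    Risk("Public cloud storage bucket", "cloud-storage", 3, 3, 3, 2, 4),
    Risk("Stale privileged accounts", "identity", 5, 3, 3, 2, 5),
    Risk("Lost unencrypted laptop", "endpoints", 2, 2, 3, 2, 3),
]

if __name__ == "__main__":
    for name, score in prioritize(REGISTER, top_n=3):
        print(f"{score:5d}  {name}")
    print("Above appetite (threshold 500):", above_appetite(REGISTER, 500))
    print("Per asset:", asset_scores(REGISTER))
```

The threshold value is the piece leadership signs off on; the report in Step 6 can then show how many items sit above it and how that count moves week to week.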
Step 6 – Management reporting
Businesses all over the world are moving towards digitalization and are facing increasingly high cyber risks. Needless to say, cyber security can be a very technical field. So how should cyber professionals handle cyber and risk reporting?
First of all, risk management reporting needs to be periodic, not once a year. CISOs should remember to engage with a few key business stakeholders to see what their information needs are and the style they most relate to. One-page reports seem to be the best way to go, or at most two-page, as executives are used to getting those. Minimize the technical jargon and use an analogy that resonates. Here are a few more tips when it comes to cyber and risk reporting:
- Get to know the members of the Board of Directors
- Banish ultra-technical terms
- Rely on metrics
- Use real-life examples
- Align with your organization’s overall business strategy
- Focus on the important points
- Adopt a risk-based approach
- Make your case with significant and accurate metrics
Step 7 – The right tools – more doesn’t mean better
First, assess your current security capabilities by asking whether you are one of those entities that has 30 to 50 security tools, and whether every one of those tools really provides significant value in improving your cybersecurity performance. Have you quantified your enterprise security risk requirements? CISOs should start by taking advantage of original equipment manufacturer products from vendors like Microsoft, Cisco, etc., which have significantly advanced their feature sets and integrated operations in recent years. Once you have mapped capabilities to products, identify which tools overlap and decide which capabilities can be dropped. This could save your business a lot of money, not only by getting rid of redundant tools, but also the personnel resources needed to maintain and monitor them. Effective use of resources and cybersecurity tools is a major part of minimizing costs. In fact, CnSight offers out-of-the-box and tailored key cybersecurity performance indicators (CPIs) to measure the performance of the tools, policies, and teams responsible for security. Our one-of-a-kind product can help identify and increase the return on investment of your cyber program.
Check out our calculator to see how much you could save by using CnSight.
Step 8 – Cybersecurity insurance
Security incidents can have disastrous consequences, including large financial and reputational damages, for companies of all sizes. This is why cybersecurity insurance is recommended: it relieves the financial burden a cyber attack can place on a business. Insurance companies such as Zeguro have made cybersecurity their specialty. Zeguro's goal is to cover the unexpected costs related to cyber incidents, so you can continue to run your business with minimal impact. They even offer cybersecurity plans that can lower your premiums. According to a study by AdvisorSmith, on average, U.S. organizations pay $1,485 annually for cyber insurance, but several factors can affect the cost. When it comes to cyber attacks, it's not a matter of if, but when. Data breaches are expensive, and cyber insurance can help reduce your financial burden.
On top of these steps, here are a few key tips to keep in mind:
- Don’t underestimate the power of a cybersecurity Education and Awareness Training Program: educating users with regular training courses, emailing notes on security topics, frequent phishing exercises, etc.
- Tightly manage access controls: use multi-factor authentication, strictly control privileged account management.
- Excel at threat and vulnerability management and cyber hygiene overall.
- Partnering with a managed detection and response provider for around-the-clock coverage can be a good option, as it enhances your threat hunting and reduces the alert fatigue of your business's security team.
Reducing cyber risks within an organization is every CISO's mission, but doing it with minimal resources is the ultimate quest, and CnSight can help! CnSight is an automated, lightweight, executive-level dashboard that increases cybersecurity efficiency and reduces organizational risk through continuous KPI visibility. This platform enables security leaders to stay informed of the most important cybersecurity metrics, which provide key insight into performance against established goals and objectives. This proactive management helps security leaders report the status of cyber initiatives to upper management, promote organizational alignment, aid in compliance, understand their risk posture, and ultimately enables CISOs and cyber security teams to do more with less.