Cyber Risk Management is the next evolution in enterprise technology risk and security for organisations that increasingly rely on digital processes to run their business. Cyber risk management has become a business issue, not just a technology issue. Cyber Risk Management enables business executives and their organisations to understand the cyber risk profile of their digital operations from a business perspective.
Why risk management matters
Risk management exists to help us to create plans for the future in a deliberate, responsible and ethical manner. This requires risk managers to explore what could go right or wrong in an organisation, a project or a service, and recognising that we can never fully know the future as we try to improve our prospects. Risk management is about analysing our options and their future consequences, and presenting that information in an understandable, usable form to improve decision making.
Risk can’t be abolished
The starting point of risk management is an acceptance that risk can’t simply be abolished. Risk must be recognised and then managed in some way or other (classically to either avoid, reduce, transfer or retain). This can be easier said than done, particularly when confronted with a demand to ‘abolish risk’, as if that were an easy and simple option.
Risk Management often requires a relationship between people who analyse risks and people who make decisions based on that analysis. Communication between these two groups must be clear, understandable and useful. If the people who make decisions can’t interpret the analysis they’re presented with, then there is little point in doing risk analysis at all.
Start with a cyber risk management and security baseline
If you can afford to do nothing else, SMEs should adopt a recognised baseline of security controls. This approach doesn’t require any risk analysis at all; it’s just about applying some basic security controls and demonstrating that your organisation takes cyber security seriously. Make sure the security baseline you chose takes into account any laws and regulations your organisations must comply with.
All organisations face risks, no matter the size
Many cyber attacks use indiscriminate scatter-gun approaches to targeting victims. If you’re an SME or sole trader, you’re just as likely to be a victim of these scatter-gun attacks as a large organisation. Attackers may not know or care who you are until they get a foothold in your organisation.
Understand what you care about, and why
Cyber security is as much about knowing how your organisation functions as it is about technology. Think about what people, information, technologies and business processes are critical to your organisation. What would happen if you no longer had access to them, or if you no longer had control over them? For example, your organisation might be able to function reasonably well for a few days without email, but loss of a Customer Relationship Management service might prevent essential day-to-day tasks being completed. Equally, some information such as personal data must remain private, but other types of information could be released without any disruption. This basic understanding of what you care about, and why it’s important, should help you to prioritise where to protect your organisation most.
Think about situations in which you could be compromised
The ability to visualise the future consequences of your decisions, some of which cannot be easily predicted, is essential to risk management. You can’t explore every scenario in which you could be compromised, but you shouldn’t let that put you off. It might seem natural to start with a decision you’ve taken, such as adopting a particular password policy in your organisation, and to work forwards from there to explore the consequences. However, it can be more useful to start with an outcome that you want to avoid, and then work backwards.
Accept some risk
When you’ve made a business decision, such as deploying some new technology in your organisation you will have to accept some possibility that it could be attacked, subverted, destroyed or otherwise messed with. We all experience risk because the future is uncertain, and cyber risk is no different.
Balance cyber risks against other types of risk
Some security measures can reduce one type of risk, whilst increasing risk somewhere else. For example, let’s imagine you want your customers’ online accounts to be secure, so you introduce strong password requirements on your website. This might (or might not) reduce some risks, but it is likely to introduce the new risk of customers leaving your website and going to a competitor’s where the overall user experience is better. Whilst this isn’t really a cyber security risk, it still affects your organisation, and treating both risks as being separate and unconnected is unrealistic. So, when you decide to adopt a security measure, try to imagine any unintended consequences.
Learn from security solutions used by other organisations
It’s rarely worth re-inventing the wheel. We don’t advocate you blindly copying security solutions without any reflecting on how they fit your own context, but you can learn a lot from studying how other organisations have solved similar cyber security problems to yours.
Keep an eye out for cyber security myths
Cyber security, like most professions, has a lot of myths to bust. For example, there is a myth that cloud-based infrastructures are more risky than using your own equipment. This is rarely true – large and reputable cloud service providers generally have far more robust security arrangements than most organisations would be able to afford themselves. At the same time, the cloud isn’t a silver bullet; you still need to ensure that your organisation’s devices that you use to access cloud services are properly protected. Our point is that cyber security is constantly changing, so beware of lazy assumptions and uncritical thinking.
Be aware of the strengths and weaknesses of risk management techniques
Risk management standards and frameworks often present themselves as if they exist in isolation. This can lead to an impression that you only ever need to understand and use one type of approach. There are fundamentally different ways of approaching risk. Of course, many organisations might adopt a single technique to risk management for practical reasons, such as resource constraints, or to ensure compliance with a piece legislation. In such situations, make sure you are aware of the strengths and weaknesses of the technique being applied.
Have a question? We’re here to help.
You can reach us through our contact form, by email, or by phone. We will get back to you within 1 business day.