Risk management
What do healthcare, banking, and the insurance industry all have in common? RISK! Regardless of industry, having an application or system compromised could mean the exposure of extremely sensitive information. If such information became public knowledge, your business could suffer tremendously. For many companies, a data breach is the worst possible situation imaginable. How does an organization work to reduce the impact of a system being compromised? One of the best ways to protect assets against a potential data breach is by practicing risk management.

Before we can discuss exactly what risk management is, we need to understand risk in its simplest form. The International Organization for Standardization 31000 defines risk as the “effect of uncertainty on objectives”. Risk by itself can be dealt with in four different ways.

  1. Risk can be avoided.
    By simply not engaging in an activity or situation which is associated with a risk, you are eliminating the possibility of being affected by the risk.
  2. Risk prevention.
    If a risk is unavoidable, then you can take measures that prevent the risk from having a negative impact. Preventing risk usually requires additional steps. This equates to work or resources that must be put in place, which adds cost.
  3. Risk retention.
    Risk cannot be avoided if an organization is going to be successful. Once the risk has been identified, and there is no way around it, the company decides to put safeguards in place to keep the risk from damaging assets.
  4. Risk transfer.
    The risk might be too expensive for the organization to mitigate on its own. If this is the case, the organization may transfer the risk to another company that specializes in dealing with the activities that present a risk to the organization.

The practice of managing these uncertainties is what is known as risk management. That seems simple enough; however, let’s look at the definition of risk management according to Wikipedia:

“Risk management is the identification, evaluation, and prioritization of risks followed by coordinated and economical application of resources to minimize, monitor, and control the probability or impact of unfortunate events or to maximize the realization of opportunities”.

If we take this definition and apply it to a business model, we develop what is known as enterprise risk management, or ERM. Applied to information security, the practice is abbreviated ISRM (information security risk management). Keep in mind the original definition from the International Organization for Standardization 31000: the objective with information security is for people to be able to use technology without putting the business data at risk. Risk and how we deal with it applies to all aspects of life. When applied to a specific domain, risk management takes on a new acronym, but the methods are still very much the same. Therefore, whether it is called ERM or ISRM, at the end of the day it is simply risk management.

Elements of risk management

Generally speaking, the elements of a successful risk management program are broken down into six steps.

Infographic showcasing six elements for better risk management

The first step in building a risk management program is to define the objectives. Having a clear understanding of what you are trying to achieve is absolutely critical to the success of the program. Take time to fully understand what the end goal is.

Once you have a clear understanding of what the program is trying to achieve, identify risks that could affect your organization’s goals. This will require an in-depth look at the workings of the technologies in place.

After identifying risks to your objectives, it is time to assess those risks. During this phase, the risks are validated and their criticality is measured. This ensures the business is able to formulate a cost-effective plan to mitigate risks based on their potential impact on the overall business. From here, develop strategic options that enhance opportunities and reduce threats to the overall objectives. Remember, a risk is the potential for a loss, while an opportunity is the potential for a gain.

It is now time to implement your plan for risk response. Make sure policies are in place and people are aware of the proper protocols to follow in the event a risk becomes a threat.

Lastly, monitor and review your procedures and policies to see not only whether they are working correctly but also whether they could be improved upon.

Reduce impact through risk management

On October 1, 2019, the DCH Regional Medical Center in Tuscaloosa, Alabama [1] announced they could not take any new patients due to a ransomware attack. The attack affected three hospitals in total. Ransomware attacks can have an impact by means of a couple of different methods, all of which require the attacker to gain access to the machine. Attackers can leverage infected websites that, when visited, drop malicious code on the victim’s machine. If there are any known vulnerabilities that an attacker is able to exploit (which was the case with WannaCry), these can be leveraged to initiate the ransomware. A malicious attachment can also be sent by email (commonly referred to as phishing).

Regardless of which method the attacker uses, what the ransomware does next is the same. Once the attacker's malicious code has executed, it spreads laterally through the network and encrypts the hard drives of the affected systems, denying access to the user. The attackers alert the users after the damage is done with a message basically stating that you can’t use your stuff until you pay us. This is absolutely horrible! The worst possible outcome, but why was it so successful? This attack was able to inflict so much damage due to a lack of risk management.

Ransomware attacks have been well known for several years now, yet the organization failed to recognize the risk. The exact technical details surrounding the attack were not public at the time this article was written, but a properly run information security risk management plan would have safeguards in place to mitigate this risk. If secure backups of the data had been configured properly, the machines could have been wiped clean and the data restored, preventing THREE hospitals from having to stop admitting new patients.

Another major component of a successful phishing attack is the end user. If end users are more aware of phishing techniques, they can become more suspicious of emails, recognize the phishing attempt, and not interact with the infected mail! Although user awareness does not guarantee a phishing attack will not be successful, it does greatly reduce the likelihood of success.

Endpoint protection specifically designed to detect these types of attacks is available in the marketplace today. It is highly suggested because it monitors endpoints for suspicious activity and can warn your organization of signs of compromise, which leads to a faster response time. Were these systems fully patched? By maintaining fully patched systems, a business prevents attackers from leveraging known vulnerabilities to compromise systems.

Network segmentation can keep ransomware from spreading by greatly reducing the malicious code's ability to move laterally through the network. If a properly executed risk management strategy had been in place, a ransomware scenario would have been thought out, giving the organization assurance that it was configured to provide a solution in the event of an attack. This is just one example of how practicing risk management can reduce the impact of an attack. Rest assured, having done the preventative work will save your company from spending potentially millions of dollars cleaning up after a cyber attack.

SUMMARY

The lasting effects of neglecting security outweigh the cost of prevention. By implementing a risk management program, your organization will prevent threats from becoming something that could potentially bankrupt the business. It is far less expensive to take preventative measures, and to break free from the thought that “it won’t happen to us”, than to neglect safeguards against the techniques attackers leverage today. Be diligent in identifying assets! Take time to develop strategies and policies to handle risks, ensure they’re working correctly, and monitor and review them regularly.

Our solution to help in doing this is the Ignyte Assurance Platform, which aids you in calculating impact and likelihood. We’ve automated the process of risk calculation, reporting, and tracking remediation costs. All of this saves your organization time, which in the end saves money, all while providing the assurance your company needs in order to be successful today.