Why Your Business Needs Comprehensive Risk Documentation

Failing to document risk leaves businesses vulnerable to cyber threats and costly consequences.

October 17, 2023


Phil Robinson of Prism Infosec shares why failing to document risk can be costly for businesses. Explore the importance of risk assessment and management in cybersecurity.

Understanding risk and its potential impact can help the business prepare for and survive the realization of its worst fears. It’s a pre-emptive measure and can head off threats and provide a way to control those risks continuously. Yet, despite the advantages of documenting risk, a surprisingly small number of businesses are doing it.

According to the UK government’s Cybersecurity Longitudinal Survey, only 30% of businesses have any documentation in place outlining how much cyber risk they are willing to accept (their risk appetite), and only 50% of businesses maintain a risk register (which details the cyber risks they are exposed to).

Consequently, these businesses are not managing their cyber security posture appropriately because, without identifying and evaluating risk, these organizations cannot effectively invest in and defend their critical assets. In fact, it’s such a concern that the cyber security risk assessment is one of the four areas highlighted for further monitoring in the third wave of the report being carried out this year.

Why Is This Happening?

Those businesses that do document risk generally do so to meet contractual obligations or the requirements of certifications such as ISO 27001, and they tend to have board oversight of their cyber security risk. It is also a common requirement for cyber security insurance, which the survey states 61% of businesses now hold in some form. And it is stipulated in sector-specific compliance requirements, such as the Sarbanes-Oxley Act in US finance or PCI DSS for the protection of payment card data.

Many may not document their risk because it can be daunting. Documentation is the final stage in the risk assessment process, preceded by scoping, identification, analysis, and evaluation. First, the business will need to decide where to focus the assessment. This is best approached by process or department to make it more manageable and to allow the necessary stakeholders to be involved. 

Once the scope has been decided, risks can be identified, and the likelihood of them being realized is assessed, followed by the potential impact and mitigation. But let’s look at each stage in turn.

Identifying risks may seem straightforward, but it’s not just a matter of inventorying data assets. Also under consideration are business-critical processes that, if subjected to attack, could prevent the business from functioning. Typical components subject to a risk assessment include hardware, software, data sets, services (including cloud and third-party services), personal information, business-critical information, and even staff members. Cyber threats and the tactics, techniques, and procedures used to execute them also need to be identified, along with their possible outcomes; threat frameworks such as MITRE ATT&CK can help here.


Impact and Harm

The next stage is to estimate the likelihood of a risk being realized and its potential impact, i.e., the extent to which it can harm the business. Some use a “Red/Amber/Green” (RAG) system, which makes it more difficult to communicate risk to the board. It’s important to keep it simple: refer to the risk as low, minor, moderate, high, or severe, and give the impact a business context, such as loss of business/contract, loss of reputation, financial impact, or punitive measures/penalties, rather than some obscure numerical value.

In managing risk, the organization should determine a threshold above which risks must be treated, known as the risk appetite. All organizations must take some risks; otherwise, it would be too difficult to pursue the business objectives. However, the risk appetite of an organization can vary based upon factors such as the industry it operates in and company culture. Any identified risk that exceeds the organization’s risk appetite should be treated (for example, by applying further controls, changing practices to avoid the risk, or transferring the risk to a third party such as an insurer) so that the remaining residual risk is at or below the acceptable level.

All of these elements are then documented in a risk register, which should be reviewed regularly, as well as when disruptive events happen, be that the installation of new technology, a change in the direction of the business, or following a security incident. In this respect, the risk register should be considered a living document. Ownership of risk decisions must also be documented and again reviewed when such events occur in case there is a change to the designated person with responsibility.
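As an added illustration (this is not code from the article or from Prism Infosec), the following Python sketches a minimal risk register that follows the stages described above: qualitative likelihood and impact on the low/minor/moderate/high/severe scale with a business-context impact, a risk appetite threshold, treatments with residual ratings, a named owner, and a review flag that is raised when a disruptive event occurs. The combination rule in `overall()`, the 365-day review interval, the report date and the sample register entries are all constructed assumptions for the example.

```python
"""Minimal risk register following the assessment stages in the article.

Added example; the combination rule, review interval and sample entries are
constructed assumptions, not the article's own method.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

# Qualitative scale recommended in the article; the rank is only used internally
# to compare levels, and is never shown to the board as a number.
LEVELS = ("low", "minor", "moderate", "high", "severe")
RANK = {name: i for i, name in enumerate(LEVELS)}

REPORT_DATE = date(2023, 10, 17)  # constructed "today" for the review check
REVIEW_INTERVAL = timedelta(days=365)  # assumed regular review cadence


@dataclass
class Risk:
    risk_id: str
    asset: str                 # hardware, software, data set, service, staff, ...
    threat: str                # threat and the technique used to execute it
    likelihood: str            # one of LEVELS
    impact: str                # one of LEVELS
    impact_context: str        # business context: loss of contract, reputation, ...
    owner: Optional[str] = None            # person accountable for the decision
    treatments: List[str] = field(default_factory=list)
    residual_likelihood: Optional[str] = None
    residual_impact: Optional[str] = None
    last_reviewed: Optional[date] = None
    review_due: bool = False   # set when a disruptive event triggers a review


def overall(likelihood: str, impact: str) -> str:
    """Assumed combination rule: take the higher of the two levels, and step
    up one level when both are at least moderate. Output stays qualitative."""
    hi = max(RANK[likelihood], RANK[impact])
    if min(RANK[likelihood], RANK[impact]) >= RANK["moderate"]:
        hi = min(hi + 1, len(LEVELS) - 1)
    return LEVELS[hi]


def inherent_rating(r: Risk) -> str:
    return overall(r.likelihood, r.impact)


def residual_rating(r: Risk) -> str:
    """Rating after treatment; untreated dimensions keep their inherent level."""
    return overall(r.residual_likelihood or r.likelihood,
                   r.residual_impact or r.impact)


def exceeds_appetite(level: str, appetite: str) -> bool:
    return RANK[level] > RANK[appetite]


def register_findings(register: List[Risk], appetite: str, today: date) -> List[str]:
    """Return the gaps a reviewer would raise: missing owner, untreated risk
    above appetite, residual risk still above appetite, overdue review."""
    findings = []
    for r in register:
        if r.owner is None:
            findings.append(f"{r.risk_id}: no owner recorded")
        if exceeds_appetite(inherent_rating(r), appetite) and not r.treatments:
            findings.append(f"{r.risk_id}: {inherent_rating(r)} risk exceeds "
                            f"appetite '{appetite}' and is untreated")
        elif exceeds_appetite(residual_rating(r), appetite):
            findings.append(f"{r.risk_id}: residual {residual_rating(r)} risk "
                            f"still exceeds appetite '{appetite}'")
        if (r.review_due or r.last_reviewed is None
                or today - r.last_reviewed > REVIEW_INTERVAL):
            findings.append(f"{r.risk_id}: review overdue")
    return findings


def flag_review(register: List[Risk], reason: str) -> int:
    """A disruptive event (new technology, change of direction, incident)
    makes every entry due for review. Returns the number of entries flagged."""
    for r in register:
        r.review_due = True
    return len(register)


# Constructed sample register (three entries, appetite "moderate").
SAMPLE_REGISTER = [
    Risk("R1", "customer database (cloud-hosted)", "credential theft against admin accounts",
         "high", "severe", "punitive measures/penalties", owner="Head of IT",
         treatments=["MFA on all admin accounts", "cyber insurance policy"],
         residual_likelihood="low", residual_impact="moderate",
         last_reviewed=date(2023, 6, 1)),
    Risk("R2", "order-processing service", "ransomware delivered by phishing",
         "moderate", "high", "loss of business/contract",
         last_reviewed=date(2022, 3, 1)),
    Risk("R3", "office printer", "misuse by a visitor", "minor", "low",
         "financial impact", owner="Facilities", last_reviewed=date(2023, 9, 1)),
]


def check_register() -> List[str]:
    return register_findings(SAMPLE_REGISTER, "moderate", REPORT_DATE)


if __name__ == "__main__":
    for line in check_register():
        print(line)
```

Running it reports three findings, all against R2 (no owner, severe risk untreated, review overdue); R1 is treated down to moderate and within appetite, and R3 never exceeded it. Calling `flag_review(SAMPLE_REGISTER, "security incident")` then makes every entry report a review as due, which is the "living document" behaviour the paragraph describes.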


Making the Process Easier

Because of the methodical stages involved, risk assessment lends itself well to a framework approach. Established risk methodologies include ISO 27005:2011, Information Security Forum (ISF) IRAM2, NIST SP 800-30, Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE), OCTAVE Allegro, and ISACA COBIT 5 for Risk. These can make it easier, but many businesses outsource risk assessment to a third party. Regardless of which is chosen, however, the assessment should always be tailored to the business to ensure it is both relevant and effective.

As onerous as the process may seem, failing to assess, manage, and document risk, as 70% of the businesses in the Longitudinal survey seem to have done, can prove costly in the long term. These businesses are much more exposed because they do not know and understand the risks they face, have made no effort to reduce the risk through controls, and have made no contingency plans in case of a compromise. 

The survey found that 74% of businesses were subjected to a cyber attack during the 12 months before June 2022, with 84% of those suffering repeat attacks. Almost a quarter (22%) were adversely impacted, losing access to data or services, having accounts compromised, or having software, systems, or devices corrupted or damaged. A further third had to invest in new security controls, and the same proportion had to devote resources to dealing with such incidents.

That’s proof, if any were needed, that neglecting to document risk can prove costly in the long run. But documenting risk is also valuable in another respect in that it gives the business oversight and more control over its operations. Having that knowledge can then bring about a better cultural understanding of cybersecurity throughout the business and help inform business decisions so that the process not only helps prevent harm but also helps guide future activity.




Phil Robinson

Principal Consultant, Prism Infosec

Phil Robinson is Principal Security Consultant and Founder of Prism Infosec, the independent cybersecurity consultancy. An Associated Member of the ISSA, the (ISC)2 CISSP, ISACA CISA and a CHECK Team Leader, he is also a CLAS Consultant/Senior CCP Security and Information Risk Advisor and has assisted in the development of numerous penetration testing standards and certifications. Phil has been in information security for over 25 years.