A risk-led approach to cyber security

Our lives and our businesses are becoming increasingly digital, with everything from how to communicate to how we access financial services like banking all moving more online.

But while the advantages this transition affords us are clearly understood and leveraged by all, its risks remain somewhat more obscure to many of us.

Risk management is something we all do on a daily basis, whether we know it or not: we are constantly evaluating risk. From our personal lives through to our businesses, using risk as an input to decision-making leads us to make well-informed decisions.

The digital world isn’t an intrinsically dangerous place, but there are risks we need to be aware of, and the same risk management approach that we use every day to make well-informed decisions about other aspects of our lives is a useful model for approaching cyber.

The challenge is that we need to understand what our cyber risks are. In a fast-moving world, this can be difficult to do, so we need to use a model that’s more flexible than a rigid look at historical patterns.

Just because something hasn’t happened before doesn’t mean it couldn’t, and unlike the physical world, where only your local jurisdiction or environment might be relevant, there are no borders in cyberspace, and attackers give little consideration to who you are or to the repercussions.

When looking at cyber risk, individuals and businesses should start at impact.

  • My bank account has been drained
  • My email has been accessed and sensitive information lost
  • Our whole IT infrastructure is offline and we cannot do any business

It’s important then to look at how these scenarios could come about. Cyber attacks rarely happen because of just one thing; there is almost always a sequence of events that leads to one of these outcomes. You should spend time thinking about what these sequences are, and what mitigating controls you should have in place at each point along them.

For example, if the risk were “a burglar could rob my house of a lot of my possessions”, the controls in place might naturally be locks on the doors, but where the risk is still too high you might also go as far as installing a burglar alarm.

In cyber, account compromise risk can range from a mild inconvenience for some to existential for others, so you might consider controls beyond the basics of a good password and MFA, such as advanced endpoint protection or a managed security service.

A risk-led approach to cyber provides an effective framework that’s grounded in the reality of potential outcomes, rather than in some vague notion of what’s currently happening in the digital world.

Individuals and business leaders can then make executive decisions about their overall risk, now including their cyber challenges, and take action where the risk exceeds what they’re comfortable with.

The flip side of this coin is that we either ignore scenarios that would impact us greatly or hyper-focus on ones that are very improbable or have low impact. The former can lead to catastrophe should a scenario we were unprepared for come to pass, and the latter can kill a business as it focuses on mitigating a distraction that will never materialise.
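To make the approach above concrete, here is a small risk register written as an added example for this article (it is not the author's code or a Sibylline tool). It starts from the three impact scenarios listed earlier, writes down the sequence of events an attacker would need to complete for each, records which steps already have a control, and scores the residual risk against a risk appetite. The 1–5 impact and likelihood scales, the rule that each controlled step knocks one notch off likelihood, the appetite of 8 and all scenario data are assumptions chosen for illustration. The report also flags the two failure modes just described: high-impact scenarios left untreated, and low-impact, improbable scenarios that have already absorbed controls at every step.

```python
"""Toy risk register: impact-first scenarios, attack sequences and control
coverage. Added illustration, not from the original article; scales, scoring
rule and sample data are assumptions."""
from dataclasses import dataclass, field


@dataclass
class Step:
    name: str
    controls: list = field(default_factory=list)  # controls already in place


@dataclass
class Scenario:
    outcome: str
    impact: int      # 1 = mild inconvenience .. 5 = existential (assumed scale)
    likelihood: int  # 1 = remote .. 5 = expected, before any controls
    chain: list = field(default_factory=list)  # ordered Steps the attacker must complete

    def covered_steps(self) -> int:
        return sum(1 for s in self.chain if s.controls)

    def residual_likelihood(self) -> int:
        # Assumed rule: every step with at least one control removes one
        # notch of likelihood, because the attacker must pass every step.
        return max(1, self.likelihood - self.covered_steps())

    def score(self) -> int:
        return self.impact * self.residual_likelihood()

    def uncovered_steps(self) -> list:
        return [s.name for s in self.chain if not s.controls]


def classify(sc: Scenario, appetite: int) -> str:
    """TREAT = above appetite, add controls on uncovered steps.
    OVER-INVESTED = improbable and low impact, yet every step is controlled.
    ACCEPT = within appetite."""
    if sc.score() > appetite:
        return "TREAT"
    if sc.impact <= 2 and sc.likelihood <= 2 and sc.covered_steps() == len(sc.chain):
        return "OVER-INVESTED"
    return "ACCEPT"


def build_sample_register() -> list:
    # Constructed sample data: the article's three impact scenarios plus one
    # low-impact distraction to show the hyper-focus case.
    return [
        Scenario("Bank account drained", impact=5, likelihood=3, chain=[
            Step("Phishing email opened"),
            Step("Credentials entered on fake site", ["MFA on banking login"]),
            Step("New payee added and transfer made", ["Transaction alerts"]),
        ]),
        Scenario("Mailbox accessed, sensitive data lost", impact=4, likelihood=4, chain=[
            Step("Password guessed or reused", ["Strong unique password"]),
            Step("Login from a new device"),
            Step("Mailbox contents exported"),
        ]),
        Scenario("Whole IT infrastructure offline", impact=5, likelihood=3, chain=[
            Step("Unpatched remote-access device exploited"),
            Step("Ransomware spreads across the network"),
            Step("Backups encrypted along with live data"),
        ]),
        Scenario("Office printer defaced", impact=1, likelihood=1, chain=[
            Step("Guest Wi-Fi can reach the printer", ["Network segmentation"]),
            Step("Default admin password used", ["Password changed"]),
        ]),
    ]


def register_report(scenarios: list, appetite: int) -> list:
    """Rank scenarios by residual risk; each row is
    (outcome, score, decision, steps still lacking a control)."""
    ranked = sorted(scenarios, key=lambda s: s.score(), reverse=True)
    return [(s.outcome, s.score(), classify(s, appetite), s.uncovered_steps())
            for s in ranked]


if __name__ == "__main__":
    for outcome, score, decision, gaps in register_report(build_sample_register(), appetite=8):
        print(f"{score:>3}  {decision:<13} {outcome}")
        for g in gaps:
            print(f"            gap: {g}")
```

Reading the output top-down mirrors the article's advice: the scenarios that would hurt most and have no controls along their chain sit at the top with the exact steps that need treating, while a fully controlled, improbable, low-impact scenario at the bottom is a candidate for stopping further spend rather than adding more.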

Where can I find out more?

If you want to understand your cyber risk, find out more about Sibylline and contact Dan Miles here. If you think you’ve suffered a loss and want to see if you can recover it, you can contact Proelium Law here.