Starting a Cyber Risk Management Program: Assessment (2 of 3)

This is a podcast episode titled "Starting a Cyber Risk Management Program: Assessment (2 of 3)". The transcript of the episode follows:

Speaker 1: Okay. So in this section, we're going to talk about assessment, right? This is the most critical stage in the process of risk management. If you don't know where you're at risk, you cannot mitigate those risks. You may not know how to transfer that amount of risk, right? So when you think about cyber risk in particular, you're really talking about three key areas. You're thinking about people risk, infrastructure risk, and program risk. And these are the areas that you want to assess to get a better idea, or the best idea really, in terms of how to move forward.

So let's think about the people risk, right? But let's take a step back and think about a scenario involving the security of a jewelry store, right? You can have the best locks and safes in the world, but if your team doesn't put the jewels in the safes and lock them on the way out at night, those safes aren't doing anything to actually protect your jewelry store. And cyber risk is similar, right? Your people need to understand the tools they have and the best way to avoid easy attack vectors. And today, the number one way for cyber criminals to come at a company is by social engineering or through phishing attacks. So in order to assess where your team is, you're going to want to do a phishing test regularly to ensure that you have an idea of how likely the team is going to be to recognize and click on malicious or suspicious links. From there, you'll know what mitigation steps you may need to take to help with your people risk, okay?

The next section to think about is infrastructure. Okay. And so we talked to you about the social engineering piece; the vulnerability piece here, that's going to be the infrastructure. But let's think again about that jewelry store example. If you've got your team putting the jewels in the safe and locking up at night, that's great. But now let's make sure there's not a window open in the bathroom that doesn't lock that a criminal can get into, or that the doors and the safes actually close securely and actually lock, right? This is one of the areas where you want not just a point-in-time understanding, but constant vigilance, right? So from a cyber perspective, think about setting up scans for your different environments, from your cloud environment, to your IPs, to your computers, to your network, right? You need to make sure that you're patching your software and keeping everything up to date. You need to make sure that you don't have exposed passwords or identifying information on the dark web. You want to look across all the areas of your enterprise, your company, and say, "These are the key threats from our infrastructure." And you need this kind of assessment to really be on a regular basis. Most customers that we're looking at are doing this either on a weekly or a monthly basis.

And now let's talk about your program risk, right? Think again about that jewelry store analogy. Do you have a list of employees, or only give access to certain areas of the store to those that need it? Do you have a policy in place that's reviewed quarterly about closing down the store at night, to ensure that all employees know where the jewels go, how to lock up, how to check for that window into the bathroom, how to keep everything secure, right? So if your business is just as valuable as the jewels in the jewelry store, then just like the store owners and the operators take steps to ensure the jewels stay safe, you have to make sure you're keeping your business safe. By going through an industry-approved survey like CIS v8, you can understand quickly what you're doing versus where you should be from a program maturity standpoint, right? This survey will help you understand the different areas where you need to have policies and procedures in place. It will show the difference between having a policy and actually working on that policy, documenting it and approving it.

And after doing a thorough assessment on your people, your infrastructure and your program, you're going to end up, right, with a number of disparate data sets. The next step is to correlate all those different results, kind of like we've done here on the screen, right? Use one-to-five scales across all three areas and rank the risks for the three areas to get an idea of what a mitigation program needs to look like.
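The last step the speaker describes, normalizing the phishing test, the vulnerability scan and the control survey onto a common one-to-five scale and ranking the three areas, is easy to get wrong when each data set arrives in a different shape (a click rate, a list of findings, a table of control statuses). The script below is an added example written for this page; it is not from the podcast or any tool the speaker uses. Every threshold (click-rate bands, a 30-day patch window, the "none / policy / documented / approved / implemented" status ladder) and all sample data are assumptions for illustration, and the status ladder is a simplification of a CIS Controls self-assessment, not the official scoring.

```python
"""Correlate people, infrastructure and program assessment results
on a common 1-5 risk scale and rank them.

Added example, not code from the podcast. All thresholds, the control
status ladder and the sample data are assumptions for illustration.
"""
from __future__ import annotations

SCALE_LABELS = {1: "low", 2: "guarded", 3: "moderate", 4: "high", 5: "critical"}

# Assumed phishing-simulation bands: click rate below 3% is low risk, above 30% critical.
CLICK_RATE_BANDS = [(0.03, 1), (0.08, 2), (0.15, 3), (0.30, 4)]
PATCH_WINDOW_DAYS = 30          # assumed SLA for high/critical findings
SEVERITY_SCORE = {"critical": 5, "high": 4, "medium": 3, "low": 2}
# Assumed maturity ladder for each control, mirroring the podcast's
# "having a policy vs. documenting and approving it" distinction.
STATUS_LADDER = ["none", "policy", "documented", "approved", "implemented"]


def people_risk(sent: int, clicked: int, reported: int) -> int:
    """Phishing test -> 1..5. Click rate sets the score; a team that reports
    at least half of the lures earns one notch of credit."""
    if sent <= 0:
        raise ValueError("a phishing test needs at least one recipient")
    click_rate = clicked / sent
    score = 5
    for upper, band_score in CLICK_RATE_BANDS:
        if click_rate < upper:
            score = band_score
            break
    if reported / sent >= 0.5 and score > 1:
        score -= 1
    return score


def infrastructure_risk(findings: list[dict]) -> int:
    """Scan findings -> 1..5. The worst unpatched severity sets the score;
    a high/critical finding older than the patch window adds one notch."""
    open_findings = [f for f in findings if not f.get("patched", False)]
    if not open_findings:
        return 1
    score = max(SEVERITY_SCORE[f["severity"]] for f in open_findings)
    overdue = any(
        f["age_days"] > PATCH_WINDOW_DAYS and SEVERITY_SCORE[f["severity"]] >= 4
        for f in open_findings
    )
    return min(5, score + 1) if overdue else score


def program_risk(controls: dict[str, str]) -> int:
    """Control survey -> 1..5. Average position on the status ladder,
    mapped so that all-implemented is 1 and all-missing is 5."""
    if not controls:
        raise ValueError("no controls surveyed")
    top = len(STATUS_LADDER) - 1
    maturity = sum(STATUS_LADDER.index(s) for s in controls.values()) / (len(controls) * top)
    return max(1, min(5, round(5 - 4 * maturity)))


def rank_risks(people: int, infra: int, program: int) -> list[tuple[str, int, str]]:
    """Return (area, score, label) sorted from highest to lowest risk;
    ties keep the order people, infrastructure, program."""
    scores = {"people": people, "infrastructure": infra, "program": program}
    return sorted(((a, s, SCALE_LABELS[s]) for a, s in scores.items()), key=lambda r: -r[1])


# Constructed sample data: one phishing round, one scan export, one survey.
SAMPLE_PHISH = {"sent": 200, "clicked": 34, "reported": 20}
SAMPLE_FINDINGS = [
    {"host": "web-01", "severity": "critical", "age_days": 45, "patched": True},
    {"host": "vpn-gw", "severity": "high", "age_days": 40, "patched": False},
    {"host": "db-02", "severity": "medium", "age_days": 5, "patched": False},
    {"host": "print-srv", "severity": "low", "age_days": 90, "patched": False},
]
SAMPLE_CONTROLS = {
    "1 Inventory of enterprise assets": "implemented",
    "5 Account management": "approved",
    "6 Access control management": "documented",
    "14 Security awareness training": "policy",
    "17 Incident response management": "none",
}


def assess(phish: dict, findings: list[dict], controls: dict[str, str]) -> list[tuple[str, int, str]]:
    """Run all three scorers on their raw inputs and rank the result."""
    return rank_risks(
        people_risk(phish["sent"], phish["clicked"], phish["reported"]),
        infrastructure_risk(findings),
        program_risk(controls),
    )


if __name__ == "__main__":
    for area, score, label in assess(SAMPLE_PHISH, SAMPLE_FINDINGS, SAMPLE_CONTROLS):
        print(f"{area:15s} {score}/5  {label}")
```

With the sample data the unpatched high-severity VPN finding that is past the patch window pushes infrastructure to 5, a 17% click rate puts people at 4, and a half-implemented control set lands program at 3, which is the ranking a mitigation plan would then follow. Whatever bands you adopt, write them down next to the scores as above; a one-to-five number without its scoring rule cannot be compared across quarters.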

DESCRIPTION

Assessing people risk, infrastructure risk, and program risk will give you the best idea of how to move forward.