Risk is not just a vulnerability. Risk is a combination of the likelihood of a vulnerability being exploited and the impact to the system if that vulnerability is exploited. So, what does that mean?
When we think about a threat to the system, we look at the events that could trigger that threat. For example, we know fire, flood, or other natural disasters are certainly a threat to the system. Malicious intent by an individual outside or inside the system is also a threat. However, after we identify these threats and corresponding threat events, we must also assess the two risk parts to the system: the likelihood of the threat happening and the impact it could have on the system.
For now, let’s look at how to handle threats to the system after they have been identified.
If a risk assessment was conducted correctly, it will provide a prioritized list of recommendations to reduce identified risks to the system. Our options here are to reduce or remove the risk, accept the risk, or transfer the risk somewhere else.
The most common solution is to reduce the likelihood of the risk. The set of recommendations in the assessment’s final report usually includes things like software patching, reconfiguration of access controls, adding allowlists on networked devices, or even improvements to personnel procedures.
Another option for reducing risk is to remove it outright. This method typically involves removing some component or function from the system. Examples would be terminating third-party access to the system or removing Wi-Fi access from the system. The risk is removed by removing the exposure from the system. Unfortunately, this solution often causes disruptions to other system services still in operation.
The final approach is to accept the risk. While this isn’t ideal, sometimes reducing risk is impossible due to business needs or functions. If we cannot reduce the likelihood or remove the risk, the business must seek ways to ease the impact of the risk it has to accept. This is accomplished through cyber insurance.
Cyber insurance covers risks that cannot be technically mitigated. For example, social engineering and ransomware are exposures based on human negligence or ignorance. While technical controls can reduce some exposure to the risk, they do not remove it entirely.
Remember when I talked about risk having two parts earlier (impact and likelihood of the threat happening)? Since we must accept this threat as a residual risk (unable to remove the likelihood of it happening), we look for an alternative way to reduce risk. We do this through the impact this risk has on the system. By transferring the impact portion of risk to insurance, our risk is reduced.
An example: You are hit with ransomware. The impact to the business is the business lost during the downtime. That loss is reduced by reimbursement from cyber insurance, which lowers the cost (the impact) to the business.
We are partnering with a cyber insurance company that understands its role in this effort. They use data from each individual business to customize the policy based on true need, cyber posture, and actual risk. This rewards the business for the risk reduction processes it already has in place. I like this company because, like us, they focus on supporting small and medium businesses as well as on cyber protection, so you can focus on your business.
One last thing worth mentioning: if you are going to carry insurance, make sure the policy also provides both pre- and post-incident support.
If you would like to have a conversation about your cyber insurance needs and/or reducing your risk, please be in touch.