Identify The “Who” in Risk Mitigation

When it comes to risk mitigation, organizations need to focus on several components in order to develop and implement an effective strategy to counter a diverse range of cyber threats. While there is considerable focus, and rightly so, on being able to identify mission critical information assets and accesses in order to devise security plans to safeguard them, attention must also be given to the “who” of risk mitigation planning.

The “who” becomes a bit more complex depending on the perspective being taken and further demonstrates the need for risk mitigation strategies to recognize different points of view when developing their plans.

The most obvious “who” in this process is the owner, or in this case, the organization itself. The organization is ultimately the one that has to develop the right strategy that takes both security and cost into consideration. However, identifying key informational and network accesses is just one part of risk management. Factors like safety, business operations, and investment have made organizations more aware of the need to identify and measure risk. Adopting risk modeling techniques is one way organizations achieve many important objectives:

  • It provides information to the decision maker who may have to prioritize how his/her organization’s budget is allocated for security purposes
  • It may have direct influence in how much of the organization’s budget is ultimately devoted to security
  • It provides a quantifiable metric as to the potential financial consequences if risk is ultimately assumed and realized

In addition, organizations must determine risk allocation and how much risk they are willing to accept, and what types of risk they are seeking to avoid and transfer. These must also be factored in when developing risk mitigation strategies.

Another “who” in the equation is the organization’s customers and/or clients. This group is integral for an organization that relies on their patronage in order to succeed and grow as a business. Protecting this relationship is essential for sustained business operations and continuity.

When looking at the 2013 Target breach, the fallout was immediately felt in consumer patronage. Fourth quarter profits fell 40 percent immediately following the disclosure of the breach, and Target had to ultimately agree to a $39 million settlement with the banks when they were forced to reimburse customers who lost money in the aftermath of the criminal hack. Understanding the data that’s important to your customers as well as your business must be factored into any risk mitigation calculus.

Equally important is devising a communications strategy to inform both customers and the public of what the company is doing to mitigate the after effects of the breach, as well as provide information on any developments and what customers can do to minimize further exposure.

The first thing tarnished post-breach is the organization’s brand and reputation, and the situation can become a public relations fiasco if a proactive communications strategy is not in place.

This is not to say that breaches are a death sentence; Target rallied after the breach, and there do not appear to be any long-term damaging effects on other breach victims like JP Morgan, Anthem, or eBay.

But impact on the bottom line is different from impact on reputation. According to a 2014 Ponemon study, consumers felt that data breaches were as troublesome as poor customer service and environmental disasters. A 2014 Forbes study found that 46 percent of organizations had suffered brand and reputation damage as a result of breaches.

Taking this “who” into consideration when drawing up risk management plans is increasingly important. Just because consumers are forgiving doesn’t mean that organizations should rely on them being so.

Partners represent another “who” in risk management. That trusted third parties can be targeted as an entry point into a larger organization’s network was also demonstrated by the Target breach, in which an HVAC company was exploited in exactly this manner. Since that time, we have seen that no sector is immune to this type of targeting.

According to one security vendor fact sheet, healthcare, retail, food and service, charities, and government were just some of the sectors targeted from 2013-2015. More importantly, third-party targeting is not the purview of criminals alone. Hacktivists and cyber espionage actors have also leveraged this technique to support their operations, preying on those entities that may not have as robust cyber security postures as their ultimate targets.

Knowing your trusted third parties, setting policies for them, and monitoring the access they hold is essential in building a more holistic risk management plan.

Risk management strategies are designed for organizations seeking to improve their resilience in the face of a dynamic and ever-changing threat landscape. Knowing the “whos” will greatly assist organizations in developing unique strategies that fit their risk management needs, by forcing them to look beyond themselves and at those stakeholders that may have gone unnoticed. In the end, risk management is many-faced, and a good strategy will represent all of those interests.

This article originally appeared on CSO Online.