You may have noticed that at Morrisec, we use the word risk a lot. You will often hear us babble on about cyber-risk, risk appetite, risk-based approach, and as a famous bald man once said ‘etcetera, etcetera, etcetera’. I can see you Googling to find out what the heck I am talking about, and for those of you who know – you must be old 😉
The reality is that risk is what cybersecurity is all about. An organisation needs to estimate how likely a particular event is to occur and what impact that event would have on it in order to decide what approach to take. The organisation's risk appetite will also shape that approach. An organisation holding no personally identifiable information will care little about the risk of a personal information data breach. However, an organisation holding sensitive personally identifiable information, whose very existence relies on safeguarding that data, would have no appetite for a data breach. The second organisation would be looking to invest in protection against that risk: implementing data loss prevention controls, running user awareness training, ensuring multi-factor authentication is in place and hiring someone like Morrisec to make sure there are no critical risks leading to a data breach that it has not identified and addressed. The first organisation, in comparison, will be investing its money in controls more relevant to its own specific risks.
But how do you determine what your risks are?
Where do we start?
The first step in determining your risks is understanding what you need to protect. What would a threat actor wish to do with your organisation and its data? Threat actors love to target data-rich organisations, which is why the health sector is a significant target, as it holds:
- Personal identifying information
- Finance data
- Medicare information
- Sensitive health data
Other targets for threat actors include:
- Intellectual property
- People who speak out against some Nation States
- Political data
- Research data and IP
- Classified data and national secrets
- Personnel data on government and military agencies
- Customer base
Hmmmm, it almost appears that any organisation that does any type of business is a target… This should not be a surprise to anyone. Threat actors can make a dollar from any data they steal: the more data, the more dollars they earn.
In a previous article, I spoke about the importance of creating an asset register to see where your data is being held and processed, what the sensitivity of that data is and what controls are in place to protect it. But here is the thing: just because you have documented a process or informed staff that they need to follow a procedure, it does not mean it is occurring. For example, you may have set up Salesforce in your organisation and informed everyone that they should now use it to save all their interactions, documentation, and customer correspondence. Yay, you can cross that off the list. All customer documentation is now secure, or is it?
How can you be sure that your staff are using Salesforce, and only Salesforce, to save customer interactions? You undertake a risk assessment. This simply means you go and talk to your team and find out what they are actually doing. You do not need to talk to everyone; a sample of people from across your organisation gives you a general feel for what they do as part of their day-to-day operations.
Providing real value from a risk assessment
I have been told that I do information security risk assessments differently from others. To quote one recent customer, I have also been told that the result is ‘the most useful report they have ever received from a consultancy’ /me curtsies. What is the point of doing something that will not benefit the business? Since we are such great friends, I will give away a few tips on how I undertake an information security risk assessment, which hopefully you can take back to your business and try out. If you do not feel comfortable or have no time, you can always buzz me and get me to come and do it for you 😉
Choosing the right stakeholders
The first thing I do when conducting an information security risk assessment is to select representatives from across your business – from your worker bees to top management. You want at least two people from each area and a few more from IT and finance. I am then a little mean, because I give the interviewees no information to prepare for the interview. I just tell them that I am conducting an information security risk assessment, that they have been chosen as part of the sample group, and that all they need to bring to the interview is their knowledge.
During the interview stage, you must gain the interviewee’s confidence: let them know that they are not being judged and that the sole purpose of the assessment is to identify risks and help keep the organisation safe. There are no right or wrong answers, and to the best of your ability, all responses are confidential. However, if a staff member states, for example, that their area is understaffed and that the strain on workers could lead to a security breach, you will need to name the department in order to bring the issue to management’s attention so that it can be fixed.
So far, no rocket science. You have your sample, you have set up your interviews, and you have made your interviewees feel comfortable. Now comes the torture, *cough* *cough*, I mean the interview questions.
The interview
Start by asking the interviewee what they do, not just their job title but what they do as part of that job. For example, in an interview between me and myself, I may begin with:
Interviewer:   So Sarah, can you tell me what your day-to-day job entails?
Interviewee:   Well, Sarah, I am an information security consultant, and my job has me working with my clients to help keep them safe.
Interviewer:   Interesting, so what do you do to keep them safe? What type of tasks do you perform?
Interviewee:   Well… It depends on the customer. For some customers, I may undertake an information security risk assessment. Other times I may deliver security awareness training to an organisation, help them develop incident response documentation and then test the organisation’s preparedness for an incident. I work with organisations to help them comply with a particular standard or framework such as NIST, ISO/IEC 27001 and CPS 234, and I work with organisations as their security manager or CISO.
Interviewer:   Wow, Sarah, you do a lot and are very talented. Let us step back and examine what is involved in a risk assessment. Can you tell me step by step what you do?
Interviewee:   Well, thank you, Sarah. You seem very talented too. For a risk assessment, I first engage with clients and ask them to send me any documentation that may be relevant to the assessment, such as policies and procedures, past penetration tests and audit reports.
Interviewer:   That sounds like it would be very sensitive client data. Can I ask how you receive that data?
Interviewee:   At the start of the project, I request that our Service Delivery team set up a secure upload folder that our client can authenticate to and upload their documents. I then move those documents to our internal file repository under the client’s folder and delete the documents from the externally accessible location.
I could go on and on, but you get the idea. If I had told myself that I had the client email me confidential documents, my follow-up questions would have been:
- Whether the email was encrypted.
- What I did with the email once I received it.
- Where I stored the confidential documents.
- Whether I forwarded those confidential documents to anyone else.
Lastly, my favourite question is whether I saved those documents for safekeeping on my local drive, in any other cloud storage places or on external hard drives or USB keys. Strangely enough, people do not trust technology, especially technology that has just been introduced, so they always find ways to back up data rather than rely on IT (especially in universities!).
The interviews tend to run for an hour, sometimes a little longer and other times a little shorter. But you get the gist: you dig and dig and dig in an interview, not because you must find something, but because you care. Otherwise, you may as well be undertaking a box-ticking exercise. You are not digging to see where people have made mistakes or stuffed up so you can point a finger. You are searching to keep their organisation safe.
The questions vary, of course. For IT, I delve into privileged access accounts, access control, onboarding and offboarding, and other relevant topics. I would suggest writing down a list of issues to cover beforehand. If your organisation undertakes development, you will want to know what code is being saved and where, whether your production, test and development areas are separated, how often your organisation undertakes code reviews and many more things.
Outputs from the risk assessment
At the end of the assessment, you will have findings, which you can then link to an overall risk category. My go-to example is access control:
Findings:
- People are sharing passwords.
- Some passwords are on post-it notes at people’s desks.
- A search of breached databases revealed passwords belonging to staff that are simple and easy for a password cracker to guess.
Risk Category:
Access Control
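The third finding above (staff passwords turning up in breached databases) points at a control an organisation can put in place itself: refusing a password at set or change time when it already appears in a breach corpus. The script below is an added example, not something from the article or from Morrisec; it implements the prefix-only lookup pattern used by the Have I Been Pwned Pwned Passwords range API, where the client sends only the first five hex characters of the SHA-1 and compares the returned `SUFFIX:COUNT` lines locally, so the password itself never leaves the machine. The breach corpus here is a small constructed dictionary with made-up counts standing in for the remote service, and the `fetch_range` parameter is an assumption of this example so that the offline lookup can be swapped for a real one.

```python
import hashlib
from collections import defaultdict
from typing import Callable, Dict, Iterable

# Constructed stand-in for a breached-password corpus: password -> number of
# times it appeared in breaches. Both the passwords and the counts are made up
# for this example.
CONSTRUCTED_BREACH_CORPUS: Dict[str, int] = {
    "password": 3861493,
    "123456": 37359195,
    "Welcome1": 12345,
    "Summer2023!": 210,
}


def sha1_upper(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the form the range lookup is keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus: Dict[str, int]) -> Dict[str, str]:
    """Group the corpus by 5-hex-char hash prefix.

    Each value mimics one range response body: a 'HASH_SUFFIX:COUNT' line for
    every hash sharing that prefix, CRLF separated (the Pwned Passwords format).
    """
    grouped = defaultdict(list)
    for password, count in corpus.items():
        digest = sha1_upper(password)
        grouped[digest[:5]].append(f"{digest[5:]}:{count}")
    return {prefix: "\r\n".join(lines) for prefix, lines in grouped.items()}


RANGE_INDEX = build_range_index(CONSTRUCTED_BREACH_CORPUS)


def local_range_lookup(prefix: str) -> str:
    """Offline replacement for the remote range query (an assumption of this
    example): returns the response body for a prefix, or an empty body when no
    corpus hash shares that prefix."""
    return RANGE_INDEX.get(prefix, "")


def pwned_count(password: str,
                fetch_range: Callable[[str], str] = local_range_lookup) -> int:
    """Return how many times the password appears in the corpus.

    Only the first five hex characters of the SHA-1 are handed to the lookup;
    the lookup returns every suffix under that prefix and the match against the
    full hash happens locally, so the password is never disclosed.
    """
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        line = line.strip()
        if not line:
            continue
        candidate_suffix, _, count = line.partition(":")
        if candidate_suffix == suffix:
            return int(count)
    return 0


def rejected_passwords(candidates: Iterable[str],
                       fetch_range: Callable[[str], str] = local_range_lookup) -> Dict[str, int]:
    """Return the candidates a password-change check should refuse, with their
    breach counts; anything not in the corpus is absent from the result."""
    result: Dict[str, int] = {}
    for candidate in candidates:
        count = pwned_count(candidate, fetch_range)
        if count > 0:
            result[candidate] = count
    return result


if __name__ == "__main__":
    for pw in ("Welcome1", "constructed-unique-passphrase-not-in-corpus"):
        print(f"{pw!r}: seen {pwned_count(pw)} time(s) in the constructed corpus")
```

In production the offline `local_range_lookup` would be replaced by a function that fetches the range for a prefix from the real service (or from a locally downloaded copy of the corpus), while `pwned_count` and the refuse-on-match policy stay the same; logging the rejection count per department, never the password, gives you exactly the kind of evidence the finding above rests on.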
Once you get used to undertaking risk assessments, you can tie these to your organisation’s threat landscape. David wrote an article on this a few weeks ago, which can help you reach this new milestone in information security risk management.
And there you go, how to undertake an information security risk assessment. Well, at least the start of undertaking an information security risk assessment. Remember, cybersecurity has three pillars: people, process and technology, and you will want to expand on all three pillars as your risk methodology grows. You will also want to investigate worst-case scenario workshops, where you use your threat landscape results to come up with scenarios and then play these scenarios out, identifying risks and controls. This can then be fed into your risk register. But one thing at a time.
I hope this article has been helpful. I first started conducting risk assessments back in 2005 when I worked for one of the major banks, and I absolutely love developing risk registers and then slowly seeing an organisation mature as they close off risks and follow their remediation plans.
As always, please feel free to reach out if you need further information.