- Donald E. Hester
Prioritizing Cyber Risk Management: Prevention and Response to Incidents
This article discusses the complex question of whether having a cyber incident indicates a failure to evaluate and mitigate cyber risks adequately. While it may seem that an incident suggests a lack of preparation, it is essential to consider the context, resources, and tradeoffs that organizations face when prioritizing risks. The governing body is ultimately responsible for enterprise risk management, and it should establish policies to support informed risk-based decision-making. Adopting a cyber risk framework such as the NIST Cybersecurity Framework can help organizations prioritize prevention and response to incidents. The article explains the importance of the NIST Cybersecurity Framework's five pillars - identify, protect, detect, respond, and recover - and provides specific recommendations for each step. Ultimately, organizations must prioritize both prevention and response to cyber incidents to ensure business continuity.
Does having a cyber incident mean you are not properly evaluating and mitigating cyber risk? Not necessarily. Some individuals may answer in the affirmative and suggest that the cyber risk should have been known and addressed. However, it's important to consider the potential influence of hindsight bias, much like that of a Monday-morning quarterback.
The question of whether having a cyber incident means that an organization is not properly evaluating and mitigating cyber risk is a bit more complex. While some may argue that a cyber incident indicates a failure to address known risks, context is critical. It is important to consider how many risks were identified and how many vulnerabilities were known. There are always tradeoffs; with limited resources, organizations must prioritize which risks to address based on probability and impact. The reality is that all organizations face resource constraints in terms of staff, time, skills, and budget, which makes it impossible to mitigate every possible cyber risk.
When resources are limited, tough choices must be made. It may be necessary to focus mitigation efforts on risks with a higher probability or impact. Therefore, it's possible that despite experiencing an incident, the organization was appropriately addressing risks. The critical question is whether the available resources are being utilized optimally to reduce risk.
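The prioritization described above (rank risks by probability and impact, then spend a limited budget where it reduces the most risk) can be made concrete. The following is an added example, not the author's code: it ranks constructed sample risks by expected loss and picks mitigations greedily by risk reduction per unit of cost, which is one common heuristic for this kind of budget-constrained choice. Every risk, probability, impact and cost below is a made-up sample value.

```python
"""Risk prioritization under a fixed budget (added example, constructed data)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    probability: float      # annual likelihood of the event, 0..1
    impact: float           # loss if the event is realised, in currency units
    mitigation_cost: float  # one-off cost of the planned control
    reduction: float        # fraction of expected loss the control removes, 0..1

    @property
    def expected_loss(self) -> float:
        # The usual "probability x impact" figure used to rank risks.
        return self.probability * self.impact

    @property
    def risk_reduced(self) -> float:
        return self.expected_loss * self.reduction

    @property
    def reduction_per_cost(self) -> float:
        # Risk removed per unit of budget spent; the greedy selection key.
        return self.risk_reduced / self.mitigation_cost


# Constructed sample register; none of these figures come from the article.
SAMPLE_RISKS = [
    Risk("Unpatched internet-facing VPN", 0.40, 500_000, 20_000, 0.80),
    Risk("Phishing leading to credential theft", 0.60, 200_000, 15_000, 0.50),
    Risk("No tested offline backups", 0.25, 800_000, 60_000, 0.90),
    Risk("Shared local admin password", 0.30, 150_000, 5_000, 0.70),
    Risk("Lost unencrypted laptop", 0.10, 50_000, 8_000, 0.95),
]


def rank_by_expected_loss(risks):
    """Order risks highest expected loss first (stable for ties)."""
    return sorted(risks, key=lambda r: r.expected_loss, reverse=True)


def select_mitigations(risks, budget):
    """Greedy knapsack heuristic: fund controls in order of risk reduced per cost
    until the budget cannot cover the next one. Returns (chosen, budget left)."""
    chosen, remaining = [], budget
    for r in sorted(risks, key=lambda r: r.reduction_per_cost, reverse=True):
        if r.mitigation_cost <= remaining:
            chosen.append(r)
            remaining -= r.mitigation_cost
    return chosen, remaining


def residual_risk(risks, chosen):
    """Total expected loss left after the chosen controls are applied."""
    total = sum(r.expected_loss for r in risks)
    return total - sum(r.risk_reduced for r in chosen)


if __name__ == "__main__":
    for r in rank_by_expected_loss(SAMPLE_RISKS):
        print(f"{r.name:40s} expected loss {r.expected_loss:>10,.0f}")
    chosen, left = select_mitigations(SAMPLE_RISKS, budget=50_000)
    print("Funded:", [r.name for r in chosen], "budget left:", left)
    print("Residual expected loss:", round(residual_risk(SAMPLE_RISKS, chosen)))
```

Note that the two highest-loss risks are not both funded with a 50,000 budget: the backup control is expensive relative to the risk it removes, so the greedy rule defers it and a reviewer would have to decide whether that is acceptable or whether the budget itself is the problem, which is exactly the question the governing body should be asked.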
The governing body ultimately bears the responsibility for enterprise risk management, but they are not involved in day-to-day activities. This is where governance comes in. The council or board should establish policies, while top executives should ensure that risk mitigation is handled with due care. The best way to demonstrate due care is by having policies and procedures in place to support informed, risk-based decision-making. In addition, organizations should have a cyber risk framework to document their decisions.
The cyber risk framework should guarantee that executive management and the board or council are informed of cyber risks, allowing them to take appropriate measures. Cyber risk is, ultimately, a business risk. If a cyber incident occurs and impairs the organization's ability to function, provide services, or pursue its mission, it can have a significant impact. Unfortunately, too many top leaders today shirk their responsibility and delegate cyber risk management to IT staff. This approach is akin to putting the organization on autopilot and hoping for the best. It's like falling asleep at the wheel and then wondering why an accident happened.
Even with management fully engaged, a cyber incident remains likely. In the field of cybersecurity, it is commonly said that it is not a question of if a cyber incident will occur but when, and how its impact can be minimized. Gary Brantley, the CIO of the City of Atlanta, emphasized that "It’s less about the attack for me, and more about your ability to respond when it happens." Consequently, organizations must prioritize not only prevention but also their response to a cyber incident.
While protecting against cyber incidents is crucial, it is also vital to prioritize the ability to detect, respond, and recover from them. Since governing bodies may not have expertise in cyber risk management, they can implement policies and adopt a framework that focuses on both prevention and response to cyber incidents. Such policies and frameworks can ensure that the organization is prepared to respond to cyber incidents in a timely and effective manner.
The adoption of the National Institute of Standards and Technology (NIST) Cybersecurity Framework is recommended by the federal government for local governments and critical infrastructure organizations. Through the NIST Cybersecurity Framework's five pillars - identify, protect, detect, respond, and recover - top leaders can gain a better understanding of the risks and assess critical capabilities.
The first step, "Identify," is crucial in the NIST Cybersecurity Framework. It is imperative to know what you have in order to protect it. This includes all data, hardware, software, and services. Without a complete inventory, you cannot adequately protect or recover your assets. Therefore, it is important to maintain a comprehensive inventory to ensure complete coverage.
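One practical way to check the "complete coverage" the Identify step calls for is to reconcile the authoritative inventory against what is actually observed on the network. The script below is an added example, not the author's or NIST's code: it loads a small constructed inventory, compares it with a constructed list of observed hostnames (as a discovery scan or DHCP lease export might produce), and reports untracked hosts, inventoried hosts that were not seen, and important assets with no backup policy, since an asset you cannot name is one you can neither protect nor recover.

```python
"""Inventory coverage check (added example, constructed sample data)."""
import csv
import io
from dataclasses import dataclass

# Constructed authoritative inventory, as a CSV export of an asset register.
INVENTORY_CSV = """hostname,owner,criticality,backup_policy
fs01,finance,high,nightly
web01,it,high,nightly
hr-laptop-07,hr,medium,none
print02,facilities,low,none
"""

# Constructed "observed hosts" list; case differs on purpose, as real exports do.
OBSERVED_HOSTS = ["fs01", "web01", "HR-Laptop-07", "dev-box-3", "camera-lobby"]


@dataclass
class Coverage:
    tracked: list     # observed and inventoried
    untracked: list   # observed but absent from the inventory
    not_seen: list    # inventoried but not observed (retired? offline? mis-scoped scan?)
    no_backup: list   # inventoried high/medium assets with no backup policy

    @property
    def ratio(self) -> float:
        # Share of observed hosts the inventory knows about.
        seen = len(self.tracked) + len(self.untracked)
        return len(self.tracked) / seen if seen else 1.0


def load_inventory(text):
    """Parse the CSV into {hostname (lower-cased): row}."""
    return {row["hostname"].strip().lower(): row
            for row in csv.DictReader(io.StringIO(text))}


def reconcile(inventory_text, observed):
    inv = load_inventory(inventory_text)
    inv_names = set(inv)
    seen = {h.strip().lower() for h in observed}
    tracked = sorted(seen & inv_names)
    untracked = sorted(seen - inv_names)
    not_seen = sorted(inv_names - seen)
    no_backup = sorted(h for h, row in inv.items()
                       if row["criticality"] in ("high", "medium")
                       and row["backup_policy"] == "none")
    return Coverage(tracked, untracked, not_seen, no_backup)


if __name__ == "__main__":
    cov = reconcile(INVENTORY_CSV, OBSERVED_HOSTS)
    print(f"coverage: {cov.ratio:.0%}")
    print("untracked (investigate):", cov.untracked)
    print("inventoried but not seen:", cov.not_seen)
    print("important assets with no backup policy:", cov.no_backup)
```

Run against real data, the untracked list is the action item: each entry is either a device that needs to be added to the inventory and brought under policy, or something that should not be on the network at all.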
Protection is necessary but not sufficient. While we have to assume that we will have a cyber event, we still need to do everything we can to protect our systems and avoid incidents. This includes implementing appropriate safeguards, such as firewalls and antivirus software, as well as enforcing strong access controls and employee training. However, we also need to acknowledge that even the best protections can fail, and we need to be prepared to detect and respond to incidents when they do occur.
It is crucial to be able to detect intruders in our systems, considering that we will eventually experience a cyber incident. On average, threat actors remain undetected in a system for over 180 days. During this time, they can learn everything about the environment, exfiltrate data, and encrypt systems for ransom. Detecting them as early as possible helps limit the potential damage and reduce the cost of recovery.
When threat actors are discovered in your system, it is essential to respond promptly and effectively by containing any malware and cutting off their access. A quick and appropriate response will help to limit potential damage and minimize the cost of recovery.
To ensure business continuity, it is crucial to have a robust recovery plan in place. In the event that a full ransomware attack affects all systems, despite the best protection and response efforts, having reliable backups and the ability to recover systems in the correct order with minimal data loss is essential.
More on the NIST Cybersecurity Framework