Not all assets and data are created equal – the critical first step in risk management

Today’s accelerated digital world is exposed to expanding threat vectors however, protecting everything equally is not an option.

A crucial question that must be answered at the start of planning any effective cyber security strategy is: ‘What exactly do we value and need to keep secure?’

Rising threat landscape vs organisational preparedness

Data breaches big and small have risen to an all time high due to technological shifts driven by new ways of working and the adoption of cloud technologies. According to a recent study, the average cost of a data breach has now reached $4.24 million in comparison to $3.86 million in the previous year.

The recent Gartner Board of Directors Survey found that cyber security related risk was rated as the second-highest source of risk for the enterprise, following regulatory compliance risk. However, relatively few directors felt confident that their company was properly secured against a cyber attack.

This observation was echoed during ITC Secure’s annual Cyber Summit earlier this year, where 20% of global leaders in attendance admitted that their organisation lacked the ability to prepare for, respond to and recover from cyber attacks today.

The challenge is that while most organisations recognise the severity of the issue, cyber security is often treated as just a technical problem. Furthermore, these defences are often only designed to protect the traditional ‘network perimeter’ of business operations and are applied disjointedly across different parts of the organisation as point-in-time ‘fixes.’

Not all assets and data are created equal

In any given organisation, some of the data, systems and applications are more critical than others.

Therefore, cyber security strategies must be viewed with a combined business and technical lens that identifies and (very importantly) prioritises the protection of critical assets and data that are essential to overall business operations.

Without understanding and prioritising assets and data, an organisation will struggle to deploy resources effectively to reduce cyber security risk. Meanwhile, these risks will keep adding up, resulting in challenges for boards and business leaders to truly evaluate the security effectiveness of the business, or assess whether additional investments in cyber security are achieving the desired business objective and outcome.

Critical assets and sensitivity levels can also vary widely across sectors. For example, in the healthcare industry, patient data is a more valuable asset because information about a person (be it old or new) cannot be changed as it is intrinsically linked to the individual; this is in comparison to a credit card number which can be reissued or will eventually expire. On the other hand, the finance industry will require more sophisticated security controls for commercial transactions and M&A data vs. publicly available information such as marketing material.

Prioritisation is a risk management priority: four questions to consider

The key measure of cyber resilience is the protection of the organisation’s most valuable assets. At ITC Secure as we always say to our customers, the crucial first step in managing cyber risk is to understand any potential cyber security impact to the business, and then to have a plan to reduce the risk associated with it.

To do this, security leaders can start by asking four key questions:

  1. Do we have a consistent and accurate definition of risk appetite for the organisation as a whole?

In conjunction with the leadership team, it is important to first establish the organisation’s risk appetite prior to risk identification. The risk appetite will vary according to asset value and what loss can be accepted. This will help decide where necessary efforts should focus on first.

  1. Have we identified our most valuable assets and the type of business impacts relevant to our organisation?

Working with asset owners, mission or business critical assets need to be identified. This often requires a discovery exercise to identify the types of impacts that relate to assets from either a qualitative or quantitative perspective.

  1. Do we know what the residual and current risks of our most valuable assets are?

Once the assets and impacts have been identified, internal and external subject matter experts should then assess the threats that those assets are exposed to, considering the likelihood of occurrence and potential impact. This includes regulatory, reputational, operational, and financial impact.

  1. How will we communicate cyber security and risk management to senior management?

The success of any cyber security and risk management programme will depend on how much buy-in from senior leadership is received. To make sure that cyber risk achieves the attention that it deserves, cyber security needs to be communicated in the right way, at the right level, and aligned to organisational priorities. To ensure buy-in from senior leadership, risks need to be clearly communicated in business language outlining what will be the loss even if the risk is materialised together with realistic and pragmatic recommendations.

Prioritising business assets and data is the crucial first step in building a holistic approach to today’s cyber security challenges – making cyber resilience a competitive advantage.

Answering these initial questions will go a long way in enabling an organisation to prioritise its cyber investment against the most relevant threats. And as a result, set the right cyber security foundations to achieve a balance between effective resilience and efficient operations.