Practical steps for protection through proper cyber risk identification

Like smart detectives and effective auditors, good cyber security professionals start by asking the right questions about cyber risk. It’s the best way to know what needs protecting and how. This blog takes you through the basic steps to find out what’s important for your organisation and to see where you need to plug security holes. You’ll also discover the importance of diversity in getting a comprehensive view of cyber risks affecting your organisation, thus helping avoid security blind spots. This applies to how you select the members of your cybersecurity team and to your sources of threat intelligence.

Cyber risk identification is the starting point

As the saying goes, if you don’t know where you’re going, any path will take you there. Conversely, if you have a clear goal in mind, like ongoing, cost-effective cybersecurity that optimises protection for your enterprise, your choice of path and starting point will be of primary importance.

Protection priorities

The first step is to know what needs to be protected and what the priorities of that protection are. Your organisation may have or use many cyber assets, including data, applications, systems, networks, and edge devices. You can often determine priorities by asking questions about the ownership and the criticality of each asset if something were to happen to it.

• Does the asset, like data stored by your organisation, belong to your organisation? Are applications like cloud apps accessed by your users the property of your organisation?
• What would the consequences be if an asset were accessed by an unauthorised entity, for example, causing a data breach or illicit use of network resources?
• What impact would damage to an asset have, such as corruption of data or disruption of applications?
• What effect on your organisation would unavailability of the asset have, like data encrypted by ransomware or systems overwhelmed by denial-of-service attacks?

Remember also that while some damage may be malicious, other losses may come from inherent asset failure, unintentional user actions, or disasters like fire or flooding.

Identifying vulnerabilities

The next step is to understand how damage or degradation to your cyber assets could occur, i.e., the cyber-vulnerabilities of your organisation. As for the protection priorities above, lateral thinking may be needed to ensure you identify all the key weaknesses for your assets. A team with a good mix of experience and diverse backgrounds can be highly effective in helping you cover all the bases. For example:

• Password security for applications may be a vulnerability if users are defining weak passwords (“1234”, “secret”, and “password” being notable examples).
• Legacy applications may be at risk because upgrades are few and far between, allowing security holes to linger.
• Employees with a grudge may damage systems, while those leaving to work elsewhere may try to take confidential data with them.
• Third parties whose systems interconnect with yours may allow hackers and attackers a way into your cyber assets.

And the list goes on… Always consider that there will be some threat or vulnerability that you haven’t thought of yet. Businesses and the business environment evolve constantly, and so must your cybersecurity.

Leveraging threat intelligence

Finally, to keep up with everchanging situations, make the most of threat intelligence from solution providers like Microsoft, as well as from your business sector and government sources. Microsoft collects data from multiple sources including the Microsoft Security Response Centre (MSRC), the Microsoft Digital Crimes Unit (DCU), Azure, Microsoft 365, and other Microsoft applications. This data is then used to in Microsoft solutions to help customers be aware of and better protected from different cyber vulnerabilities. Other tools which can help evaluate the effectiveness of Security controls which the organization may have implemented is Azure Secure Score in the Azure Security Centre and Microsoft Secure Score.

In the second episode of our series, we discuss how to improve confidence in your organisations’ Risk Identification strategy across People, Processes and Technology. We’re excited to be joined by Samantha McLeod of The Security Collective who shares her practical insights on cyber risk identification that you can start leveraging today.