Risk factors are internal or external threats to an organization's security posture; left unmonitored or mishandled, they become risks to the organization.
Vulnerabilities can be exploited by attackers, resulting in loss of data integrity and in data loss, theft, or destruction.
Minimize risk by: patching to remediate known vulnerabilities, scanning for vulnerabilities and malware, and monitoring aging infrastructure (end-of-life systems that no longer receive security updates).
Properly identifying the threat landscape is critical to determining risk. It should account for cyber threats, insider threats, brand and reputation threats, domain-based threats (for example, lookalike domains used for phishing), and third-party threats.
Minimize risk: For insider threats, enforce separation of duties so that no single employee holds privileges over too many business processes; reduce the incentive for disgruntlement with good benefits, fair pay, and reasonable working hours; and train employees both for their role and in organizational security.
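Separation of duties is only enforceable if someone actually checks the role assignments. The following is an added example, not code from the original page: it takes a hypothetical role-to-user export (constructed sample data) and a constructed list of "toxic" role pairs, and reports every user who holds both halves of a pair, plus users whose role breadth exceeds a threshold. The role names, users and conflict pairs are assumptions for illustration.

```python
"""Separation-of-duties (SoD) conflict check over a role assignment.

Added example, not from the original page. Users, roles and the conflict
matrix below are constructed for illustration.
"""
from itertools import combinations

# Hypothetical role-to-user assignment, as an IAM or HR export might provide it.
ASSIGNMENTS = {
    "alice": {"vendor_create", "invoice_approve"},
    "bob": {"vendor_create"},
    "carol": {"payment_release", "invoice_approve", "bank_reconcile"},
    "dave": {"backup_operator"},
}

# Constructed toxic combinations: holding both roles lets one person push a
# fraudulent payment through end to end without a second pair of eyes.
CONFLICTS = {
    frozenset({"vendor_create", "invoice_approve"}),
    frozenset({"invoice_approve", "payment_release"}),
    frozenset({"payment_release", "bank_reconcile"}),
}


def find_sod_violations(assignments, conflicts):
    """Return {user: [sorted (role, role) pairs]} for every user holding a toxic pair.

    Every 2-combination of the user's roles is compared against the conflict
    set, so a user with several toxic pairs is reported once per pair.
    """
    violations = {}
    for user, roles in assignments.items():
        hits = [
            tuple(sorted(pair))
            for pair in map(frozenset, combinations(sorted(roles), 2))
            if pair in conflicts
        ]
        if hits:
            violations[user] = sorted(hits)
    return violations


def over_privileged_users(assignments, limit):
    """Users whose number of distinct business-process roles exceeds `limit`.

    A coarse 'too many business processes' check that catches breadth even
    when no explicit conflict pair has been defined yet.
    """
    return sorted(user for user, roles in assignments.items() if len(roles) > limit)


if __name__ == "__main__":
    for user, pairs in find_sod_violations(ASSIGNMENTS, CONFLICTS).items():
        for a, b in pairs:
            print(f"SoD violation: {user} holds both {a} and {b}")
    for user in over_privileged_users(ASSIGNMENTS, 2):
        print(f"Review: {user} holds more than 2 business-process roles")
```

Run this against a real export on a schedule; the conflict set is the part that needs business-owner input, since only they know which role pairs complete a process end to end.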
Brand threats: if an incident occurs, customers may be exposed, business may be lost, and profits may fall. A plan should therefore be in place for incidents and disasters.
3. Policy and Plans
Proper policies must be in place to account for these threats and to hold personnel accountable for taking the necessary steps and precautions. A disaster recovery plan (DRP) should be in place for disasters, and an incident response (IR) plan for security incidents.
Minimize risk by: getting managerial and executive buy-in, routinely testing plans (for example, through tabletop exercises), and keeping policies updated.
Endpoints that store data pose a significant risk to the company if a device is stolen or lost.
Minimize risk by: encrypting hard drives (full-disk encryption), deploying software that can remotely wipe devices, tracking devices, managing and accounting for hardware inventory, and properly destroying or sanitizing hardware at end of life.
Holding more data than necessary, and not analyzing the data held for risk, is itself a danger to the business. If that data is compromised, specifically PII or PHI, there can be legal ramifications under local, state, or federal law.
Minimize risk by: following the proper protocols for the data stored on the network, managing endpoints and inventory appropriately, and minimizing vulnerabilities.
An organization can perform a cybersecurity risk assessment to identify its cybersecurity risks. Once the risks have been identified, the organization must decide how to treat each one: avoid it, accept it, mitigate (control) it, monitor it, or transfer it (for example, through cyber insurance).