February 2024


Building a Practical Cyber Security Risk Awareness Strategy

Nick Denning, CEO of IT consultancy Diegesis and veteran of multiple public sector IT transformation projects shares his thoughts with GPSJ on what makes a successful risk awareness strategy

Risk management involves identifying, assessing, mitigating, and planning for potential events that could impact a business. This article explores risk management in practice and the priorities for a successful cyber risk awareness strategy.

It emphasizes the dynamic nature of cyber risks and the need for constant vigilance to mitigate risks.

Risk Management in practice

A practical example of risk management is pouring concrete for building foundations. If more rain falls within 24 hours the foundations may be ruined. After identifying the risk, we need to assess the likelihood and impact including costs and delays.

Mitigation activities might include:

  1. Pay for advanced weather forecasting.
  2. Cost of a protective trench for effective drainage.
  3. Obtain insurance costs/lead times.

Contingency planning might identify the cost and resources needed to dig out the foundations and have them ready for a re-pour. This is practical risk management based on an informed decision to deliver the best outcomes for the project.

The difference between Operational and Project Risk

Operational risks are those which affect an organisation carrying out its regular business. Frequency risks are expected to occur on a regular basis and can be predicted. Catastrophe risks are unexpected and might happen only once every 20 years.

Project risks relate to a plan for a particular outcome: external risks might be a new competitor, while delivery risks might be completing the tasks on time, within budget and to the specification.  A Monte Carlo simulation can predict the aggregated risk across all tasks in the project and show which mitigation and contingency tasks may reduce the overall cost.

Cyber Security Risk is an Operational Risk issue

Cyber security risk is an operational risk issue and applicable to projects. Any technology being used or delivered by a project must be designed with security in mind and comply with standards.

An organisation’s defence needs to be balanced so that a major investment in one area is not circumvented by weaknesses in other areas. It also needs commitment at a senior/board level to ensure it is taken seriously across the organisation.

Cyber Security Risk Awareness Strategy

There are significant differences in cyber risks. In traditional risk management, risks tend to change slowly over time. In the cyber world the landscape is far more dynamic.

Data stored by an organisation or department is attractive to criminals. New technology can introduce fresh vulnerabilities to the data. This necessitates a rigorous approach to cyber risk assessment. Potentially every change, patch or upgrade needs to be risk assessed and authorised by the organisation ideally via a Change Advisory Board.

A cyber risk management strategy should acknowledge that some attacks will be successful.  Creating multiple layers of protection with monitoring and alerts can detect a successful attack on one layer to enact contingency plans, defeating the overall attack before the next layer is penetrated.

Effective Risk Awareness

We need to ensure that cyber security risk is constantly in people’s minds and that they are regularly reminded how to recognise threats.

An effective cyber risk awareness strategy needs to include:

  1. Onboarding training including topics in the organisation’s security policy in sections by job function.
  2. Regular exercises to verify staff have understood training and follow policies, with reminders of the consequences.
  3. These exercises need to be interesting and made relevant to each individual.
  4. Re-assessments to the probability/size of impacts need to be communicated when there is a heightened risk level.
  5. Engage everyone to report attacks or near misses to update the threat level and to enable immediate action.
  6. Staff must understand it’s their obligation to report suspected attacks without blame.

The biggest risk is complacency in staff not appreciating the probability of a risk affecting them.

Characteristics of poor risk awareness

The tell-tale signs of a poor risk awareness strategy include:

  • A policy ignored, creating false security
  • No method of detecting attacks
  • No way of disseminating information
  • No effective security officer responding and taking action.
  • No support systems
  • No security assessment process as part of procurement
  • Poor unrefreshed training
  • No testing of users on their training.

Priorities for a Successful Risk Awareness Strategy

The Director of Security must be able to monitor and audit policy compliance and take action if required.

To increase protection, create a ‘White List’ of approved software products/apps. Any other software must be removed. To tackle compliance challenges, use Vulnerability Assessment tools to detect and remove or disable software that is non-compliant, outdated or containing new vulnerabilities.

Deploy a system administration tool enabling administrators to remove the unauthorised software remotely. Taking concrete action makes it evident to employees that failure to follow the policies is unacceptable and that a technology solution will be monitoring and maintaining a secure environment.

For more information please visit: Diegesis Limited

Leave a Reply

You can use these HTML tags

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>




This site uses Akismet to reduce spam. Learn how your comment data is processed.