{"id":7303,"date":"2023-08-03T12:50:36","date_gmt":"2023-08-03T11:50:36","guid":{"rendered":"https:\/\/www.gpsj.co.uk\/?p=7303"},"modified":"2023-08-03T12:50:48","modified_gmt":"2023-08-03T11:50:48","slug":"building-a-practical-cyber-security-risk-awareness-strategy","status":"publish","type":"post","link":"https:\/\/www.gpsj.co.uk\/?p=7303","title":{"rendered":"Building a Practical Cyber Security Risk Awareness Strategy"},"content":{"rendered":"

Nick Denning, CEO of IT consultancy Diegesis and veteran of multiple public sector IT transformation projects shares his thoughts with GPSJ on what makes a successful risk awareness strategy<\/em><\/strong><\/p>\n

Risk management involves identifying, assessing, mitigating, and planning for potential events that could impact a business. This article explores risk management in practice and the priorities for a successful cyber risk awareness strategy.<\/p>\n

It emphasizes the dynamic nature of cyber risks and the need for constant vigilance to mitigate risks.<\/p>\n

Risk Management in practice<\/strong><\/p>\n

A practical example of risk management is pouring concrete for building foundations. If more rain falls within 24 hours the foundations may be ruined. After identifying the risk, we need to assess the likelihood and impact including costs and delays.<\/p>\n

Mitigation activities might include:<\/p>\n

    \n
  1. Pay for advanced weather forecasting.<\/li>\n
  2. Cost of a protective trench for effective drainage.<\/li>\n
  3. Obtain insurance costs\/lead times.<\/li>\n<\/ol>\n

    Contingency planning might identify the cost and resources needed to dig out the foundations and have them ready for a re-pour. This is practical risk management based on an informed decision to deliver the best outcomes for the project.<\/p>\n

    The difference between Operational and Project Risk<\/strong><\/p>\n

    Operational risks are those which affect an organisation carrying out its regular business. Frequency risks are expected to occur on a regular basis and can be predicted.\u00a0Catastrophe risks are unexpected and might happen only once every 20 years.<\/p>\n

    Project risks relate to a plan for a particular outcome: external risks might be a new competitor, while delivery risks might be completing the tasks on time, within budget and to the specification.\u00a0 A Monte Carlo simulation can predict the aggregated risk across all tasks in the project and show which mitigation and contingency tasks may reduce the overall cost.<\/p>\n

    Cyber Security Risk is an Operational Risk issue<\/strong><\/p>\n

    Cyber security risk is an operational risk issue and applicable to projects. Any technology being used or delivered by a project must be designed with security in mind and comply with standards.<\/p>\n

    An organisation\u2019s defence needs to be balanced so that a major investment in one area is not circumvented by weaknesses in other areas. It also needs commitment at a senior\/board level to ensure it is taken seriously across the organisation.<\/p>\n

    Cyber Security Risk Awareness Strategy <\/strong><\/p>\n

    There are significant differences in cyber risks. In traditional risk management, risks tend to change slowly over time. In the cyber world the landscape is far more dynamic.\"\"<\/a><\/p>\n

    Data stored by an organisation or department is attractive to criminals. New technology can introduce fresh vulnerabilities to the data. This necessitates a rigorous approach to cyber risk assessment. Potentially every change, patch or upgrade needs to be risk assessed and authorised by the organisation ideally via a Change Advisory Board.<\/p>\n

    A cyber risk management strategy should acknowledge that some attacks will be successful.\u00a0 Creating multiple layers of protection with monitoring and alerts can detect a successful attack on one layer to enact contingency plans, defeating the overall attack before the next layer is penetrated.<\/p>\n

    Effective Risk Awareness<\/strong><\/p>\n

    We need to ensure that cyber security risk is constantly in people\u2019s minds and that they are regularly reminded how to recognise threats.<\/p>\n

    An effective cyber risk awareness strategy needs to include:<\/strong><\/p>\n

      \n
    1. Onboarding training including topics in the organisation\u2019s security policy in sections by job function.<\/li>\n
    2. Regular exercises to verify staff have understood training and follow policies, with reminders of the consequences.<\/li>\n
    3. These exercises need to be interesting and made relevant to each individual.<\/li>\n
    4. Re-assessments to the probability\/size of impacts need to be communicated when there is a heightened risk level.<\/li>\n
    5. Engage everyone to report attacks or near misses to update the threat level and to enable immediate action.<\/li>\n
    6. Staff must understand it\u2019s their obligation to report suspected attacks without blame.<\/li>\n<\/ol>\n

      The biggest risk is complacency in staff not appreciating the probability of a risk affecting them.<\/p>\n

      Characteristics of poor risk awareness <\/strong><\/p>\n

      The tell-tale signs of a poor risk awareness strategy include:<\/p>\n