How cybersecurity teams use Risk Quantification to remain vigilant in a post-pandemic digital world

As soon as the severity of the COVID-19 outbreak was recognised by world leaders, a widescale shift to remote working for many office workers rapidly increased the pressure on cybersecurity teams.

Before entering this “new normal” in 2020, most cybersecurity teams were used to guarding an organisation’s infrastructure, analysing weaknesses, and locking down IT assets to seal any gaps. Pinning down which IT assets are critical is the priority for these teams, and determining which threats sit ‘inside’ and which ‘outside’ the organisation is an ongoing challenge.

However, following the sudden transition to remote working and distance learning, and the far greater dependency on digital solutions, the risk landscape has grown exponentially. With a surge in the number of people joining virtual meetings from home, the cyber risk posture has shifted: threat actors are now targeting video conferencing calls and VPN traffic. The number of spear-phishing scams is also on the rise, as employees are more likely to fall for seemingly legitimate emails from bad actors intent on penetrating the organisation and stealing information and assets.

The threat to an organisation’s processes, people and technologies has certainly intensified, which has made it all the more important for companies to be on high alert. But how can cybersecurity teams remain vigilant in these challenging times?

Importance of quantifying risk

Remediation comes in many forms: restricting access, tightening configurations to recommended security settings, or separating networks to sequester sensitive information. However, cybersecurity teams must be able to understand which remediations to prioritise, and where to apply often scarce resources so that closing gaps actually lowers risk.

A fast-emerging best practice in IT, security and cyber programmes is risk quantification. This practice involves creating an operating risk score that can draw on multiple factors: the business processes at stake, current and possible future events, network use and user behaviours, and the characteristics of the data involved.

Once the scoring is established, cybersecurity teams can continue to adjust and fine-tune the algorithms producing the scores, so that, ideally, the score gives a forward-looking view that reflects changes in the external environment, business processes and technologies.

Strive for a 360 view

It is essential that operational risk, resilience, and cybersecurity teams are on the same page and have a top-down, bottom-up 360 view of risk to recommend the best mitigation investments. Striving towards a common risk score is important to ensure teams are aligned in their techniques and methods.

A top-down view takes information from the business with a focus on finances, rather than just the recovery time objective (RTO), the time it takes to return to operations, or the recovery point objective (RPO). RPOs and RTOs are usually used to measure resilience through business impact assessments (BIAs), and on their own they are insufficient for risk quantification.

Cybersecurity teams can work closely with the operational and resilience teams to look at the inherent and residual risk within a high priority business process. For instance, operational risk teams understand concepts such as annual loss expectancy and can place a value on the criticality of a process with a real fiscal cost.

A bottom-up perspective requires security and cyber teams to map threats and vulnerabilities to the assets that support critical business processes. Their aim is to estimate the real cost of mitigating those vulnerabilities, which can include actions such as strengthening access controls, patching software, replacing an unsupported application, outsourcing applications to a third party operating in the cloud, and much more. Taken alone, however, this view offers only limited options for deciding where to invest.

It is only by merging the risk score from the top-down view with the bottom-up perspective that cyber teams can assess one mitigation strategy, or a combination of them, for an optimal defence in depth, while understanding the investment required to deliver that mitigation.
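The following is an added worked example, not code from the original article or from MetricStream, of what merging the two views looks like in practice. The top-down inputs (single loss expectancy from the BIA and an annual rate of occurrence) give the inherent annual loss expectancy the operational risk team would recognise; the bottom-up inputs (the annual cost of each remediation and the share of loss events it removes) come from the security team. All figures, the process name and the mitigation names are constructed, and the "independent reductions" rule for combining controls is an explicit modelling assumption.

```python
"""Worked example: merging a top-down loss estimate with bottom-up mitigation costs.

All figures below are constructed for illustration; they are not data from any
real organisation. Added example, not the article's or MetricStream's code.
"""
from dataclasses import dataclass, field
from itertools import combinations
from typing import List, Sequence, Tuple


@dataclass(frozen=True)
class Mitigation:
    """A bottom-up remediation option for the assets behind a business process."""
    name: str
    annual_cost: float   # estimated yearly cost of the control (people, licences, outsourcing)
    reduction: float     # fraction of loss-event frequency the control removes, in [0, 1]


@dataclass
class ProcessRisk:
    """Top-down inputs supplied by the operational risk / resilience team."""
    process: str
    single_loss_expectancy: float      # fiscal cost of one loss event (from the BIA)
    annual_rate_of_occurrence: float   # expected loss events per year
    mitigations: List[Mitigation] = field(default_factory=list)

    def inherent_ale(self) -> float:
        """Annual loss expectancy with no controls applied: ALE = SLE x ARO."""
        return self.single_loss_expectancy * self.annual_rate_of_occurrence


def residual_ale(risk: ProcessRisk, chosen: Sequence[Mitigation]) -> float:
    """ALE remaining after the chosen controls are applied.

    Assumption: reductions are independent, so the surviving loss-event frequency
    is the product of (1 - reduction) over the chosen controls. Overlapping
    controls (two that block the same path) would need a correlation term.
    """
    factor = 1.0
    for m in chosen:
        if not 0.0 <= m.reduction <= 1.0:
            raise ValueError(f"{m.name}: reduction must lie in [0, 1]")
        factor *= 1.0 - m.reduction
    return risk.inherent_ale() * factor


def control_cost(chosen: Sequence[Mitigation]) -> float:
    """Total yearly spend for a set of controls (the bottom-up figure)."""
    return sum(m.annual_cost for m in chosen)


def return_on_security_investment(risk: ProcessRisk, chosen: Sequence[Mitigation]) -> float:
    """ROSI = (ALE reduction - control cost) / control cost."""
    cost = control_cost(chosen)
    if cost == 0:
        raise ValueError("ROSI is undefined for a zero-cost control set")
    saved = risk.inherent_ale() - residual_ale(risk, chosen)
    return (saved - cost) / cost


def best_combination(risk: ProcessRisk, budget: float) -> Tuple[Tuple[Mitigation, ...], float]:
    """Choose the subset of mitigations, within budget, that minimises
    residual ALE + control cost (the total cost of carrying the risk).

    Exhaustive search is fine for the handful of options one process usually has.
    """
    best: Tuple[Mitigation, ...] = ()
    best_total = risk.inherent_ale()          # doing nothing costs the full inherent ALE
    for k in range(1, len(risk.mitigations) + 1):
        for subset in combinations(risk.mitigations, k):
            cost = control_cost(subset)
            if cost > budget:
                continue
            total = residual_ale(risk, subset) + cost
            if total < best_total:
                best, best_total = subset, total
    return best, best_total


# Constructed sample input: one high-priority process and three candidate remediations.
PAYMENT_CLEARING = ProcessRisk(
    process="card payment clearing",
    single_loss_expectancy=2_000_000.0,   # constructed: cost of one loss event
    annual_rate_of_occurrence=0.25,       # constructed: one event every four years
    mitigations=[
        Mitigation("patch VPN concentrators", annual_cost=40_000.0, reduction=0.30),
        Mitigation("enforce MFA on remote access", annual_cost=60_000.0, reduction=0.50),
        Mitigation("segment clearing network", annual_cost=150_000.0, reduction=0.40),
    ],
)

if __name__ == "__main__":
    risk = PAYMENT_CLEARING
    print(f"inherent ALE: {risk.inherent_ale():,.0f}")
    for m in risk.mitigations:
        print(f"{m.name:32s} residual ALE {residual_ale(risk, [m]):>10,.0f}  "
              f"ROSI {return_on_security_investment(risk, [m]):.2f}")
    chosen, total = best_combination(risk, budget=120_000.0)
    print("best within budget:", [m.name for m in chosen], f"total cost of risk {total:,.0f}")
```

With these constructed figures the inherent ALE is 500,000; MFA alone leaves a residual ALE of 250,000 for a 60,000 spend, and the cheapest way to minimise residual loss plus control cost under a 120,000 budget is patching plus MFA, which is also the optimum with no budget cap, because adding segmentation buys less loss reduction than it costs. That is the kind of comparison the merged score is meant to support: a forward-looking loss figure set against the investment needed to reduce it.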

In conclusion

By using risk quantification and having a 360 view, organisations can improve their insight, agility, and speed in achieving remediation. With scores in hand, cybersecurity teams can compare a forward-looking risk with the economic investment needed to mitigate its financial impact, and efforts can then be prioritised according to the risk quantification score and the monetary magnitude of the impact.

As our digital world and cyber programmes continue to develop and evolve throughout the pandemic and beyond, our security and cyber teams need to remain vigilant and continue to carefully deploy and refine risk quantification methods as a scalable discipline to ensure they continue to invest in the correct areas.

Yo McDonald, Vice President, GRC Solutions, MetricStream, Inc.