Adopting A Cyber Risk Management System
By: Ron Frechette, The Cyber Coach
This month we will focus on adopting a cyber risk management system to identify vulnerabilities (also called gaps) within each of the four threat vectors that surround our digital footprints. Having a cyber risk management system in place is vital to reducing the risk of malware infections and cyber-attacks. This is where the rubber meets the road, so get ready for some detailed guidance.
As a recap, there are four threat vectors around the security perimeter of every digital footprint:
- People – Spouses, children, and business colleagues: whether they are aware that these vulnerabilities exist, and how they behave and respond when confronted by a phishing email.
- Processes – Formal policies and procedures, built on best-practice guidelines, that reduce the likelihood and impact of cyber-attacks.
- Facilities – Physical controls. Do you have locks on the areas of your home or business where sensitive information can be accessed?
- Technologies – Ensuring that the networks and applications you use have been properly vetted and provide an acceptable level of security. No product can guarantee security; the goal is a level of risk you are willing to accept.
In the diagram, the white space between each threat vector represents the potential gaps through which cyber criminals can inject malware or gain access to our sensitive data.
DREAMSECURE Cyber Risk Management System
DreamSecure is a cyber risk management system we recommend for small businesses, mainly because it is easy to understand and implement. It is based on NIST Special Publication 800-53 (Rev. 4), Security and Privacy Controls for Federal Information Systems and Organizations (since superseded by Rev. 5, which covers the same control families). The acronym DREAM spells out the five steps in the system.
- Diagnose – The first step is to diagnose our digital footprint by performing a security risk assessment of each threat vector to identify specific vulnerabilities.
- Remediate – Step 2 is to develop a remediation plan to close the gaps, prioritized by the risk each gap presents.
- Engage – Step 3 puts the remediation plan into action and engages managed security providers, if needed, to assist in closing gaps.
- Audit – Step 4 verifies that the remediation plan was executed effectively and helps us decide how to manage the residual risk that remains.
- Monitor – Step 5 moves us to continuous monitoring and detection of potential threats to our digital footprints, 24x7x365.
Don’t expect to complete all five steps overnight. Full implementation of this system typically takes anywhere from six months to two years. Once the initial risk assessment is under way, the remaining steps tend to fall into place fairly quickly. You will also find that each future assessment flows more smoothly and takes less time, and that your overall security posture strengthens year over year.
A Journey, not a Destination
It is important to remember that a risk assessment is a “point in time” assessment: it describes your exposure on the day it was performed, and the cyber threat landscape is constantly changing. As we have mentioned before, cyber criminals produce over 500,000 new threats daily. Becoming smart about keeping ourselves safe in cyberspace is a journey, not a destination. The first step is having the knowledge and a sound plan to execute. As a best practice, risk assessments should be repeated annually, and sooner after any major infrastructure change (a new network, a cloud migration, a new line-of-business application). Ultimately, we would like to see all the gaps in our digital footprints closed.
It is not a matter of if, but when and how often, we will be confronted by cyber criminals attempting to wreak havoc on our personal and professional lives. Now more than ever, it is important that we adopt a cyber risk management system we can rely on to thwart potential cyber-attacks. Wishing you all a safe journey in cyberspace!
Questions? Send me a tweet @GoldskyRon.