Until recently, most cybersecurity efforts focused on prevention, and this created the anti-malware software, firewall and perimeter defense industries. But the fact of the matter is that cyber-attackers are going to fly right past your perimeter defense and get into your network via port 80 or 110, firewall ports that are open on every network for email and web browsing. Our recommendation is to start managing the consequences of the inevitable security breach. One way to accomplish this is by using the Risk Equation:

Risk = Threat x Vulnerability x Cost

Threats are the intentions or actions of malicious actors against your network. A threat, by definition, is an external factor.
Vulnerability is a condition that exists on your network that would provide an attack surface for a malicious actor. A vulnerability is a condition that is internal to your network. When a threat successfully meets a vulnerability, you end up with a breach.
Cost, or the consequences of a breach, is the damage that is caused to your organization. These costs can include hard costs such as damage to hardware or software, IT staff time, and resources spent on remediation, as well as lost business due to network downtime. These costs are usually monetary. Then there are soft or non-monetary costs, which can include loss of use, damage to your business reputation, decreased customer or public confidence, and loss of business opportunities.
The first step is to identify your assets and engage in a vulnerability assessment of those assets. You may want to contract with an outside cybersecurity firm for this part.
Putting values to these factors will require looking at issues like the likelihood that an attacker would target your business, the value of network assets and stored data, and the weaknesses you discovered the last time your company ran a vulnerability assessment. Then take those results and add the known and anticipated threats to find your results for the Risk Equation. A value of zero in any of the three categories will result in zero risk, because in mathematics anything that is multiplied by zero equals zero.
The results you get from your risk assessment should help you prioritize where you spend your money and resources first. Going through this exercise will not be easy, especially the last part, but it will help management focus on the most important issues first, and give you a road map to continuing improvement.
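
A sketch of the scoring and prioritization step described above, added here as an illustration and not taken from the original article. The 0-to-1 scales for threat and vulnerability, the dollar unit for cost, and every asset in the register are assumptions; the article does not prescribe a scale.

```python
"""Rank assets by Risk = Threat x Vulnerability x Cost (constructed sample data)."""
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    threat: float         # assumed scale: likelihood of being targeted, 0.0-1.0
    vulnerability: float  # assumed scale: likelihood an attack succeeds, 0.0-1.0
    cost: float           # assumed unit: hard plus soft cost of a breach, in dollars

    def risk(self) -> float:
        for label, value in (("threat", self.threat), ("vulnerability", self.vulnerability)):
            if not 0.0 <= value <= 1.0:
                raise ValueError(f"{self.name}: {label} must be between 0 and 1")
        if self.cost < 0:
            raise ValueError(f"{self.name}: cost must not be negative")
        return self.threat * self.vulnerability * self.cost


def prioritize(assets):
    """Return (ranked, zeroed): assets by descending risk, and those scored zero."""
    scored = [(a, a.risk()) for a in assets]
    ranked = sorted((s for s in scored if s[1] > 0), key=lambda s: s[1], reverse=True)
    # A zero in any factor removes the asset from the ranking entirely, so the
    # zero estimates are returned separately for a second look.
    zeroed = [a for a, r in scored if r == 0]
    return ranked, zeroed


# Constructed register; every name and number is illustrative.
REGISTER = [
    Asset("customer database", threat=0.6, vulnerability=0.5, cost=400_000),
    Asset("public web server", threat=0.9, vulnerability=0.3, cost=50_000),
    Asset("mail server", threat=0.8, vulnerability=0.4, cost=80_000),
    Asset("offline backup vault", threat=0.2, vulnerability=0.0, cost=250_000),
]

if __name__ == "__main__":
    ranked, zeroed = prioritize(REGISTER)
    total = sum(r for _, r in ranked)
    for asset, r in ranked:
        print(f"{asset.name:22} risk ${r:>10,.0f}  ({r / total:.0%} of total)")
    for asset in zeroed:
        print(f"{asset.name:22} risk $0: confirm the zero estimate")
```

With this register the customer database ranks above the more frequently targeted web server because its breach cost dominates the product, and the backup vault drops out of the ranking solely on the strength of one zero estimate.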