Capping IT Off

Capping IT Off

Opinions expressed on this blog reflect the writer’s views and not the position of the Capgemini Group

Digital Risk – Why Do We Leave the Front Door Open?

The lure of digital is significant and brings rapid customer scaling, reduced operational costs and revenue growth. Strategies and transformations are abound, however so are the stories for security breaches, hacks and cyber threats.  Digital does open up new threats, but why is the nature and the magnitude of breaches increasing? Why are companies regularly leaving the front door open? The answer lies in our (in)ability to understand risks from first principles.

Digital impacts the operating model, people, processes and technology, so a robust approach to manage risks of change is required. A crucial first step is a digital risk assessment that allows for an eyes wide open approach.

Threat, what threat?

A risk assessment serves to identify the key threats, vulnerabilities and proposed mitigation (controls) for digital change. Understanding this upfront allows relevant mitigations and controls to be embedded into operating models, processes and technology architecture to counter digital threats.

Table 1 illustrates how key features of a risk assessment should be populated, from left to right to classify threats to ultimately identify mitigations and controls.

 

Ref

Threat Vector

Impact If It Happened

I

Current Threat Level

T

Current Vulnerability

V

Overall Risk Rating (IxTxV)

Mitigation/ Control

1

External Cyber:

Data Hack

H

M

M

H

Encrypt sensitive data at rest and transit

2

Staff:

Unauthorised Data download

M

L

H

M

Prevent mass data download via Data Leakage Prevention Technology

3

Processes:

Security policy is not understood

M

H

H

M

Run annual security web training as part of compliance policy

4

IT:

Unapproved software is downloaded

M

L

L

L

Supplement blocking of downloads with an approved ‘white list’

..

..

 

 

 

 

 

Table 1 – Digital risk assessment (extract)

 

Numerous threat vectors can exist and for each one the ratings are provided based on the organisation’s risk appetite. For example impact can include quantified thresholds for financial, reputational, health and regulatory areas. Similarly, threat and vulnerability ratings can be grounded in probability ranges. An overall risk rating then serves to prioritise risks for urgent mitigation through allocation of company resources or budget.

Although external (cyber) threat vectors capture the headlines, a key threat can be internal and such lesser perceived threats may actually present high overall risk ratings for action. The advantage of a structured risk assessment is that all relevant threats are considered and rated.

Control freak

So we now have a prioritised risk to be mitigated and controlled. How do we define a suitable control to mitigate a given risk? Controls can be classified as preventative/ detective and manual/ automated as below.

Fig 1 - Controls classification matrix

 

Preventative and automated controls are favoured. We can illustrate this through the example of driving a car. Would you prefer to have a low fuel warning light in your car (preventative-automated control), or just notice that you have no fuel when you grind to a sudden halt (manual-detective control)? In practice, each threat will dictate the best type of control needed.

Doubly effective

Having identified the type of control required, the next step is to ensure that the control will be effective on two levels.

  • Design effectiveness – the control will effectively mitigate the specific digital threat and risk
  • Operating effectiveness – the control will always be effectively operating or in place

This can be extended to the car analogy. If the fuel sensor light activates only when there is 10ml of fuel remaining, then it is not an effective design, as you do not have enough fuel to reach the next fuel station. Similarly, if the fuel sensor itself has an intermittent fault, then the control is not operating effectively, as you will choose to ignore it.

You now have your risk assessment, control types and control effectiveness. The last step is implementation of controls as part of a digital or risk project. However, digital risk management is not a one off exercise, rather an ongoing activity cycle of assess, address, assure and repeat. The starting point should be an effective and comprehensive digital risk assessment.

Damage limitation exercise

Plan for the worst, but hope for the best.  Despite effective risk management, new or old threats can still materialise. The ability to effectively respond to a digital incident can drastically reduce the impact for companies, thereby minimising damage. To do so, the following strategies should be defined, practiced and be ‘good to go’:

  • Incident management processes
  • Regulatory notifications
  • Public and shareholder relations
  • Regular threat testing and updating of threat vectors

So, we leave the front door open because we don’t understand risks or how to treat them from first principles.

Now that you do understand, go and check whether your front door is open or closed.

To find out more, contact me at subhinder.dhillon@capgemini.com or leave a comment.

About the author

Subhinder Dhillon
Subhinder Dhillon

Leave a comment

Your email address will not be published. Required fields are marked *.