Bad things happen. Whether we’re dealing with our personal or professional business, life seems to always have a variety of bumps and obstacles that pop up in our path. We should anticipate that these disruptions will arise and prepare ourselves to move through them as successfully and efficiently as possible while minimizing the impacts the disruptions cause. In dealing with the wide spectrum of threats that can cause operational disruptions to our organizations – regardless of whether they are health or natural catastrophes, terrorists or cybercrime – a key part of successfully overcoming the impacts of incidents is taking the time to properly prepare. Preparedness can be defined as a continuous cycle of planning, organizing, training, equipping, exercising, evaluating, and taking corrective actions to support effective incident response.
In today’s cyber threat environment, many organizations are struggling to work out how to mitigate the array of cyber threats and associated risks they face. In a fast-paced, constantly changing environment, it is easy to be overwhelmed trying to determine how to prepare for and respond to the attacks and incidents that could arise. But take heart: there is hope! While the Preparedness Cycle is usually thought of in relation to “traditional” threats – hurricanes, explosives and earthquakes, for example – it is just as valid an approach for confronting cyber threats, and it works just as well at reducing the associated risks and impacts of such events.
But let’s back up. Threats, risks – what are we talking about? Malware, ransomware, cyberattacks, phishing, whaling (did you say whaling?), espionage, insider threats, denial of service, social media… what am I going to do with all these threats?! Or are they risks?
Let’s start with lexicon, because terms matter. I like references because then I can blame someone else for the typos… In 2010, the Department of Homeland Security’s Risk Steering Committee published the “DHS Risk Lexicon,” which provides sound definitions for a number of key terms. Let’s look at the two most fundamental: Threat and Risk.
- Threat is defined as a “natural or man-made occurrence, individual, entity, or action that has or indicates the potential to harm life, information, operations, the environment, and/or property.”
- Risk is defined as the “potential for an unwanted outcome resulting from an incident, event, or occurrence, as determined by its likelihood and the associated consequences.”
As we try to understand our cyber threat environment, we have to gain an appreciation for the many occurrences, individuals, and entities that have the potential to cause harm. That understanding can be developed in a number of ways, and the means by which we build a sound picture of the threat environment and conduct a risk assessment could each be an entire blog series of their own. For today, we’ll just assume you’re maintaining threat awareness via great resources like SurfWatch Labs’ and Gate 15’s blogs and Twitter feeds, that you’ve assessed those threats in relation to your organizational interests, and that you’ve developed a prioritized assessment of your risks.
No organization is able to specifically address every threat and risk, nor to address them all as thoroughly as we’d like. By prioritizing your risks, and recognizing that you have only limited time and resources to work with, you can find ways to “get the most bang for the buck” when deciding how to approach preparedness activities. Some risks you will choose to simply accept. Some you will transfer, for example through insurance. Others you will address through the Preparedness Cycle and its deliberate process of planning, organizing, training, equipping, exercising, evaluating, and taking corrective action. In the next few installments of this blog series, we’ll take a look at each part of the Cycle and at ways you can progressively reduce your cyber risk through proper preparedness.