1. Understand the biggest risks to your organisation
Perfect cyber security doesn’t exist. Organisations simply don’t have enough time or money to stay on top of all the risks. That means it’s important to identify the biggest risks to your organisation and focus on those. To do this, follow this three-step process:
1. Consequences. The starting point is to understand the potential consequences of a cyber threat. There are the immediate, direct impacts such as operational disruption, financial losses, the cost and resources needed to respond, and the loss of data. But there are also indirect impacts that stem from the initial incident – like regulators stepping in, damage to brand perception, and loss of customers. If the incident is serious enough, the organisation’s executive management becomes distracted and no longer pursues strategic goals with full attention.
2. Assets. The next step is to identify what it is that you need to protect. We do this by evaluating what is most important to our organisation’s survival and competitive advantage. Examples include our business model, our data, or a service or product we provide.
3. Threats. You’ll also need a stronger understanding of the current threat landscape. We do this through assessing the cyber threat scenarios that would cause significant loss or disruption to our organisation.
There’s a wealth of content that’s being shared on an almost continuous basis on what the cyber threat landscape looks like. The trick is to pick out the sources you need, in a format that’s easy to understand – otherwise, it can be easy to become overwhelmed with data and technical jargon.
From here, you can start to identify the types of cyber risk scenarios most relevant to your organisation.