Introduction
In this article, we are going to look at risk. The most general definition of risk is:
"Expose (someone or something valued) to danger, harm, or loss."
In business, risk is assessed across general operations: what risks does your operating environment pose to your business? What risk do your competitors pose to your product? Eventually, organizations set up a department or function that performs this assessment, namely Risk Management.
Modern businesses depend heavily on information technology, and increasingly on the Internet of Things (IoT): by definition, the interconnection via the internet of computing devices embedded in everyday objects, enabling them to send and receive data. This article discusses risk in the context of cybersecurity. A great deal of today's business information already travels over IoT devices, and the trend points further that way, but have we prepared ourselves for the risk that this development carries?
The Risk in Cybersecurity?
We cannot talk about risk without identifying the threats that surround doing business with today's technologies, IoT included. Since about 2016, and probably a few years before that, most businesses have been moving their information to the cloud, and many organizations continue to do so. In modern business, transactions, orders, reports and the like are largely handled over the internet. What is striking about this change is how little has been done to treat cybersecurity as a risk factor alongside it. Organizations urgently need to review cybersecurity at board level and involve their financial analysts, so that cyber risk is treated as an imminent and paramount business risk. The consequences of cyber risk can be damaging to revenue and brand reputation, and can result in business closure or job losses.
Exposure to these risk factors grows as organizations strive to improve their market performance or to stay relevant with current technology: globalization, mergers and acquisitions, extended third-party networks and relationships, outsourcing, adoption of new technologies, and moves to the cloud or to mobile. Together these factors have pushed cyber risk to the intersection of business risk, regulation, and technology.
In this article, we point out some of the key areas that businesses should review and incorporate into their cyber risk assessment.
Definition of Cybersecurity Risk
From the general definition of risk given above, we can specify the following definition:
“Cybersecurity risk is the exposure to harm or loss resulting from intended or unintended breaches or attacks on information systems.”
Some of the threats associated with cybersecurity include, but are not limited to:
Data Breach
Data breaches originate either internally or externally and may be intentional or unintentional. They can also result from security controls that were not re-checked during a change such as moving data to the cloud. Organizations therefore need to vet their cloud service provider, and the controls around the migration, before moving any data.
Internally, organizations should make sure that all personnel are well trained in maintaining data security so that costly mishaps do not occur. Above all, organizations should ensure that the necessary security tools and policies are in place to prevent external breaches by attackers. Tools such as a Web Application Firewall (WAF) and an Intrusion Prevention System (IPS) should be deployed so that there is dependable data security.
If this is not recognized, the organization is at obvious risk of losing confidential data, and in the end losing customer trust and suffering damage to its brand reputation.
Networking
The list below shows some networking weaknesses which may result in a critical security breach:
- No egress controls restricting outbound DNS or HTTP requests.
- Lack of input validation on a web application.
If an organization's network has these weaknesses it is at obvious risk: an attacker can use an injection flaw in the application to make it send data to a host of the attacker's choosing, and with no egress restrictions the organization may not notice until the attacker chooses to reveal the stolen information as part of the attack.
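As an added illustration (example code written for this section, not code from the article or from any product), the Python below covers both weaknesses in the list: an allowlist check that validates a user-supplied callback URL before the application makes an outbound request, and a scan over a constructed egress log that flags DNS queries sent to unapproved resolvers, long high-entropy DNS labels of the kind used to smuggle data out in queries, and HTTP to hosts outside the allowlist. The host names, resolver addresses, log format and thresholds are all assumptions made for the example.

```python
import math
import re
from collections import Counter
from urllib.parse import urlsplit

# Hypothetical corporate egress policy (assumption, not from the article):
# the only external hosts the application may call, and the only resolvers
# clients may query. Everything else should be dropped at the egress point.
ALLOWED_HTTP_HOSTS = {"api.partner.example", "cdn.example"}
CORPORATE_RESOLVERS = {"10.0.0.53", "10.0.1.53"}


def is_allowed_callback_url(url):
    """Input validation: a user-supplied URL is acceptable only if it is https
    and its host (as the URL parser sees it, so userinfo tricks like
    https://good@evil/ are caught) is on the allowlist."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    return parts.scheme == "https" and host in ALLOWED_HTTP_HOSTS


def validate_callback_url(url):
    """Raise instead of silently fetching from an attacker-chosen host."""
    if not is_allowed_callback_url(url):
        raise ValueError("callback URL %r is not on the allowlist" % url)
    return url


def shannon_entropy(text):
    """Bits per character; encoded payloads score far higher than hostnames."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_dns_exfil(qname):
    """Flag queries whose subdomain part is long and high-entropy, the shape of
    data carried out of the network in DNS labels. Thresholds are illustrative."""
    labels = qname.rstrip(".").split(".")
    subdomain = "".join(labels[:-2])  # drop the registrable name, e.g. attacker.example
    return len(subdomain) >= 32 and shannon_entropy(subdomain) >= 3.0


# Constructed sample egress log (not real traffic) in a simple key=value form.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z DNS src=10.0.5.7 dst=10.0.0.53 qname=api.partner.example
2024-05-01T10:00:02Z DNS src=10.0.5.7 dst=8.8.8.8 qname=www.example.org
2024-05-01T10:00:03Z DNS src=10.0.5.7 dst=10.0.0.53 qname=0123456789abcdef0123456789abcdef0123456789abcdef.t.attacker.example
2024-05-01T10:00:04Z HTTP src=10.0.5.7 dst=192.0.2.10 host=api.partner.example method=GET
2024-05-01T10:00:05Z HTTP src=10.0.5.7 dst=203.0.113.9 host=paste.attacker.example method=POST
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<proto>DNS|HTTP) (?P<kv>.*)$")


def analyze_egress_log(log_text):
    """Return (line_number, finding, detail) for each line the egress policy
    should have blocked or an analyst should look at."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = LINE_RE.match(line)
        if not m:
            continue
        fields = dict(kv.split("=", 1) for kv in m.group("kv").split())
        if m.group("proto") == "DNS":
            if fields["dst"] not in CORPORATE_RESOLVERS:
                findings.append((lineno, "dns-unapproved-resolver", fields["dst"]))
            if looks_like_dns_exfil(fields["qname"]):
                findings.append((lineno, "dns-possible-exfil", fields["qname"]))
        else:
            if fields["host"] not in ALLOWED_HTTP_HOSTS:
                findings.append((lineno, "http-unapproved-host", fields["host"]))
    return findings


if __name__ == "__main__":
    for finding in analyze_egress_log(SAMPLE_LOG):
        print(finding)
```

Run stand-alone it prints three findings: the query to a public resolver, the encoded-label query, and the POST to a host outside the allowlist. The real enforcement belongs at the network edge (proxy, firewall, resolver); this script only shows what such a policy would have stopped, and why input validation in the application and egress restriction on the network are complementary rather than alternatives.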
Cloud abuse
Without adequate authentication and registration processes, cloud services are open to abuse for spam, criminal activity, and all sorts of malicious attacks. Stronger measures such as TLS (the successor to SSL) are required so that sensitive data is encrypted in transit and is meaningless to a third party who intercepts it. Note that this protects data on the wire, not data stored on the platform, which needs its own controls.
Single Factor passwords
Single-factor password authentication is a large security risk and gives intruders easy access to data. Organizations need a strong password policy: a minimum length and a mix of upper- and lower-case letters, numerals, and special characters, so that intruders cannot easily brute-force the passwords. Length does more against brute force than composition rules alone.
Requiring multi-factor authentication (MFA), a second factor in addition to the password, limits the risk of intruders gaining access to web applications or websites even when a password has been compromised.
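As an added example (written for this section, not code from the article), the Python below implements both pieces: a check for the composition policy just described, and a time-based one-time password (TOTP, RFC 6238, built on HOTP, RFC 4226) as the second factor, verified with a constant-time comparison and a one-step tolerance for clock skew. Function names and the policy thresholds are assumptions; replay protection (remembering the last accepted time step per user) is assumed to live in the caller.

```python
import base64
import hashlib
import hmac
import re
import secrets
import struct
import time


def password_meets_policy(password, min_length=12):
    """Composition policy as described above: minimum length plus at least one
    upper-case letter, lower-case letter, digit and special character. The
    length requirement (12 here, an assumed value) is what actually slows a
    brute-force attack; the class rules mostly weed out trivial choices."""
    classes = [r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]"]
    return len(password) >= min_length and all(re.search(c, password) for c in classes)


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then the
    standard dynamic truncation to a zero-padded decimal code."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, for_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP over the number of 30-second steps since the epoch."""
    return hotp(secret, int(for_time) // step, digits)


def verify_totp(secret, submitted, now=None, window=1):
    """Second-factor check. Accepts the current step and +/- `window` steps to
    tolerate clock skew, and compares in constant time. Assumption: the caller
    records the last accepted step so the same code cannot be replayed."""
    now = time.time() if now is None else now
    for skew in range(-window, window + 1):
        expected = totp(secret, now + skew * 30)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


def new_shared_secret():
    """Fresh per-user secret for enrolment, base32-encoded as authenticator
    apps expect (160 bits, the size RFC 4226 recommends)."""
    return base64.b32encode(secrets.token_bytes(20)).decode()


if __name__ == "__main__":
    enrol = new_shared_secret()
    key = base64.b32decode(enrol)
    code = totp(key, time.time())
    print("enrolment secret:", enrol)
    print("current code:", code, "verifies:", verify_totp(key, code))
```

The enrolment secret is what goes into the QR code or is typed into the authenticator app; the server keeps the decoded bytes and never the user's password for this step. A brute-forced or phished password alone is then not enough, which is the point of moving beyond a single factor.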
Internet of Things (IoT)
As useful and popular as the Internet of Things has become for doing business, its security is still a risk when data passing from one device to another is not properly authenticated. Firewalls should be used to monitor that traffic; Web Application Firewalls inspect incoming and outgoing web traffic and can be deployed to reduce the risk of losing data.
Shadow IT
Software that is used within the organization but is not procured, supported or monitored by the organization's central IT function is referred to as Shadow IT. Such systems are susceptible to compromise: nobody in IT is patching or monitoring them, and attackers have time to study widely used software and devise ways to subvert it. Once that happens, remediation is costly, and the organization still has a lot to recover in terms of lost data.
Insider Threats
Trusted insiders can be a great threat to an organization's security. Organizations need to ensure that their applications log and monitor user activity, and they need to properly train staff in handling data. Former employees are another risk: organizations must disable departing employees' accounts and rotate any shared passwords or keys those employees had access to, lest they be compromised by ex-staff.
Hacking
Hacking attempts are commonplace, and organizations need to monitor incoming and outgoing traffic. The use of a WAF and an IPS is advisable, as this reduces the risk of a successful attack.
Computer Virus attacks
Computer virus and malware infections can result from removable media, file sharing, bundled free software, and a lack of basic internet security. To mitigate malware, organizations should ensure that proper anti-virus software is installed and kept up to date on all machines, and that users only use approved removable media which has been scanned and checked for malware internally.
Conclusion
Organizations and individuals need to factor in cyber risk before and after they deploy websites and applications that handle data; cyber risk has serious implications if it is not considered. To handle it, organizations need to weigh the cost of managing the risk through countermeasures against the consequences attached to the risk. Those consequences can damage the organization's reputation, cause distrust, and carry huge financial implications.