The SRM Blog

How well do you really understand your risk posture?

Written by Claire Greathead

27th August 2020


With the huge increase in remote working in recent months, new opportunities have opened up to cyber criminals. Organisations of all sectors and sizes are under threat and it is now more important than ever to update your cyber security risk posture. Not only should it include all your existing policies and controls (and how effectively they protect your digital assets), your risk posture also needs to include the use of mobile devices and remote network access.

But first, risk posture needs to be fully understood for it to be an effective strategic driver for change. And here’s the thing. The term ‘risk posture’ is sometimes misunderstood. It can be confused with risk assessment or risk management but it is actually more holistic in concept than either of these.

Risk posture is not a ground level view, but the view from the bridge, where you can see everything laid out before you. From an elevated vantage point you have a unique view of the data security maze, with your most sensitive and valuable data at the centre. From here you can evaluate the effectiveness of your barriers but you can also see the holes where vulnerabilities lie, the possible pathways a determined hacker could exploit and the shadows around the perimeter which represent threats.

So, what should you consider when evaluating your risk posture? Here are a few points to consider:

Identify your assets and where they are located

Start at the centre of the maze: identify your digital assets and grade them in order of value and sensitivity. These are likely to be the targets of a potential hack, so consider what they are and what impact their loss would have on your operational, financial and reputational future. It is important to know exactly where and how these assets are kept, and to trace how they could be reached through network devices, databases, phones, web servers, cloud applications and critical infrastructure. If data assets can be accessed via mobile devices and home-based computers, this needs to be identified too.

Be aware of the threat landscape

It is impossible to predict the likelihood of a breach, but it is reasonable to assume that most organisations will be scrutinised by hackers and will be subject to an attack of some description. Those directly responsible for data security should have a high-level knowledge of the current threat landscape – constantly updating their knowledge as new threats evolve – and should always ensure that patches and updates are installed.

Co-operating and collaborating with other companies in your sector over threat intelligence will help everyone to build a picture of the latest strategies being employed.

Be realistic about who will be targeted

It is often said that the human element is the weakest link in the cyber security chain. That is because individuals can be duped through social engineering attacks or phishing emails into divulging access information, opening up a system to a potential hacker. Yet, although employees are often the first line of defence, a recent survey revealed that C-level executives are 12 times more likely to be hacked. Another report, which surveyed more than 6,000 information security professionals, found that 57% of them said that key executives are the people least likely to comply with a company’s security policy. Education and training therefore need to recognise this and actively engage senior staff.

Establish responsibility – the buck stops here

All too often, data security is seen as the responsibility of the IT team. But passing the buck can lead to a lack of support, resource and understanding of the risk. Data security is the responsibility of each and every individual within a company, but it is the responsibility of the board to ensure that it is prioritised. The CEO of an organisation is ultimately responsible for the security – and it is often important to emphasise this point as it can help to focus the attention of a business leader or leaders.

Cyber risk modelling can illustrate the broad business impacts a cyberattack can have, from the immediate repercussions of the breach through to the long-term financial consequences. This can be used to secure buy-in from all board members and promote a positive security culture across all departments. Including data security on every board agenda ensures that it is constantly monitored and regularly reviewed.

Risk assessment

Identifying and grading risks and potential weaknesses will help to determine which actions need to be taken first and which will have the most impact on improving your cyber security posture. Conducting a risk assessment will show how your security policies work across your operating systems and will provide strategic guidance on what steps need to be taken to mitigate the risk. As your cyber security posture strengthens, your risk should decrease.

Taking action

Your risk posture is where you currently are in terms of data security. It is not, however, fixed and should be constantly reviewed, improved and updated. Engaging with a professional consultancy with wide experience of the evolving threat landscape, expertise in developing security strategies and the knowledge to implement these effectively can significantly enhance your risk posture.

SRM’s Managed Security Service (MSS) provides a 24/7 resource, 365 days a year, to businesses of all sizes and sectors. We can add value by providing support and resource to an existing information security team, or manage the whole process on your behalf in an extremely cost-effective way.

Want to know more? Call us on 03450 212151 or drop us a message here.