In a recent blog post we discussed the new NIS2 Directive, whose priority is to increase cybersecurity resilience across the EU. One of the main objectives of the Directive is to introduce stricter requirements on risk management measures.
So, what is cybersecurity risk and how do you manage it? This article explains cybersecurity risk management with special focus on small and medium enterprises (SME).
What is cybersecurity risk?
Cybersecurity risk is the likelihood of data loss, system compromise, or operational disruption as a result of a cyberattack. It is an overarching term that generally includes cyberthreats and cyberattacks.
Types of cyber risks include:
- Cyber criminals—Cyber criminals cause data breaches and perform scams for personal gain, mostly money. Organizations with large amounts of sensitive data and limited security budgets, such as healthcare providers, are at a high risk from cyber criminals (cf. the PharMerica data breach).
- Hacktivists—Hacktivists compromise the systems of organizations to make a political statement or advance a cause. The hacker group Anonymous is one of the best known hacktivist movements operating today.
- Nation states—Governments all over the world spy on rival states and sometimes sponsor hacker groups to conduct direct attacks against political figures and organizations. Recently, the Russia-sponsored APT29 group was found to target institutions across EU and NATO countries.
- Software and hardware vulnerabilities—Hackers are constantly looking for flaws in software and devices that give them access to, or control over, systems. Recently a hacker gang exploited printers to attack schools with ransomware.
- Inadequate security and misconfigured devices—Weak passwords, open ports, or sending data over unsecured networks are major risks for organizations with a large number of remote employees.
- Low cybersecurity awareness—Uninformed or overly trusting employees can become carriers of cyberthreats by neglecting security procedures or falling for a scam.
Cybersecurity risks are constantly evolving and adapting to bypass the security measures that people and organizations use against them.
What is cybersecurity risk management?
Cyber risk management is a continuous process of identifying and analyzing threats, and implementing and reviewing security countermeasures.
Its goal is to prepare the organization for future cyberattacks and mitigate their impact.
In general, cybersecurity risk management is a cycle of five stages:
- Inventory assets—What resources is your business using and how critical are they?
- Identify risks—How can your assets be attacked and by whom?
- Assess risks—How real is the threat that each risk presents?
- Mitigate risks—What do you have to do to counter the threat and reduce the risk?
- Monitor and report—How consistently are you following your policy, and what threat incidents have you observed?
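The five stages above map naturally onto a risk register. The following Python script is an added example, not code from the original article or from GoodAccess: it keeps an asset inventory, records identified risks, scores them, credits mitigating controls, and compares the assessment with observed incidents. The scoring scheme is an assumption for illustration (likelihood and impact each rated 1 to 5, score = likelihood × impact, each control removing a stated number of likelihood points); the asset names, risks and incident counts are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

RATING_MIN, RATING_MAX = 1, 5  # assumed rating scale for likelihood and impact


@dataclass
class Asset:
    """Stage 1, inventory: what the business uses and how critical it is."""
    name: str
    criticality: int  # impact if compromised: 1 (minor) .. 5 (business-critical)


@dataclass
class Risk:
    """Stage 2, identification: how an asset can be attacked and by whom."""
    asset: str
    threat: str
    likelihood: int  # chance of occurrence before any control: 1 (rare) .. 5 (near certain)
    # Stage 4, mitigation: each control and the likelihood points it is credited
    # with removing (assumed additive model, chosen for illustration).
    controls: List[Tuple[str, int]] = field(default_factory=list)


def check_rating(value: int, what: str) -> int:
    """Reject ratings outside the assumed 1..5 scale so bad data cannot hide a risk."""
    if not RATING_MIN <= value <= RATING_MAX:
        raise ValueError(f"{what} must be between {RATING_MIN} and {RATING_MAX}, got {value}")
    return value


def impact(risk: Risk, assets: Dict[str, Asset]) -> int:
    """Look up the criticality of the asset a risk refers to (inventory must be complete)."""
    if risk.asset not in assets:
        raise KeyError(f"risk refers to unknown asset {risk.asset!r}; update the inventory first")
    return check_rating(assets[risk.asset].criticality, "criticality")


def inherent_score(risk: Risk, assets: Dict[str, Asset]) -> int:
    """Stage 3, assessment: likelihood x impact with no controls applied."""
    return check_rating(risk.likelihood, "likelihood") * impact(risk, assets)


def residual_likelihood(risk: Risk) -> int:
    """Likelihood left after every listed control is credited, never below the minimum."""
    reduction = sum(points for _, points in risk.controls)
    return max(RATING_MIN, check_rating(risk.likelihood, "likelihood") - reduction)


def residual_score(risk: Risk, assets: Dict[str, Asset]) -> int:
    """Score that remains after mitigation; this is what gets monitored."""
    return residual_likelihood(risk) * impact(risk, assets)


def prioritize(risks: List[Risk], assets: Dict[str, Asset]) -> List[Tuple[str, str, int, int]]:
    """Rows of (asset, threat, inherent, residual), highest residual score first."""
    rows = [(r.asset, r.threat, inherent_score(r, assets), residual_score(r, assets)) for r in risks]
    return sorted(rows, key=lambda row: (-row[3], row[0], row[1]))


def review(risks: List[Risk], assets: Dict[str, Asset],
           incidents: Dict[Tuple[str, str], int]) -> List[Tuple[str, str, int, int, str]]:
    """Stage 5, monitor and report: compare observed incidents with the assessed
    likelihood. A risk rated unlikely that is nevertheless being hit is flagged so
    the cycle restarts at assessment."""
    out = []
    for r in risks:
        seen = incidents.get((r.asset, r.threat), 0)
        flag = "REASSESS" if seen > 0 and residual_likelihood(r) <= 2 else "OK"
        out.append((r.asset, r.threat, residual_score(r, assets), seen, flag))
    return out


# Constructed sample register for a small company (not real data).
ASSETS = {a.name: a for a in [
    Asset("customer-db", 5),
    Asset("office-laptops", 3),
    Asset("marketing-site", 2),
]}

RISKS = [
    Risk("office-laptops", "phishing by cyber criminals", 5,
         [("awareness training", 1), ("multi-factor authentication", 2)]),
    Risk("customer-db", "ransomware via unpatched software", 4,
         [("automatic updates", 2)]),
    Risk("marketing-site", "denial of service by hacktivists", 3),
]

# Constructed monitoring data: incidents observed during the last quarter.
INCIDENTS = {("office-laptops", "phishing by cyber criminals"): 3}

if __name__ == "__main__":
    for row in prioritize(RISKS, ASSETS):
        print("priority  asset=%-15s threat=%-35s inherent=%2d residual=%2d" % row)
    for row in review(RISKS, ASSETS, INCIDENTS):
        print("review    asset=%-15s threat=%-35s residual=%2d incidents=%d %s" % row)
```

In the sample data the customer database keeps the highest residual score even after automatic updates are credited, which is where an SME's limited budget should go first; the phishing risk on laptops is scored as unlikely after training and MFA, yet three incidents were observed, so the review stage flags it for reassessment rather than letting the register go stale.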
Cybersecurity risk management is essential for any organization handling sensitive data; e.g., personal information of clients or company know-how. The cyberthreat landscape is expanding and new risks emerge year by year. Understanding the full scope of the risks they face allows businesses to proactively implement effective measures.
An effective and well-maintained risk management strategy can help businesses:
- Defend against cyberattacks
- Protect their assets and data
- Preserve their reputation
- Reduce recovery costs
Legal context of cybersecurity risk
Governments around the world are also aware of cyber risks threatening their citizens, institutions, and businesses operating in their countries. In response, they are investing in cyber defense and passing legislation to reduce cyber risks within their borders.
Examples of such legislation include:
- The Health Insurance Portability and Accountability Act (HIPAA) of 1996 enacted by the US Congress that regulates the flows of personally identifiable information in the healthcare industry in the US.
- The General Data Protection Regulation (GDPR) of 2016 that deals with the processing of personal data of EU citizens and entities.
- The California Consumer Privacy Act (CCPA) of 2018 that protects and regulates the handling of consumer data in the state of California in the US.
- The Directive on Security of Network and Information Systems (NIS) of 2016 (updated by NIS2 in 2023), which seeks to increase the overall level of cybersecurity in the EU.
The NIS2 Directive is the newest addition among major data regulations. Though it remains to be seen how the Directive will be implemented in each EU member state, you can expect a push towards a cybersecurity focus among a broader scope of European businesses, as the Directive covers more entities and sectors.
The Directive also pays special attention to supply-chain security, which concerns small and medium enterprises directly, as they often rely on third-party contractors and suppliers, and/or are service providers themselves.
This means even smaller enterprises will now have to take their cybersecurity more seriously and implement measures to reduce their cybersecurity risk.
How do you manage cybersecurity risk?
Cybersecurity risk can never be completely eliminated, but it can be reduced. Here are a few strategies that businesses can employ to increase their cybersecurity posture and reduce risk:
- Put a security policy in place—Develop a comprehensive policy that outlines procedures that employees need to follow. This includes practices on data protection, password management, and incident reporting.
- Employee training—If you want your policies followed, you need to conduct regular cybersecurity awareness training that educates employees about inappropriate data handling and common threats (phishing and malware), teaches strong password management, and promotes secure remote work.
- Regular updates—Ensure that all operating systems, business applications, and software have the latest security patches and bug fixes. Enable automatic updates (where available) to minimize the risk of vulnerabilities being exploited.
- Adopt zero trust network access—Zero trust is one of the security approaches recommended by the NIS2 directive for pan-EU cybersecurity risk reduction.
But not all organizations face the same challenges when managing cybersecurity risks.
Small and medium enterprises (SME) operate under different circumstances that determine how they can defend themselves against cyberthreats.
The unique predicament of SMEs consists of the following challenges:
- Small security budget—SMEs usually have fewer resources to spare on cybersecurity, which prevents them from acquiring advanced security technologies or hiring dedicated security staff. As a result, they may rely on rudimentary security countermeasures only, something cybercriminals have learned to exploit.
- Lack of cybersecurity expertise—Hand in hand with budget constraints, SMEs often lack trained cybersecurity staff and spend less effort on cybersecurity awareness training. Some may become complacent as being “too small to be a target”. This means they tend to be less diligent in observing cybersecurity best practices.
- Large attack surface—SMEs often rely on dispersed, third-party vendors, which increases the number of exploitable points of entry. Remote employees connecting via unsecured networks represent a particularly easy target.
- Supply chain risks—Many SMEs rely on external suppliers and contractors for various aspects of their operations. However, these external resources are beyond their ability to secure and represent an additional security risk.
At the same time, more SMEs are now falling victim to cybercrime as cyberattackers turn on them as valid targets. According to Verizon’s Data Breach Investigations Report, 43% of cyberattacks now target small businesses.
The question is, how can SMEs overcome these challenges and successfully manage their cybersecurity risks?
The answer is zero trust network access (ZTNA) as a service.
What is ZTNA-as-a-service?
ZTNA-as-a-service (ZTNAaaS, SaaS ZTNA) is a modern solution for reducing cybersecurity risk and increasing the cyber resilience of organizations in the everything-online age.
In the past, deploying ZTNA was the domain of large organizations due to the cost and complexity of implementing robust identity provisioning, network segmentation, and access controls, but modern ZTNA solutions, like GoodAccess, provide all these as a cloud-delivered service.
This means that any organization, regardless of its size, can now deploy ZTNA in its IT environment without any hardware investment, even without a trained IT specialist on staff.
How do you choose a ZTNA-as-a-service solution?
The ZTNA market is developing rapidly, and it’s impossible to say, “This solution is the best,” at the moment. The choice of a ZTNA solution depends on the needs of the individual company.
GoodAccess is a ZTNA-as-a-service tailored to the needs of small and medium enterprises. It has features like network encryption, segmentation, and strict user authentication to successfully reduce cybersecurity risk and comply with regulations.