As mentioned in the section on the overall cybersecurity risk management process, there are four essential steps in risk management:
Once you have identified your risks and assessed them (that is, estimated the impact and likelihood of each), the next step is to decide what you can do about them: whether and how to mitigate them.
As you would expect, the mitigation depends on the threat. Against ransomware, the measures might include endpoint software that detects and blocks ransomware, backups kept offline so they cannot be encrypted along with everything else, and training staff to recognise dangerous email attachments. Against insider attacks, a quite different set of measures applies, such as least privilege and monitoring of privileged access.
But even before thinking about specific measures, there is another consideration. In cybersecurity, as in life in general, prevention has to be balanced against detection and recovery. Often prevention is the best and simplest mitigation measure. To avoid lung cancer, don't smoke: cheap and effective. But sometimes prevention is infeasible or not worth the cost. To avoid car accidents, don't drive: very effective, but generally infeasible.
When prevention is infeasible or too expensive, the alternative is to accept that the incident may happen and to limit its consequences instead. You have to accept that one of your disks may fail and lose its data, but regular backups (recovery) turn that loss from a disaster into an inconvenience.
How do you decide which to adopt? The mix of impact and likelihood gives a clue. When both are high, a combination of prevention and detection/recovery is generally worth paying for. When the impact is high but the likelihood is low, as with a disk failure, the most cost-effective choice is often to spend only on detection and recovery: a prevention measure that runs all year to stop a rare event can cost more than the expected loss it averts. The test in either case is the same: does the measure reduce the expected loss (likelihood times impact) by more than it costs to run?
This combination of prevention and detection/recovery is built into the NIST Cybersecurity Framework, whose core functions are Identify, Protect, Detect, Respond and Recover (version 2.0, published in 2024, adds Govern).
The framework helps you organize your thinking about mitigation in terms of prevention (Protect) versus detection and recovery (Detect, Respond, Recover).
The second dimension of mitigation is technical measures versus procedural measures (best practices). Here are some typical recommendations for small businesses, courtesy of the National Institute of Standards and Technology.
It is the mission of cyberwatching.eu to help provide you with the information you need to evaluate the many possibilities for risk mitigation.
At this point you have the unwelcome task of estimating your residual risk: the risk that remains after all of your mitigation measures are in place. This is never easy, and here too the expertise of professionals helps to put numbers on it. The growing number of incident databases also helps: as the community records what cyber incidents have actually cost organizations, you gain a basis for estimating what the residual risk you carry could cost you.
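The decision rule sketched above (spend on a measure only if it reduces expected loss by more than it costs) and the residual-risk estimate that follows can be worked through with a small risk register. The following is an added example, not code from the cyberwatching.eu page or from NIST: it scores each risk by annualized loss expectancy (likelihood times impact), lets prevention controls scale the likelihood and detection/recovery controls scale the loss per incident, and then picks the set of controls that minimises residual loss plus control cost. All likelihoods, impacts and control costs are constructed for illustration, and the assumption that control effects multiply independently is a simplification of this example.

```python
# Added example (not from the cyberwatching.eu page): choosing between
# prevention and detection/recovery controls by annualized loss expectancy.
# All figures below are constructed for illustration, not real incident data.
from dataclasses import dataclass
from itertools import combinations
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: float  # expected incidents per year (annual rate of occurrence)
    impact: float      # loss per incident, in EUR (single loss expectancy)

    def ale(self) -> float:
        """Annualized loss expectancy: likelihood x impact, the usual risk score."""
        return self.likelihood * self.impact


@dataclass(frozen=True)
class Control:
    name: str
    kind: str                       # "prevention" or "detection/recovery"
    annual_cost: float              # cost to run per year, in EUR
    likelihood_factor: float = 1.0  # prevention scales the likelihood (1.0 = no effect)
    impact_factor: float = 1.0      # detection/recovery scales the loss per incident


def residual_ale(risk: Risk, controls: List[Control]) -> float:
    """ALE that remains once the given controls are in place.
    Control effects are assumed independent, so the factors multiply
    (an assumption of this example, not a law of nature)."""
    likelihood, impact = risk.likelihood, risk.impact
    for c in controls:
        likelihood *= c.likelihood_factor
        impact *= c.impact_factor
    return likelihood * impact


def choose_controls(risk: Risk, candidates: List[Control]) -> Tuple[List[Control], float]:
    """Pick the subset of candidates that minimises the total annual cost of the
    risk: residual ALE plus the cost of the controls. Exhaustive over subsets,
    which is fine for the handful of options a small business weighs per risk."""
    best_subset: List[Control] = []
    best_total = risk.ale()  # doing nothing: full ALE, zero control cost
    for n in range(1, len(candidates) + 1):
        for subset in combinations(candidates, n):
            total = residual_ale(risk, list(subset)) + sum(c.annual_cost for c in subset)
            if total < best_total:
                best_total, best_subset = total, list(subset)
    return best_subset, residual_ale(risk, best_subset)


def residual_risk_report(register: Dict[Risk, List[Control]]) -> Dict[str, Tuple[List[str], float]]:
    """For each risk: the names of the chosen controls and the residual ALE you still carry."""
    report: Dict[str, Tuple[List[str], float]] = {}
    for risk, candidates in register.items():
        chosen, remaining = choose_controls(risk, candidates)
        report[risk.name] = ([c.name for c in chosen], remaining)
    return report


# Constructed register: the two risks mentioned in the text, with hypothetical figures.
RANSOMWARE = Risk("ransomware", likelihood=0.5, impact=200_000)  # high impact, high likelihood
DISK_CRASH = Risk("disk crash", likelihood=0.2, impact=50_000)   # high impact, low likelihood

REGISTER: Dict[Risk, List[Control]] = {
    RANSOMWARE: [
        Control("attachment-awareness training", "prevention", 5_000, likelihood_factor=0.5),
        Control("endpoint anti-ransomware software", "prevention", 20_000, likelihood_factor=0.4),
        Control("offline backups + restore drills", "detection/recovery", 8_000, impact_factor=0.25),
    ],
    DISK_CRASH: [
        Control("redundant storage (RAID)", "prevention", 6_000, likelihood_factor=0.1),
        Control("nightly backups", "detection/recovery", 2_000, impact_factor=0.05),
    ],
}

if __name__ == "__main__":
    for name, (controls, remaining) in residual_risk_report(REGISTER).items():
        print(f"{name}: adopt {controls}; residual ALE EUR {remaining:,.0f}")
```

With these constructed figures the disk-crash risk ends up with backups only (the redundant storage costs more per year than the rare failures it would prevent), while ransomware gets a mix of training (prevention) and offline backups (recovery), exactly the pattern the text describes. The residual ALE per risk is the number you carry into the residual-risk discussion; in practice the inputs come from incident databases and professional estimates rather than from round numbers like these.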