Cybersecurity risks can be realized through risk identification exercises, but what about unrealized cybersecurity risk?
Start with a Risk Assessment
As your company builds a cybersecurity program, a lot of learning occurs. Mostly in the form of realizations about your current configurations, inventory, and/or procedures around cybersecurity. Many of these realizations come from a Risk Assessment exercise. To be clear, here are a few things that a Risk Assessment is and is not.
A risk assessment is not:
- A series of yes or no questions
- A gap analysis
- A sole determination of will you get hacked or not
A risk assessment is:
- An exercise in the uncovering the reality of your cybersecurity posture
- A consideration of the likelihood of a successful attack as well as a consideration of impacts an attack would have
- Useful for planning where to put your cybersecurity focus, resources, and efforts
As you can see, a risk is assessment is just that, seeing. As critical as a Risk Assessment is to see your company’s cybersecurity posture, it’s not a silver bullet. This is why we have to perform recursive cybersecurity and defense in depth. More on these topics at a different time, but in short, it means building multiple layers of protection and not relying on a single defense.
Assessing Risk is Difficult
If you go read the NIST Special Publication 800-30 Rev 1, around risk assessments you’ll see how convoluted the document and process can be. Actually, the guiding document is 95 pages of very technical discussions around risk, likelihood, impact, confidentiality, integrity, availability, and many other cybersecurity concepts. So why is that important? It’s important because it reflects how deep the Risk Assessment process goes. And despite all this depth and effort, your company will still have what we at Rhodian call “Unrealized Risks”. These are the risks that won’t show up in a risk assessment, but can still have a major influence in your likelihood and impact of an attack. So why do unrealized risks exist? They are often difficult to quantify and qualify.
Let’s talk about unrealized risks more
At Rhodian, we don’t just repeat buzz words and key phrases without context or meaning. Instead, we take time to consider these topics and how they apply to our clients’ needs. While doing such an exercise, we discovered a new concept that we haven’t heard other cybersecurity organizations discussing. So, what exactly is an unrealized risk? We’ll take a stab here at defining it for you.
An unrealized risk is a hidden risk that exists in your environment which falls outside the realm of something quantifiable, qualifiable, and may evade traditional cybersecurity assessments and exercises. In our opinion, these unrealized risks are or often turn into cybersecurity incidents. Although there are too many to cover in this post, here are a few that stood out.
Unrealized Risk 1: Unmanaged devices, accounts, and platforms
As a business grows it often adds technology to support that growth. Including adding users to cloud-based services, platforms, and assigning them devices. Keeping track of these devices can help reduce your risk to ensure nothing becomes unmanaged. From our experience as cybersecurity experts, unmanaged, unknown, and forgotten devices, platforms, and accounts have become the subject of computer forensic investigations. Think of that JBOSS server that was stood up for a service, but the IT manager got distracted and the device remains unmanaged for many years. These events occur often. This unrealized risk is difficult to realize because it takes a close eye and a well developed recursive process to keep track of inventory and systems. This unrealized risk falls within our unrealized risk category: Missing Intel
Unrealized Risk 2: Binary Thinking
For this example, you or your mindset can be the risk or increasing the risk. If you’ve ever sat in one of our presentations, you’ve heard a discussion about the words risk and secure. Secure being, a well-intended, but a misleading way to think about cybersecurity. Making cybersecurity decisions without considering the likelihood and impact of that decision can become problematic. Instead, we encourage calculating risk and prioritizing risks. Secure offers only two choices, secure or not secure. Risk offers a range of possibilities and outcomes, which more accurately reflects your cybersecurity reality. Binary thinking and decision making is an unrealized risk because the decision-maker is operating under the assumption that something will not get hacked, while also ignoring the impacts it could have if they are wrong. This unrealized risk falls within our unrealized risk category: Mindset Restrictions
Unrealized Risk 3: Blind Trust
Blind trust means subscribing to the services or platform of an IT or cybersecurity provider without properly vetting the capabilities of the provider and platform. Often, we hear “Our IT provider handles our cybersecurity.” That’s great if it’s true, but more often than not, we find that it is not. As a business owner or manager of a cybersecurity program, the responsibility of due diligence and due care falls squarely on the company. Although an IT provider may tell you they manage cybersecurity, it’s your responsibility to check. Without checking, we have an unrealized risk. This unrealized risk falls within our unrealized risk category: Guidance and Advice
At this point it’s clear, unrealized risks may exist in your environment. Start with a Risk Assessment to uncover cybersecurity risks. Protect against Unrealized Risk through Security Program Development, Vulnerability Scanning, and other risk identifying and reducing exercises with Rhodian. Want to start uncovering some of your risks right away? Reach out to hold an educational discovery call.
