Cybersecurity risk management applies the concepts of traditional risk management to digital systems and infrastructure. It is quite similar to traditional risk management in that it identifies potential risks, assesses their impact and crafts strategies, frameworks or plans that allow the organisation to respond effectively to cybersecurity-related risks that may materialise. Cybersecurity attacks can compromise the firm’s systems, steal confidential data and damage its reputation. Such attacks are growing in severity and volume; hence the growing need for cybersecurity risk management. Most firms view anything ‘cyber’-related as the responsibility of the IT department, but every employee in the organisation needs to be aware of the potential risks of cyberattacks, and be responsible for preventing security breaches.

Cybersecurity risk management should take into account not just hardware and software but human factors as well. User awareness training is pivotal in any cybersecurity management plan. However, not all risks, even if identified in advance, can be eliminated. Recognising that these risks exist, and taking steps to put mitigative measures in place, may reduce the harmful impact of such attacks. Most organisations today have an online presence, and are thus vulnerable to attack at any time. Best practices and standards abound when it comes to cybersecurity risk management, but there are a number of steps which must be taken to ensure security measures are effective on a continuous basis.

One of the first things to consider when planning cybersecurity risk management is the need to develop a cybersecurity-focused culture throughout the organisation, from the reception desk to the board room. Also, having a cybersecurity risk management framework in place makes it easier for organisations to identify what processes they need, and to synchronise or align their systems securely with third-party vendors or contractors when required. Frameworks are usually determined by the standards adopted by industry or as established by the firm itself. Some examples adopted by industry include ISO 27001/27002; the Factor Analysis of Information Risk (FAIR) framework; National Institute of Standards and Technology Cybersecurity Framework (NIST CSF); and Center for Internet Security (CIS) Controls.

Organisations should also make it a point to set a cybersecurity risk management policy for everyone to follow. Employees should be trained to know exactly what type of data should not be shared, and who to contact if they suspect system breaches or security threats. Other considerations for cybersecurity risk management include prioritising cybersecurity risks, emphasising speed of response, and practising cyber hygiene. Risks need to be prioritised in terms of probability and impact level so that security preparations can be made accordingly. When it comes to risk containment, speed is imperative; an immediate response is required when a security breach or cyberattack occurs. The longer the time taken to address the threat, the more damage may be done.

Implementing good cyber hygiene is considered by many as the starting point for cybersecurity risk management. This will entail daily routines, good behaviour and occasional check-ups – very similar to personal hygiene recommendations – to ensure the company’s online health. Together with this sort of practical approach is the need to pay attention to the firm’s threat environment as there are always new threats to look out for. Cyberattacks are rarely random, although some firms suffer as the result of being collateral damage. Hackers and other cybercriminals often gather information from public platforms and social media before attacking.

Any change in regulations may also affect the threat landscape; policies therefore need to be changed accordingly. Any policy or framework should also incorporate diverse views as diverse perspectives could help identify more risks and solutions. This should be extended to include third-party vendors as cybersecurity risk management is not confined to internal parties, assets or technology.