How do companies assess risk? It's a system-by-system question

If the security community learned anything from the SolarWinds cyberattack, it was that threat actors do a better job assessing where to find vulnerabilities than cybersecurity teams do at assessing risk.

This was a supply chain attack, where one company was hacked in order to bring chaos to other, often bigger, businesses.

In this case, a network management software program was compromised, which allowed hackers to gain access to the email systems of government agencies and wreak havoc against the systems of large tech firms like FireEye and Microsoft.

Even though there is greater awareness of the weaknesses in the network management supply chain due to the SolarWinds attack, organizations are 82% more likely to suffer a similar attack through a vendor email compromise, according to research conducted by Abnormal Security.

Risk is everywhere, but some companies are more proactive at identifying potential risk than others. For example, Biotechnology company Amgen included SolarWinds on its list of risk factors in its most recent earnings report, even though it does not use the technology.

Every piece of software, every piece of technology, is vulnerable to threat actors, but each organization and cybersecurity team decides what software and technology adds risk to its business operations.

"Risk is a metric that is hard to define as it varies for each organization," said Charles Ragland, security engineer at Digital Shadows.

Risks vary from environment to environment, influenced by a number of different factors, such as the users, the software and supply chains, and the decision-maker's risk tolerance.

What is risk?

Cyberrisk is hypothetical. It is based on the potential financial, reputational or operational damages that would result due to a cyber incident to the organization.

"Risk assessment typically includes risk identification and quantification, both in terms of probability and severity," said Rajeev Gupta, co-founder and chief product officer at Cowbell Cyber.

Risks are often evaluated on a system-by-system basis that accounts for not only the technology but also users' behavior and the value of the system as an asset to the business.

No risk assessment will be the same from one organization to another because what is being protected is exclusive to the company. No other company will have the same data, the same intellectual property, the same supply chain.

Looking at it from that perspective, risk assessment is about what digital asset could cause the most damage if it was compromised.

Assessing risk first involves identifying what assets make the company unique. Only then can the organization assess the cyber value, and from there, cybersecurity teams can build a framework to create a risk assessment protocol.

Different impacts of risk

There are some risk categories that will likely appear in every company and require assessment.

"For example, there is the typical risk you think of from threat actors, both internal and external. This risk largely drives proper access controls and security reviews," said Jon Gulley, senior application security penetration tester at nVisium.

Other risk categories to consider, according to Gulley:

Regulatory risk from governments can come in the form of new regulations that may increase the burden on the company.
Risk associated with technical debt accrues when sacrifices are made in the name of quick growth.
Reputational risk has grown with the rise of social media. The spread of bad publicity is faster than ever, which can lead to boycotts of a company's products.

"Each category requires its own specialists to fully assess and form risk mitigation plans. This comes by way of a security review in one form or another," said Gulley.

By gathering information about the situation and analyzing what is possible now while considering what could happen in the future, a risk assessment can provide an overview of vulnerabilities as well as insight on how to best mitigate them.

The role of zero trust

To address risk, many companies default to zero trust, but that isn't always the most effective way to approach risk.

"Zero trust works well for restricting access to high value segments of an organization's digital footprint," said Gupta.

Equally important, however, is to apply consistent security measures to the entire infrastructure, including techniques such as least privileged access, or access on a need-to-know basis.

Zero trust doesn't have to be an all-or-nothing effort, either. It can be implemented partially, to areas that would better benefit from that type of protection.

In risk assessment, it is important to remember two points: no system or software is unhackable and motivated attackers with the right resources will find a way to achieve their objective.

"Just because an exploit or vulnerability exists doesn't mean you need to panic about it," said Ragland.

Risk can be reduced by developing a mature security posture through code reviews, automated security testing before deployment and proper security evaluation of third-party tooling.

"A thorough evaluation of tooling, processes and procedures is needed to begin planning effective risk mitigation strategies," said Ragland. How you determine what to focus the risk assessment on will be up to you and your organization.