Asking the right questions within your organization is key to effectively managing cyber risk. Here are 10 questions that you should ask your team: 
1. What information and systems do we care about and why? 
    - What information do we have that we care about? (personal information of employees or customers; proprietary information (trade secrets); third-party confidential information)
 
    - What systems are critical for our continued operation?
 
2. What are the risk scenarios that create exposure for us based on answers to #1?
    - Internal risk (e.g. malicious or error)
 
    - External attack (e.g. phishing; brute force)
 
    - Supplier/third party issue (e.g. victim of attack or error)
 
3. What measures do we have in place to manage third party risk?
    - Contractual provisions? (e.g. restrictions on use/retention of information; obligation to safeguard and implement specific security measures on issues such as backup storage; notification in event of suspected/confirmed incident; obligations in event of incident (investigate/share information); right to audit; optional provisions: third party security certification; obligation to have insurance)
 
4. What regulatory obligations do we have in relation to cyber?
    - Do we have defensible documentation to establish compliance with our obligations?
 
5. What is the estimated financial exposure from the risk scenarios materializing?
    - Do we have exposure from: unauthorized access, lack of integrity, inability to access?
 
    - What is the dollar value for every day of business interruption, loss of goodwill?
 
    - What are the potential claims by data subjects (how many data subjects; categories of information/sensitivity; should we even have this information)?
 
    - What are the breach of contract consequences?
 
6. What technical tools do we have in place and how do they protect against risk scenarios?
    - What are we using as our benchmark, and why is that the relevant baseline?
 
    - Are we up to date with the newest threat actor tactics?
 
    - How will we know if there is unauthorized access to our network? Does someone get an alert if there is unusual activity?  
 
    - How do we define the scope of what is ‘unusual’? (e.g., connection from an unusual location; connections from two different locations)
 
    - If an intruder gains access, how easily can they move around without being detected? How have we protected our most sensitive information?
 
    - Have we configured all tools to maximize security and create exceptions where necessary for business objectives (e.g., firewall only permits certain inbound/outbound connections)?
 
    - Can we impose restrictions to limit risk? (e.g., multi-factor authentication always required; password restrictions; restricting users' ability to install software; encryption; limiting the ability to download)
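
The "how will we know" and "what is unusual" questions above come down to a concrete rule that someone can run over the authentication logs. The example below is added here and is not part of the original article; it shows two of the checks the list names, a login from a location outside a user's normal baseline and two logins too far apart for the time between them, applied to constructed log lines. The log format, the per-user baseline, and the 900 km/h travel threshold are all assumptions for the example.

```python
"""Two 'unusual activity' checks over authentication log lines: an
unfamiliar-location check against a per-user baseline, and an
impossible-travel check (two successful logins from places too far apart
for the time between them). Example code, not from the original article;
the log lines, baseline and threshold are constructed for illustration."""
import math
import re
from datetime import datetime, timezone

# Constructed sample log: ISO timestamp, user, source IP, geolocation, outcome.
SAMPLE_LOG = """\
2024-05-01T09:00:00Z user=alice ip=203.0.113.10 city=Toronto country=CA lat=43.65 lon=-79.38 result=success
2024-05-01T09:20:00Z user=bob ip=198.51.100.7 city=Calgary country=CA lat=51.05 lon=-114.07 result=success
2024-05-01T09:45:00Z user=alice ip=192.0.2.55 city=Kyiv country=UA lat=50.45 lon=30.52 result=success
2024-05-01T10:05:00Z user=bob ip=198.51.100.7 city=Calgary country=CA lat=51.05 lon=-114.07 result=failure
2024-05-01T17:30:00Z user=bob ip=198.51.100.9 city=Vancouver country=CA lat=49.28 lon=-123.12 result=success
"""

# Constructed baseline: the (city, country) pairs each user normally logs in from.
BASELINE = {
    "alice": {("Toronto", "CA")},
    "bob": {("Calgary", "CA"), ("Vancouver", "CA")},
}

# Assumed threshold: faster than this between two logins is treated as impossible travel.
MAX_KMH = 900.0

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) city=(?P<city>\S+) "
    r"country=(?P<country>\S+) lat=(?P<lat>-?[\d.]+) lon=(?P<lon>-?[\d.]+) result=(?P<result>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict; return None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    ev["lat"], ev["lon"] = float(ev["lat"]), float(ev["lon"])
    return ev


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def find_unusual_logins(log_text, baseline, max_kmh=MAX_KMH):
    """Return (user, rule, detail) alerts for successful logins that are from a
    location outside the user's baseline or that imply impossible travel."""
    alerts = []
    last_success = {}  # user -> most recent successful login event
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["result"] != "success":
            continue  # failed logins are a separate signal (brute force) and are not scored here
        user, loc = ev["user"], (ev["city"], ev["country"])
        if loc not in baseline.get(user, set()):
            alerts.append((user, "unfamiliar_location", f"{ev['city']},{ev['country']} from {ev['ip']}"))
        prev = last_success.get(user)
        if prev is not None and (prev["city"], prev["country"]) != loc:
            hours = (ev["ts"] - prev["ts"]).total_seconds() / 3600
            km = haversine_km(prev["lat"], prev["lon"], ev["lat"], ev["lon"])
            if hours <= 0 or km / hours > max_kmh:
                alerts.append((user, "impossible_travel",
                               f"{prev['city']}->{ev['city']} {km:.0f} km in {hours:.2f} h"))
        last_success[user] = ev
    return alerts


if __name__ == "__main__":
    for user, rule, detail in find_unusual_logins(SAMPLE_LOG, BASELINE):
        print(f"ALERT {rule:<20} user={user} {detail}")
```

On the sample data the two alerts both concern alice: the Kyiv login is outside her baseline, and Toronto to Kyiv in 45 minutes exceeds the travel threshold. Bob's Calgary-to-Vancouver move over eight hours is within the threshold and both cities are in his baseline, so he produces nothing. The baseline is the part an organization has to maintain deliberately; without one, "unusual" has no definition and the alert in the question above never fires.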
 
7. How could a risk scenario materialize notwithstanding all technical tools in place?
    - Have we considered the role of the following in giving rise to risk scenarios: human error; third party/supplier issue?
 
8. What policies and protocols do we need in place to manage risk scenarios?
    - Do we have appropriate governance in place to manage these risks? (e.g. applicant vetting; employee training; outsourcing; rules around use of personal devices; patching; data retention; review and updating of the security strategy; escalation of security observations/concerns)
 
9. In what ways are we prepared for an attack?
    - Do we have reliable and tested backups? How current are they?
 
    - Are we collecting and preserving logs? 
 
    - Is our defensible documentation in place?
 
    - Have we tested our preparedness through tabletop exercises and incorporated the learnings into our strategy?
 
    - Do we have the right experts on speed dial?
 
10. Are we accessing all available external resources?
    - Have we looked at available resources such as the Canadian Centre for Cyber Security or industry groups for information sharing and coordination?
 
    - Have we consulted experts about our preparedness strategy?
 
If you have questions about cybersecurity risk management, reach out to Bennett Jones' Data Governance Protection and Cybersecurity team.