All organizations - public and private - deal with cybersecurity on a daily basis, so much so that security practitioners now take for granted that the question is no longer 'if' one will suffer an attack, but 'when'. The health emergency caused by COVID-19, the development of new technologies and digital transformation have all pushed business strongly towards the online mode, which has also made the work of cybercriminals easier.
The image below shows the most likely cyber threats of the coming years, according to ENISA (the European Union Agency for Cybersecurity).
The landscape is clearly varied and wide-ranging. Besides strategic areas such as the supply chain and AI, the following critical situations emerge:
- increased disinformation, digital surveillance and privacy threats;
- more effective targeted attacks thanks to data collected by smart devices;
- occurrence of human errors and exploits in legacy systems;
- shortage of specialized security professionals;
- misuse of Artificial Intelligence.
In this volatile landscape, organizations must also deal with regulatory changes in information technology security management: consider, for example, the definition of the 'national cyber security perimeter' or the transposition of the NIS directive. For this reason, it is crucial for organizations to define an ultimate security objective that satisfies all protection requirements: compliance with the applicable regulatory framework without jeopardizing business growth.
This in turn requires a prompt and precise cyber risk assessment.
Areas to work on
The development path of the cyber risk assessment starts with a daily analysis of the context the organization operates in, so as to define a framework of actions to be put in place. In this first period of observation and analysis, the priorities are defined in order to improve the company's current cyber security and make the system more efficient through upgrades and new actions.
Once the target has been clarified, we proceed to concrete action: measuring and understanding the gap between the organization's current situation and the condition indicated by the target. The outcome of this phase - which can be conducted with various tools, e.g. surveys on how employees, collaborators or external suppliers behave in certain risky situations - is the organization's current security profile.
The cyber risk assessment approach
Generally speaking, an organization can choose whether to adopt a quantitative or a qualitative approach in defining its risk assessment. The qualitative approach, as is intuitive, relies on subjective elements that are difficult to measure, whereas the quantitative approach adopts previously established metrics, aiming for the greatest possible objectivity. The qualitative approach is usually adopted when time and budget are limited and a streamlined process is the primary requirement. The quantitative approach is more analytical and suited to periodic monitoring of cyber security activities, leading to more detailed and useful results (including a measure of security ROI).
In the definition of the risk assessment, the qualitative approach does not contradict the quantitative one; on the contrary, the two can be integrated.
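The following is an added illustration of the two approaches and how they can be combined; it is not part of the original article. The 3x3 likelihood/impact matrix, the ALE = SLE x ARO and ROSI formulas, and every asset value, frequency and control cost are constructed assumptions chosen for the example.

```python
"""Added example: qualitative banding for triage, quantitative ALE/ROSI for budget.
All figures are constructed sample values, not data from the article."""
from dataclasses import dataclass

# Qualitative approach: ordinal likelihood x impact bands (constructed scale).
QUAL_LEVELS = {"low": 1, "medium": 2, "high": 3}

def qualitative_rating(likelihood: str, impact: str) -> str:
    """Map two ordinal analyst judgements onto a risk band via a 3x3 matrix."""
    score = QUAL_LEVELS[likelihood] * QUAL_LEVELS[impact]
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"

@dataclass
class Scenario:
    name: str
    asset_value: float       # money at risk per event
    exposure_factor: float   # fraction of asset value lost per event (0..1)
    annual_rate: float       # expected events per year (ARO)

def annual_loss_expectancy(s: Scenario) -> float:
    """Quantitative approach (assumed formula): ALE = SLE * ARO, SLE = value * EF."""
    return s.asset_value * s.exposure_factor * s.annual_rate

def rosi(ale_before: float, ale_after: float, control_cost: float) -> float:
    """Return on security investment: risk reduction net of the control's cost,
    relative to that cost. A positive value means the control pays for itself."""
    return (ale_before - ale_after - control_cost) / control_cost

# Constructed scenario: ransomware on a file server, before/after tested backups.
before = Scenario("ransomware", asset_value=500_000, exposure_factor=0.6, annual_rate=0.5)
after = Scenario("ransomware", asset_value=500_000, exposure_factor=0.1, annual_rate=0.5)
BACKUP_COST = 40_000  # constructed yearly cost of the backup control

def integrated_view():
    """Combine both approaches: the qualitative band decides what to look at first,
    the ALE/ROSI figures justify the spend in a periodic, repeatable way."""
    band = qualitative_rating("medium", "high")   # constructed analyst judgement
    ale_b = annual_loss_expectancy(before)
    ale_a = annual_loss_expectancy(after)
    return band, ale_b, ale_a, rosi(ale_b, ale_a, BACKUP_COST)

if __name__ == "__main__":
    print(integrated_view())
```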