
Get the basics right: risk management principles for cyber security

Created:  13 Dec 2017
Updated:  13 Dec 2017
Risk management principles that can be applied to all organisations, regardless of size.

The NCSC's risk management guidance is aimed at a broad range of organisations, from sole traders to large government departments.

  • This section describes some basic risk management principles that will suffice for most small and medium sized enterprises (SMEs) or sole traders.

  • Techniques better suited to large organisations, with complex, interconnected risks and infrastructures, are described in other parts of this guidance.

Start with a cyber security baseline

If you can afford to do nothing else, adopt a recognised baseline of security controls, such as those defined in Cyber Essentials. This approach doesn't require any risk analysis at all; it's just about applying some basic security controls and demonstrating that your organisation takes cyber security seriously. Make sure the security baseline you choose takes into account any laws and regulations your organisation must comply with.

All organisations face risks, no matter the size

Many cyber attacks use indiscriminate scatter-gun approaches to targeting victims. If you're an SME or sole trader, you're just as likely to be a victim of these scatter-gun attacks as a large organisation. Attackers may not know (or care) who you are until they get a foothold in your organisation.

Understand what you care about, and why

Cyber security is as much about knowing how your organisation functions as it is about technology. Think about which people, information, technologies and business processes are critical to your organisation. What would happen if you no longer had access to them (or if you no longer had control over them)? For example, your organisation might be able to function reasonably well for a few days without email, but loss of a Customer Relationship Management service might prevent essential day-to-day tasks being completed. Equally, some information (such as personal data) must remain private, but other types of information could be released without any disruption. This basic understanding of what you care about, and why it's important, should help you prioritise which parts of your organisation to protect first.

Think about situations in which you could be compromised

The ability to visualise the future consequences of your decisions - some of which cannot be easily predicted - is essential to risk management. You can't explore every scenario in which you could be compromised, but you shouldn't let that put you off. It might seem natural to start with a decision you've taken, such as adopting a particular password policy in your organisation, and to work forwards from there to explore the consequences. However, it can be more useful to start with an outcome that you want to avoid, and then work backwards.

For example, you could imagine the following outcome:

    Our customers' personal data has been leaked

and work backwards from there. So in this case you might ask yourself:

  • What decisions did we take immediately before the leak, which might have exacerbated the situation?
  • Why did we make these decisions?

As you work backwards, it should become clear that there are many ways in which any negative outcome can occur. All this can give you valuable insights into how best to deploy your limited cyber security resources. This is not the only way to think about situations in which you could be compromised; it's just one example of how these kinds of techniques can be used.

Accept some risk

When you've made a business decision (such as deploying some new technology in your organisation) you will have to accept some possibility that it could be attacked, subverted, destroyed or otherwise messed with. We all experience risk because the future is uncertain, and cyber risk is no different.

We're not saying that you should just shrug your shoulders and ignore cyber risks; rather, you need to focus on those risks which you can practically do something about. Getting this right depends on understanding:

  • what you expect to gain by taking a given risk
  • how much it would hurt you if that risk were realised
  • how much you can afford to spend on protecting yourself

This all comes down to judgement. So if anyone tells you that a particular framework or piece of security technology can manage 'all of your cyber risks', take everything they say with a pinch of salt. You'd be amazed how often the NCSC hears this claim.

Balance cyber risks against other types of risk

Some security measures can reduce one type of risk, whilst increasing risk somewhere else.

For example, let's imagine you want your customers' online accounts to be secure, so you introduce strong password requirements on your website. This might (or might not) reduce some risks, but it is likely to introduce the new risk of customers leaving your website and going to a competitor's (where the overall user experience is better).

Whilst this isn't really a cyber security risk, it still affects your organisation, and treating both risks as being separate and unconnected is unrealistic. So, when you decide to adopt a security measure, try to imagine any unintended consequences.

Learn from security solutions used by other organisations

It's rarely worth re-inventing the wheel. We don't advocate blindly copying security solutions without reflecting on how they fit your own context, but you can learn a lot from studying how other organisations have solved cyber security problems similar to yours. For example, the description of the NCSC's own IT architecture might be a useful starting point for some organisations. Keep an eye out for how other organisations have solved security problems.

Keep an eye out for cyber security myths

Cyber security, like most professions, has a lot of myths to bust. For example, there is a myth that cloud-based infrastructures are more risky than using your own equipment. This is rarely true - large and reputable cloud service providers generally have far more robust security arrangements than most organisations could afford themselves. At the same time, the cloud isn't a silver bullet; you still need to ensure that the devices your organisation uses to access cloud services are properly protected. Our point is that cyber security is constantly changing, so beware of lazy assumptions and uncritical thinking.

Be aware of the strengths and weaknesses of risk management techniques

Risk management standards and frameworks often present themselves as if they exist in isolation. This can lead to an impression that you only ever need to understand and use one type of approach. In reality, there are fundamentally different ways of approaching risk. Of course, many organisations might adopt a single approach to risk management for practical reasons, such as resource constraints, or to ensure compliance with a piece of legislation. In such situations, make sure you are aware of the strengths and weaknesses of the technique being applied.
