Written by Michael Feder
Reviewed by Kathryn Uhles, MIS, MSP, Dean, College of Business and IT
Cybercrime continues to be a growing concern for businesses and individuals. Worldwide, the cost of hacks, data breaches and ransomware is currently estimated at $6 trillion per year, a figure expected to rise to $10.5 trillion by 2025. The numbers alone show that the problem isn’t going away. Rather, the question is one of risk level: how vulnerable is each company’s infrastructure to a cyberattack?
While hackers have adopted newer strategies, such as ransomware (encrypting a victim’s data and demanding payment for the key that decrypts it), instances of long-standing problems like phishing, extortion and identity theft have doubled in the past few years.
As a result, companies and individuals must protect themselves from an ever-growing list of cyber-related threats and the criminals behind them. Many of these attacks are preventable. Running a cybersecurity risk assessment to seek out potential threats can be a start. A majority of attackers rely on stolen login credentials, malware, social engineering or other methods that companies can counteract by deploying security controls and cybersecurity practices, such as risk assessment and risk management frameworks.
Here’s a closer look at how companies can use cybersecurity frameworks to manage security risk and combat hackers.
According to the National Institute of Standards and Technology, a “risk management framework (RMF) provides a process that integrates security, privacy and cyber supply-chain risk management activities into the system development life cycle.”
A framework covers the full scope of cybersecurity and works to reduce risk to a level the organization can accept; no framework eliminates risk outright. It is designed to identify, assess, monitor, reduce and respond to risks, and it builds those activities into the design of systems and networks rather than bolting them on afterward. This makes identifying, assessing and remediating cyber risks more effective.
In addition to protection and prevention, the framework should include traffic monitoring and other tools that detect suspicious activity. Security staff then assess the activity and decide whether it poses a risk. If it does, they categorize the danger and decide on the best response.
Because it lays out each step in the process and accounts for the full range of threats the organization has identified, a cybersecurity framework provides a more holistic approach than isolated, one-off measures.
Risk management frameworks are typically for mid-size and large companies or organizations. Individuals and small companies can use some of the risk management strategies that larger firms rely on, but an overall framework isn’t necessary unless the company is involved in handling sensitive data or has some other heightened risk factor.
The number of digital systems continues to grow, and the list of possible threats is growing with it. For large organizations and companies, a risk management framework is becoming ever more important.
The goal of a risk management framework is to protect against as many types of threats as possible. In today’s cybersecurity climate, such systems pay special attention to three types of dangers.
In 2018, there were more than 812 million malware infections. Malware is software written to damage or take control of a system; it typically arrives through a download by an unwitting user and remains on the system afterward.
Malware can do a lot of damage.
There are different types of malware, but a vast majority of these unwanted programs come from email downloads, downloads via app stores or malicious sites masquerading as legitimate ones.
In addition to teaching users and employees to avoid such downloads, a company can improve its email filtering and have employees do everyday work from non-administrator accounts, so that any malware they run inherits only limited privileges and cannot reach sensitive parts of the network. Network monitoring can also help locate unusual activity.
Ransomware is a kind of malware that encrypts files on a system or device, making it unusable. The attackers hold the key needed to decrypt the data and demand payment from the company that owns the system before they will hand it over.
The potential profits have made these attacks more prevalent. However, companies can fight back. The most effective defense, aside from standard anti-malware measures, is to keep complete, regularly tested backups of system data, stored offline or otherwise out of reach of an intruder, since ransomware that can reach a connected backup will encrypt it too. Then, if an attacker breaks into the system and encrypts the data, you can restore from the backup and resume operations without paying.
In a data breach, hackers steal personal data, financial information or trade secrets, which they can sell to third parties.
Recent targets have included healthcare service providers. While healthcare organizations have been targets of ransomware (the urgency of healthcare services makes them more prone to paying hackers), breaches can be just as destructive. Hackers have stolen medical records, Social Security numbers and other patient data. One of the most well-known hacks of all time involved a data breach of a credit reporting bureau, which compromised the financial information of millions of people.
These breaches typically involve unusual traffic patterns because the stolen data has to leave the network. Encryption, anti-malware software, multifactor authentication and network segmentation that requires separate credentials to reach the systems holding sensitive data can help mitigate the risk of a data breach.
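As an added example, not from the article, here is how the “unusual traffic pattern” check above could be implemented over outbound flow records in Python. The flow lines, the internal address ranges and the per-host daily baseline are all constructed for illustration. The detector sums what each internal host sent to external destinations, ignores internal-to-internal transfers (which never leave the network), and flags hosts far above their normal daily volume.

```python
import ipaddress
from collections import defaultdict

# Constructed flow records for one day (not real traffic). The format is a
# simplified key=value export such as a firewall or NetFlow collector might emit.
FLOWS = """\
2024-03-04T09:12:05Z src=10.0.4.12 dst=203.0.113.7 dport=443 bytes_out=184320000
2024-03-04T10:40:19Z src=10.0.4.12 dst=203.0.113.9 dport=443 bytes_out=5120000
2024-03-04T02:13:44Z src=10.0.7.33 dst=198.51.100.23 dport=443 bytes_out=1310720000
2024-03-04T02:31:02Z src=10.0.7.33 dst=198.51.100.23 dport=443 bytes_out=1290000000
2024-03-04T11:05:51Z src=10.0.7.33 dst=10.0.2.5 dport=445 bytes_out=4000000000
2024-03-04T12:00:00Z src=10.0.9.4 dst=203.0.113.40 dport=22 bytes_out=30000000
2024-03-04T12:00:01Z this line is malformed and must be skipped
"""

# Constructed baseline: typical daily outbound bytes per host (for example the
# median of the previous 30 days). A real deployment computes this from history.
BASELINE = {
    "10.0.4.12": 200_000_000,
    "10.0.7.33": 50_000_000,
    "10.0.9.4": 20_000_000,
}

# Assumed: the organization's own address space. Defined explicitly rather than
# via ipaddress.is_private, which also treats documentation ranges as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_flow(line):
    """Parse one record into a dict, or return None if it is malformed."""
    parts = line.split()
    if len(parts) < 5:
        return None
    rec = {"ts": parts[0]}
    for kv in parts[1:]:
        if "=" not in kv:
            return None
        key, value = kv.split("=", 1)
        rec[key] = value
    try:
        rec["bytes_out"] = int(rec["bytes_out"])
        ipaddress.ip_address(rec["src"])
        ipaddress.ip_address(rec["dst"])
    except (KeyError, ValueError):
        return None
    return rec


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def outbound_bytes_by_host(text):
    """Sum the bytes each internal host sent to destinations outside the network.
    Internal-to-internal transfers are ignored: however large, they have not
    left the network."""
    totals = defaultdict(int)
    for line in text.splitlines():
        rec = parse_flow(line)
        if rec is None:
            continue
        if is_internal(rec["src"]) and not is_internal(rec["dst"]):
            totals[rec["src"]] += rec["bytes_out"]
    return dict(totals)


def flag_exfiltration(totals, baseline, ratio=5.0, min_bytes=50_000_000):
    """Return (host, bytes, reason) for hosts whose outbound volume is at least
    `ratio` times their baseline and above an absolute floor. The floor stops a
    normally quiet host from alerting on a few extra megabytes; a host with no
    baseline at all is judged on the floor alone."""
    alerts = []
    for host, sent in sorted(totals.items()):
        base = baseline.get(host)
        if base is None:
            if sent >= min_bytes:
                alerts.append((host, sent, "no baseline, exceeds absolute floor"))
        elif sent >= max(ratio * base, min_bytes):
            alerts.append((host, sent, f"{sent / base:.1f}x daily baseline"))
    return alerts


def run_detection(text=FLOWS, baseline=BASELINE):
    return flag_exfiltration(outbound_bytes_by_host(text), baseline)


if __name__ == "__main__":
    for host, sent, reason in run_detection():
        print(f"ALERT {host}: {sent / 1e9:.2f} GB outbound ({reason})")
```

On the constructed data only 10.0.7.33 is flagged: its 2.6 GB to an external address is about 52 times its usual daily volume, while its 4 GB copy to an internal file server is not counted. The ratio and floor are tuning knobs; in practice they are set from the organization’s own traffic history, and a hit is a lead for an analyst to investigate rather than proof of a breach.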
There are several types of frameworks. Each relies on slightly different steps and strategies to mitigate risk. Here is a look at some of the most common options for companies and organizations.
The NIST Cybersecurity Framework favors proactivity. Cybersecurity team members assess the organization against the framework’s more than 100 outcome categories, looking for vulnerabilities. They also pay attention to the latest cybersecurity intelligence and add protections that account for new threats.
With this information, the team assesses the risk level of each threat, weighing both its likelihood of occurrence and the potential damage it could cause. They can then prioritize protection and mitigation for the most serious threats.
The International Organization for Standardization (ISO) provides guidelines for risk management. This framework focuses on researching and identifying risks. It requires creating and constantly updating risk criteria and then repeatedly assessing threats based on the latest criteria.
The framework is meant to identify risks of breaches and other types of cybersecurity threats, and it calls for auditing the risk assessment process itself to ensure it produces accurate results. Team members can then respond based on the level of risk.
The FAIR Institute (FAIR stands for Factor Analysis of Information Risk) uses a risk management framework with very specific steps. It favors a proactive strategy built on creating and refining quantitative risk models, so that assessments produce figures, such as how often a loss event is likely to occur and how much it would cost, that give management enough data for informed decisions.
There is also a holistic element to the FAIR framework because it assesses cybersecurity risk as a whole, including people, processes and policies. It is described as a cost-effective option because it does not simply focus on adding new technology or investing in new systems.
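As an added example that is not from the article, NIST or the FAIR Institute, here is a simplified FAIR-style quantitative assessment in Python. It takes the two quantities the NIST section weighs, likelihood and impact, as calibrated three-point estimates (loss events per year and loss per event), runs a Monte Carlo simulation, and ranks scenarios by expected annual loss so the most serious ones can be prioritized. The scenario names and numbers are constructed, and FAIR’s full taxonomy (threat event frequency, vulnerability, primary versus secondary loss) is collapsed into those two factors.

```python
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """A loss scenario with calibrated (low, most likely, high) estimates.
    freq: loss events per year; magnitude: loss per event in USD."""
    name: str
    freq: tuple
    magnitude: tuple


# Constructed scenarios for a hypothetical mid-size company (not from the article).
SCENARIOS = [
    Scenario("Ransomware on file servers", (0.1, 0.3, 1.0), (50_000, 250_000, 2_000_000)),
    Scenario("Phishing credential theft", (2.0, 5.0, 12.0), (1_000, 5_000, 40_000)),
    Scenario("Lost unencrypted laptop", (0.5, 1.0, 3.0), (5_000, 20_000, 100_000)),
]


def draw(rng, low, mode, high):
    """Sample a three-point estimate as a triangular distribution."""
    return rng.triangular(low, high, mode)


def events_in_year(rng, rate):
    """Number of loss events in one year for a Poisson process with the given
    rate, counted by summing exponential inter-arrival times until the year ends."""
    count, t = 0, rng.expovariate(rate)
    while t < 1.0:
        count += 1
        t += rng.expovariate(rate)
    return count


def simulate_annual_loss(scenario, trials=10_000, seed=1):
    """Monte Carlo: each trial draws a frequency, the number of events that
    frequency produces in a year, and a separate magnitude for each event."""
    rng = random.Random(seed)
    losses = []
    for _ in range(trials):
        rate = draw(rng, *scenario.freq)
        n = events_in_year(rng, rate)
        losses.append(sum(draw(rng, *scenario.magnitude) for _ in range(n)))
    return losses


def summarize(losses):
    """Annualized loss expectancy plus the spread management usually asks for."""
    s = sorted(losses)
    pct = lambda p: s[min(len(s) - 1, int(p * len(s)))]
    return {
        "mean": statistics.fmean(losses),
        "p10": pct(0.10), "p50": pct(0.50), "p90": pct(0.90),
        "p_any_loss": sum(1 for x in losses if x > 0) / len(losses),
    }


def analytic_mean(scenario):
    """Expected annual loss in closed form: E[frequency] x E[magnitude].
    The mean of a triangular distribution is (low + mode + high) / 3."""
    return (sum(scenario.freq) / 3) * (sum(scenario.magnitude) / 3)


def rank_scenarios(scenarios=SCENARIOS, trials=10_000, seed=1):
    """Scenarios ordered by expected annual loss, highest first."""
    ranked = [(s.name, summarize(simulate_annual_loss(s, trials, seed))) for s in scenarios]
    ranked.sort(key=lambda item: item[1]["mean"], reverse=True)
    return ranked


if __name__ == "__main__":
    for name, r in rank_scenarios():
        print(f"{name:28s} ALE ${r['mean']:>11,.0f}  p50 ${r['p50']:>11,.0f}  "
              f"p90 ${r['p90']:>11,.0f}  P(any loss) {r['p_any_loss']:.0%}")
```

The mean of the simulated annual loss is just likelihood multiplied by impact, which is what the qualitative NIST-style ranking approximates with ordinal scores; the simulation adds the distribution around it, so a rare but catastrophic scenario (ransomware here) can be compared to a frequent, cheap one (phishing) on the same dollar scale, and the 90th percentile shows how bad a year could be rather than only the average.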
As you can see, there are various risk management frameworks. Which one a company may use depends on factors such as company size, level of security risk and other specific needs. Those who work with these frameworks directly contribute to the mission-critical processes that keep a company safe.
Finding the right cybersecurity risk management program after a thorough assessment can help curb security issues long term, so it’s important to find the right one for your organization or business.
Does cybersecurity risk management interest you? Consultants and IT employees who deal with risk management frameworks typically have a technology degree. While a bachelor’s in information technology will typically give you the background necessary for a job in the cybersecurity field, you can also pursue a more specialized education with a degree like a bachelor’s in cybersecurity.
If you work for a large corporation or government agency, you may choose to pursue a master’s degree in cybersecurity.
University of Phoenix offers online course collections, certificates, bachelor’s degrees and master’s degrees to accommodate established and aspiring IT professionals looking to enhance their knowledge in this field. Learn more about undergraduate and graduate online technology degrees from UOPX and start your IT journey today!
A graduate of Johns Hopkins University and its Writing Seminars program and winner of the Stephen A. Dixon Literary Prize, Michael Feder brings an eye for detail and a passion for research to every article he writes. His academic and professional background includes experience in marketing, content development, script writing and SEO. Today, he works as a multimedia specialist at University of Phoenix where he covers a variety of topics ranging from healthcare to IT.
Currently Dean of the College of Business and Information Technology, Kathryn Uhles has served University of Phoenix in a variety of roles since 2006. Prior to joining University of Phoenix, Kathryn taught fifth grade to underprivileged youth in Phoenix.
This article has been vetted by University of Phoenix's editorial advisory committee.