Skip to content

Risk Management: in good times and in bad times.

It is no secret that cybersecurity threats are ever increasing. It is sometimes said there are only two kinds of organizations: those who know they have been breached, and those who do not know it yet.

To mitigate the risk and damage associated with cybersecurity, it is important to:

  • know how to assess these risks
  • know how to improve your defenses via security-by-design.
  • plan for what to do if (and when) things do go sideways.

What we offer

Lesterius is a plutinum level FileMaker partner

Our approach

Our approach combines experienced professionals, modern technological solutions and proven strategies to provide the most comprehensive solutions to modern-day security, safety and risk management issues.

Lesterius’ European resources and cross-industry expertise allow us to offer real-time assistance, proven solutions and strategic planning to help organizations navigate the most unpredictable of times with confidence.

Co-creation

Every organisation and case is different. Every risk management plan is tailored and co-created by your team and our consultants. Together we establish where the priorities, (budget)limits and ambitions are and work from there.

Identify

Identify the risks that might compromise your cyber security. This usually involves identifying cyber security vulnerabilities in your system and the threats that might exploit them.

Analyse

Analyse the severity of each risk by assessing how likely it is to occur, and how significant the impact might be if it does.

Evaluate

Evaluate how each risk fits within your risk appetite (your predetermined level of acceptable risk).

Prioritise

Prioritise

Threat

Decide how to respond to each risk. There are generally four options:

    • Treat – modify the likelihood and/or impact of the risk, typically by implementing security controls.
    • Tolerate – make an active decision to retain the risk (e.g. because it falls within the established risk acceptance criteria).
    • Terminate – avoid the risk entirely by ending or completely changing the activity causing the risk.
    • Transfer – share the risk with another party, usually by outsourcing or taking out insurance.

Monitor

Since cyber risk management is a continual process, monitor your risks to make sure they are still acceptable, review your controls to make sure they are still fit for purpose, and make changes as required. Remember that your risks are continually changing as the cyber threat landscape evolves, and your systems and activities change.

The CIA model

The CIA triad is the respected model that forms the basis for the development of security systems and policies. The three letters in “CIA triad” stand for Confidentiality, Integrity, and Availability. It is widely used for the identification of vulnerabilities and methods for addressing problems and creating effective solutions.

The confidentiality, integrity, and availability of information is crucial to the operation of a business, and the CIA triad segments these three ideas into separate focal points. This differentiation is helpful because it helps guide security teams as they pinpoint the different ways in which they can address each concern.

When all three standards have been met, the security profile of the organization is stronger and better equipped to handle threat incidents.

Confidentiality:

Confidentiality involves the efforts of an organization to make sure data is kept secret or private. To accomplish this, access to information must be controlled to prevent the unauthorized sharing of data—whether intentional or accidental. A key component of maintaining confidentiality is making sure that people without proper authorization are prevented from accessing assets important to your business. Conversely, an effective system also ensures that those who need to have access have the necessary privileges.

For example, those who work with an organization’s finances should be able to access the spreadsheets, bank accounts, and other information related to the flow of money. However, the vast majority of other employees—and perhaps even certain executives—may not be granted access. To ensure these policies are followed, stringent restrictions have to be in place to limit who can see what.

Integrity:

Integrity involves making sure your data is trustworthy and free from tampering. The integrity of your data is maintained only if the data is authentic, accurate, and reliable.

For example, if your company provides information about senior managers on your website, this information needs to have integrity. If it is inaccurate, those visiting the website for information may feel your organization is not trustworthy. Someone with a vested interest in damaging the reputation of your organization may try to hack your website and alter the descriptions, photographs, or titles of the executives to hurt their reputation or that of the company as a whole.

Compromising integrity is often done intentionally. An attacker may bypass an intrusion detection system (IDS), change file configurations to allow unauthorized access, or alter the logs kept by the system to hide the attack. Integrity may also be violated by accident. Someone may accidentally enter the wrong code or make another kind of careless mistake. Also, if the company’s security policies, protections, and procedures are inadequate, integrity can be violated without any one person in the organization accountable for the blame.

To protect the integrity of your data, you can use hashing, encryption, digital certificates, or digital signatures. For websites, you can employ trustworthy certificate authorities (CAs) that verify the authenticity of your website so visitors know they are getting the site they intended to visit.

Availability:

Even if data is kept confidential and its integrity maintained, it is often useless unless it is available to those in the organization and the customers they serve. This means that systems, networks, and applications must be functioning as they should and when they should. Also, individuals with access to specific information must be able to consume it when they need to, and getting to the data should not take an inordinate amount of time.

If, for example, there is a power outage and there is no disaster recovery system in place to help users regain access to critical systems, availability will be compromised. Also, a natural disaster like a flood or even a severe snowstorm may prevent users from getting to the office, which can interrupt the availability of their workstations and other devices that provide business-critical information or applications. Availability can also be compromised through deliberate acts of sabotage, such as the use of denial-of-service (DoS) attacks or ransomware.

To ensure availability, organizations can use redundant networks, servers, and applications. These can be programmed to become available when the primary system has been disrupted or broken. You can also enhance availability by staying on top of upgrades to software packages and security systems. In this way, you make it less likely for an application to malfunction or for a relatively new threat to infiltrate your system. Backups and full disaster recovery plans also help a company regain availability soon after a negative event.

Case Studies

European Bank, Industry: Finance,

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum

French Government institute, Industry: Government,

Sed ut perspiciatis unde omnis iste natus error sit voluptatem accusantium doloremque laudantium, totam rem aperiam, eaque ipsa quae ab illo inventore veritatis et quasi architecto beatae vitae dicta sunt explicabo. Nemo enim ipsam voluptatem quia voluptas sit aspernatur aut odit aut fugit, sed quia consequuntur magni dolores eos qui ratione voluptatem sequi nesciunt.

Swiss Consultancy Agency, Industry: HR & Recruiting,

Neque porro quisquam est, qui dolorem ipsum quia dolor sit amet, consectetur, adipisci velit, sed quia non numquam eius modi tempora incidunt ut labore et dolore magnam aliquam quaerat voluptatem. Ut enim ad minima veniam, quis nostrum exercitationem ullam corporis suscipit laboriosam, nisi ut aliquid ex ea commodi consequatur.

Let’s get the conversation started