Gilchrist Mushwana
BDO can assist with cyber risk assessments by using multiple security and cybersecurity frameworks. A risk assessment forms part of the bigger cybersecurity governance picture. Cybersecurity governance, amongst other things, deals with the management of risks. A risk assessment is therefore the foundation for the remediation of identified cyber risks and the enforcement of cyber controls. A cyber risk is composed of two elements:
- Cyber threat. A threat is a malicious action taken by an attacker that exploits a vulnerability in a manual or automated system.
- Cyber vulnerability. A vulnerability is a weak point in a manual or automated system which can be exploited by an attacker to achieve nefarious goals – e.g. theft of data, alteration of data, unauthorised transactions or the destruction of data and systems.
BDO can assist with the implementation of appropriate risk responses to cyber threats, ranging from risk mitigation (by means of directive, preventive, detective and/or corrective cyber controls), to sharing of risks with another party (e.g. with an insurance firm by taking out cyber insurance), to transferring cyber risks to another party (e.g. a third party providing Security Operations Center (SOC) monitoring), to avoidance of certain cyber threats (e.g. by not linking certain elements of an internal network to the Internet).
BDO can also assist with the implementation of cyber controls – focusing on four types of controls:
- Directive cyber controls: These kinds of controls direct actions and behaviour in an organisation. They normally include the implementation of a cyber-framework, with cyber policies, procedures and standards derived from the chosen cyber-framework.
- Preventive cyber controls: These kinds of controls are designed to stop cyber threats from materialising in the first instance. Although preventive controls are an organisation’s first line of defence, they can and will fail from time to time. Preventive controls are not enough on their own and must be complemented by detective and corrective controls.
- Detective cyber controls: In the future, organisations will have to rely more and more on detective controls to identify attacks in real time – as preventive controls will fail.
- Corrective cyber controls: Detected attacks will have to be corrected in the shortest timeframe possible.