Person 1
Mitigating Risk
Many small businesses have taken a hit as a result of the outbreak. It can even lead to the closure of a small company. In this case study, the company suffers tremendous losses due to the pandemic’s irresponsibility. The following are three to five potential risk response options to consider for handling a crisis situation.
Risk Response Options
The first option is to avoid the risk. As the name implies, ending a particular action or opting not to begin is a risk response option. When a company/business decides to avoid a risk, it reduces the likelihood of the risk causing harm to the business. A recent change to working from home to protect workers from contracting COVID-19 is one instance. Most firms avoid the risk of their employees falling ill (Bhoola et al., 2014).
The second option is to reduce. In ERM terms, it includes taking steps to reduce the probability or effect of a loss. Lowering is a workable option for bringing the hazard within reasonable limits if the danger is somewhat more than the desire and acceptance level. Transfer is the third option. Unlike options 1 and 2, this option exports or shifts responsibility for the risk to a third party instead of removing or reducing its chance. Purchasing home insurance doesn’t decrease or prevent power outages, but it can provide a financial cushion if damage occurs (Williams, 2019). The fourth option is to accept. There would be other dangers beyond the threshold for which one of the other response options will be unsuccessful, because the likelihood and impact are so low that devoting resources to avoid, transfer, or reduce the risk does not make sense.
Evaluating the Risk Response Options
When evaluating risk response options, the first factor is senior management engagement and support. Risk factors such as leadership support, company vision, and external expertise have an influence. The results suggest that support from top management affects the organizational system’s overall success.
The second factor is Communication. Communication is essential in risk management. It allows for explanation, for making sense of the organization’s success, and for members to examine how to enhance the organization and the effects of various risk mitigation techniques.
The third factor is Organizational Structure. The advisory board conducts the organizational structure, which gives the personnel the concept, guidelines, direction, and assistance. They create and teach staff how to share and employ a common language. Individuals collaborate as a team to avoid divisions and to include resistant employees in the process.
Bad Actors
There are potential opportunities for criminal actors to harm enterprises, such as the exploitation of modern teleworking technology. Many businesses have quickly implemented networks involving VPNs and associated IT infrastructure while transitioning their whole workforce to telecommuting. Cybercriminal actors exploit various publicly known flaws in VPNs and other remote working technologies and software to take advantage of this widespread shift to telework.
A group of actors has stolen user credentials using COVID-19-related phishing. These emails use the previously mentioned COVID-19 methods of social engineering, which are occasionally supplemented with urgent language to increase attraction (Sailio et al., 2020). When the user clicks on the hyperlink, a faked log-in page with a credential entry form displays. Previously, monetary benefits such as government payments and rebates (such as tax rebates) have been utilized as a part of the bait in SMS phishing. This economic theme is continued by coronavirus-related phishing, especially due to the economic effect of the outbreak and governments’ job and financial assistance packages.
Technical Controls
The technical measures that “Hintel” could put in place to limit cybersecurity risks posed by these malicious actors include firewalls, encryption, intrusion detection systems (IDS), and procedures for identity and verification. Technical controls manage several key functions, including detecting unwanted users accessing the system and identifying security problems (Harford, 2022). Since technical controls are so important, some people assume them to be the totality of cybersecurity, disregarding other key factors.
References
Bhoola, V., Hiremath, S. B., & Mallik, D. (2014). An Assessment of risk response strategies practiced in software projects. Australasian Journal of Information Systems, 18(3). https://doi.org/10.3127/ajis.v18i3.923
Harford, I. (2022). Types of cybersecurity controls and how to place them. SearchSecurity. https://www.techtarget.com/searchsecurity/feature/Types-of-cybersecurity-controls-and-how-to-place-them
Sailio, M., Latvala, O.-M., & Szanto, A. (2020). Cyber Threat Actors for the Factory of the Future. Applied Sciences, 10(12), 4334. https://doi.org/10.3390/app10124334
Williams, C. (2019, February 12). 4 risk response strategies you will have to consider after assessing risks. ERM Insights by Carol. https://www.erminsightsbycarol.com/risk-response-strategies/
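The credential-phishing pattern described in the "Bad Actors" section (urgent COVID-19 wording, a hyperlink leading to a faked log-in page) can be triaged automatically before a user ever clicks. The following is an added example, not part of this post or of any cited source: it scores a message on three constructed indicators, urgency or lure wording, visible link text that does not match the link target, and a domain that mimics the trusted one. The trusted domain "hintel.example", the lure terms, the sample messages and the scoring weights are all assumptions made for the illustration.

```python
"""Added example: scoring a constructed email for common credential-phishing
indicators (urgency wording, link text that does not match its target, and
look-alike domains). Sample messages, domains and thresholds are constructed
for illustration and are not drawn from any real incident."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed legitimate domain for the fictional company in the case study.
TRUSTED_DOMAINS = {"hintel.example"}

# Lure vocabulary seen in pandemic-themed phishing (constructed list).
URGENCY_TERMS = ("urgent", "immediately", "within 24 hours", "relief payment",
                 "stimulus", "covid-19", "coronavirus", "suspended")


class LinkExtractor(HTMLParser):
    """Collect (visible text, href) pairs from anchor tags."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def registrable_domain(host):
    """Crude eTLD+1: last two labels (sufficient for the constructed samples)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def looks_alike(domain, trusted):
    """True if `domain` embeds a trusted name without being that domain
    (e.g. hintel-login.example mimicking hintel.example)."""
    if domain in trusted:
        return False
    base = domain.split(".")[0]
    return any(t.split(".")[0] in base for t in trusted)


def score_email(subject, html_body):
    """Return (score, reasons) for a message; higher means more suspicious."""
    score, reasons = 0, []
    text = f"{subject} {re.sub('<[^>]+>', ' ', html_body)}".lower()
    hits = [t for t in URGENCY_TERMS if t in text]
    if hits:
        score += 1
        reasons.append(f"urgency/lure wording: {', '.join(hits)}")
    parser = LinkExtractor()
    parser.feed(html_body)
    for visible, href in parser.links:
        target = registrable_domain(urlparse(href).hostname or "")
        # Visible text that itself looks like a URL but points elsewhere.
        if re.match(r"https?://", visible):
            shown = registrable_domain(urlparse(visible).hostname or "")
            if shown != target:
                score += 2
                reasons.append(f"link text {shown} but href {target}")
        if looks_alike(target, TRUSTED_DOMAINS):
            score += 2
            reasons.append(f"look-alike domain: {target}")
        if target and target not in TRUSTED_DOMAINS and "login" in href.lower():
            score += 1
            reasons.append(f"external login page: {href}")
    return score, reasons


# Constructed sample messages (not real email).
PHISH = ("URGENT: COVID-19 relief payment - confirm your account within 24 hours",
         '<p>Sign in to claim your payment: '
         '<a href="https://hintel-login.example/login">https://hintel.example/portal</a></p>')
BENIGN = ("Q3 all-hands recording",
          '<p>The recording is on the <a href="https://hintel.example/intranet/allhands">intranet</a>.</p>')

if __name__ == "__main__":
    for name, msg in (("phish", PHISH), ("benign", BENIGN)):
        print(name, score_email(*msg))
```

The score is a triage aid, not a verdict: a message scoring 5 or more on these constructed weights would be held for review, while the mismatched-link and look-alike-domain checks are the ones worth keeping even if the lure vocabulary changes, since they do not depend on the current pretext.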
Person 2
As the CIO of Hintel, I would use the NIST RMF to identify and address the risk response options. The organization has already been using the NIST frameworks for a while, and using NIST RMF will be the best option to approach risk management in the new situation.
I will consider NIST Special Publication 800-39, “Managing Information Security Risk,” when crafting the response options.
Given that “Hintel” is a vast organization with an international presence, implementing the risk response measures will be challenging. To prioritize the risk response options, I will start by separating them based on the time they will take to implement.
The tactical risk response measures that can be applied quickly will be the first ones to work on, while the strategic risk response measures will take longer.
As the CIO of the “Hintel” organization, my risk response plan will identify these risk response options.
A policy change will allow employees to work remotely and in flexible shifts, and will enable the organization to be more prepared for absence. The new policy will also focus on ensuring the environment’s safety for those who come to work in person.
More focus on communication. With so many changes daily, my plan will focus on increasing communication so that uncertainty is avoided.
Focus on the necessary technology to enable remote work. With the sharp increase in remote working, the existing technology will be under great stress, and work can be affected. We need to upgrade or replace that current technology.
My plan will also focus on the training related to the new tools the organization’s users will be forced to use for enabling remote work.
An essential part of my response plan will be to focus on the security of the new way of working. Remote work will open access to the organization’s sensitive data. To protect that, my plan will include close work with the CSO to secure the new way of working. MFA implementation, the disaster recovery plan, and backup operations will all be revised, updated, and tested. Particular emphasis will be put on monitoring network access to shorten the response time in case of a breach.
Factors to consider when evaluating the risk response above should be:
Personnel availability: COVID-19 produced a significant workforce shift that resulted in personnel shortages for many companies. As the CIO of “Hintel,” I need to consider that as a factor when evaluating the risk response.
The financial situation: With $75 million in losses daily, as the CIO of “Hintel,” I should consider the best and most financially effective solutions. The financial situation needs to be considered as a factor when evaluating the risk options.
Supply chain issues: During COVID-19, supply chain shortages became a worldwide issue, and as the CIO of “Hintel,” I need to consider that as a factor when evaluating the risk options.
This new situation enables the bad actors. The potential opportunities that could be exploited are:
With the changes triggered by the COVID-19 situation, attacks on remote devices are a significant risk we need to consider.
The network connection for the remote devices is also a significant risk we need to consider as the attack surface increased significantly with many employees working from home.
Phishing attacks are now another opportunity for the bad actors that the “Hintel” organization needs to consider.
The technical controls that “Hintel” could implement to reduce cybersecurity-related risks from the bad actors mentioned above are:
Patch management software such as Tanium needs to be considered, which will address the patching for all the devices in the organization.
VPN and MFA will be installed on all the remote devices to allow remote work. AnyConnect for the VPN and Symantec VIP are options recommended for Hintel.
Suitable software for phishing training and simulation such as ESET or Phished is recommended for “Hintel.”
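The post above pairs VPN-plus-MFA on every remote device with monitoring of network access to shorten response time. The following is an added example, not code from the post and not the log format of AnyConnect, Symantec VIP or any other product named here: it triages constructed VPN authentication log lines for the two conditions a remote-work rollout should alert on first, a successful login that was not backed by MFA (a gap in the MFA rollout) and an account that succeeded immediately after a burst of failures (a sign that a guessed or phished password worked). The line format, users, addresses, threshold and window are all assumptions made for the illustration.

```python
"""Added example: triaging constructed VPN authentication log lines for
(a) successful logins not backed by MFA and (b) a success following a burst
of failures on the same account. Log format, users, addresses and thresholds
are constructed; they are not Hintel's or any vendor's actual log format."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed line format: "<timestamp> user=<name> src=<ip> result=<success|failure> mfa=<yes|no>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"result=(?P<result>success|failure) mfa=(?P<mfa>yes|no)$")

FAILURE_THRESHOLD = 5            # failures before a success that we flag (assumed)
WINDOW = timedelta(minutes=10)   # look-back window for those failures (assumed)

# Constructed sample log (documentation-range addresses, fictional users).
SAMPLE_LOG = """\
2023-03-16T08:00:01Z user=alice src=203.0.113.10 result=success mfa=yes
2023-03-16T08:02:11Z user=bob src=198.51.100.7 result=failure mfa=no
2023-03-16T08:02:14Z user=bob src=198.51.100.7 result=failure mfa=no
2023-03-16T08:02:17Z user=bob src=198.51.100.7 result=failure mfa=no
2023-03-16T08:02:20Z user=bob src=198.51.100.7 result=failure mfa=no
2023-03-16T08:02:23Z user=bob src=198.51.100.7 result=failure mfa=no
2023-03-16T08:02:40Z user=bob src=198.51.100.7 result=success mfa=yes
2023-03-16T08:05:02Z user=carol src=192.0.2.55 result=success mfa=no
2023-03-16T08:09:30Z user=dave src=203.0.113.77 result=failure mfa=no
2023-03-16T08:09:45Z user=dave src=203.0.113.77 result=success mfa=yes
"""


def parse(log_text):
    """Parse log lines into dicts with a datetime 'ts'; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the triage
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(d)
    return sorted(events, key=lambda e: e["ts"])


def triage(log_text):
    """Return a list of (finding, user, src) tuples in time order."""
    findings = []
    recent_failures = defaultdict(list)  # user -> timestamps of failures
    for e in parse(log_text):
        if e["result"] == "failure":
            recent_failures[e["user"]].append(e["ts"])
            continue
        # A successful login: check MFA first, then the failure history.
        if e["mfa"] == "no":
            findings.append(("no_mfa", e["user"], e["src"]))
        window_start = e["ts"] - WINDOW
        recent = [t for t in recent_failures[e["user"]] if t >= window_start]
        if len(recent) >= FAILURE_THRESHOLD:
            findings.append(("success_after_failures", e["user"], e["src"]))
        recent_failures[e["user"]].clear()  # history consumed by this success
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(*finding)
```

Run against the sample, the "no_mfa" finding for carol is the one that shortens response time most directly: it shows the MFA rollout is incomplete on a live account, which is cheaper to fix before an incident than after. The threshold and window are deliberately parameters, since the right values depend on how noisy legitimate failed logins are in a given environment.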