Work from Home (WFH) has not only become the new normal for many; it is increasingly clear that, at companies where remote work is possible, it is likely to continue to a great degree even after the COVID-19 crisis passes. The line between home and office has probably been blurred permanently.
That means CISOs need to look beyond the short-term challenges of recent weeks and start thinking about the ongoing risks from a distributed workforce and how they would affect the bottom line.
Erin Macuga is a Risk Consultant with RiskLens
By utilizing the RiskLens SaaS platform, running on the FAIR standard for cyber risk quantification, analysts can quantify probable risks in dollars and cents for WFH loss events such as:
Quantitative Risk Analysis for Unpatched Endpoint Vulnerabilities
One specific example from above would be looking into the potential ramifications of an unpatched vulnerability. Some companies are putting patches and updates on hold as their resources are strained with the new work from home culture. They may be looking to install features that would provide stability from the increased external traffic of the remote workforce. However, this interruption in patching will leave vulnerabilities on enterprise endpoints open to be exploited by malicious actors.
In order to define the specific risk scenarios related to this vulnerability, the analyst would start by determining which item of value is of the most concern. This could range from a specific workstation with access to high-value information, such as your head of sales, to a particular database, or even a specific process that would be impacted by an unpatched endpoint vulnerability. In this instance, let's say the most probable and biggest concern is a particular database accessed by all employees.
Asset: Key database containing sensitive information
Threat: External Actor (Cyber Criminal)
Method: Exploiting an unpatched endpoint vulnerability & targeting the database
With the scenario defined, the analyst would then talk to SMEs within the organization, or draw on knowledge they already have, to determine the loss magnitude (associated cost). This is done by looking at the six forms of loss from the FAIR model, which either directly affect the organization or indirectly affect customers and other stakeholders, if this incident were to occur.
Top Risks Reporting and Risk Assessment for Work from Home Cybersecurity
This same approach can be taken to clearly define each of the concerns facing the organization. Then, using the Rapid Risk Assessment capability of the RiskLens platform, in minutes per scenario, the company can determine what the costs would be if each event were to occur. By doing so, they can quickly determine the top risks to the organization as employees work from home and begin to address them accordingly.
The results of each individual risk scenario will include the most likely cost if this event occurred in the next year, including the 10th and 90th percentiles, to give a range of values. This annualized loss exposure can then be used to show decision makers what the loss exposure would be and how best to prioritize security investments.
Additionally, these scenarios can be aggregated to calculate a total loss exposure. The chart below is a loss exceedance curve showing the aggregate annualized loss exposure (ALE) of all the WFH risks from the list above. The values on the curve show the range of annual loss the organization is exposed to from WFH-related scenarios in a given year.
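To make the mechanics of the last few steps concrete, here is a Monte Carlo sketch of the calculation, added for this page rather than taken from the RiskLens platform: a scenario is defined by a loss-event frequency range and a per-event range for each of the six FAIR forms of loss, the simulation produces the 10th/50th/90th percentile range and ALE, scenarios are aggregated year by year, and a loss exceedance curve is read off the aggregate. All input ranges are constructed and illustrative, and triangular draws stand in for the PERT distributions FAIR tooling normally uses.

```python
import math
import random

# Constructed illustrative inputs, not from the article. Ranges are (min, most likely, max).
# "lef" = loss events per year; "loss_forms" = USD per event for the six FAIR forms of loss,
# in order: productivity, response, replacement, fines/judgments, competitive advantage, reputation.
SCENARIOS = [
    {"name": "Unpatched endpoint vuln -> key database (external cyber criminal)",
     "lef": (0.1, 0.5, 2.0),
     "loss_forms": [(10_000, 50_000, 200_000), (20_000, 75_000, 300_000), (0, 5_000, 50_000),
                    (0, 100_000, 1_000_000), (0, 20_000, 500_000), (0, 50_000, 800_000)]},
    {"name": "WFH scenario B (constructed placeholder)", "lef": (0.5, 1.0, 3.0),
     "loss_forms": [(5_000, 20_000, 80_000), (5_000, 15_000, 60_000), (0, 2_000, 20_000),
                    (0, 0, 100_000), (0, 0, 50_000), (0, 10_000, 200_000)]},
]

def poisson(rng, lam):
    """Knuth's sampler (stdlib random has no Poisson): number of loss events in one year."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def simulate_annual_losses(scenario, trials=10_000, seed=1):
    """Monte Carlo: per trial draw a frequency, the number of events that year, then the six
    forms of loss per event. Triangular draws replace FAIR's PERT distributions (simplification)."""
    rng = random.Random(seed)
    lo, ml, hi = scenario["lef"]
    annual = []
    for _ in range(trials):
        events = poisson(rng, rng.triangular(lo, hi, ml))
        annual.append(sum(sum(rng.triangular(a, c, b) for a, b, c in scenario["loss_forms"])
                          for _ in range(events)))
    return annual

def percentile(values, p):
    s = sorted(values)
    return s[min(len(s) - 1, int(p / 100 * len(s)))]

def summarize(annual):
    """ALE (mean annual loss) plus the 10th/50th/90th percentile range shown to decision makers."""
    return {"ale": sum(annual) / len(annual), "p10": percentile(annual, 10),
            "p50": percentile(annual, 50), "p90": percentile(annual, 90)}

def aggregate(per_scenario):
    """Total exposure: add each scenario's loss within the same simulated year (never add percentiles)."""
    return [sum(year) for year in zip(*per_scenario)]

def exceedance_curve(annual, thresholds):
    """Loss exceedance curve: P(annual loss > threshold) for each threshold."""
    return [(t, sum(x > t for x in annual) / len(annual)) for t in thresholds]
```

Running `summarize` on each scenario and on `aggregate(...)` reproduces the per-scenario and aggregate ALE figures the article describes; note that a year with zero loss events contributes a zero, which is why the 10th percentile of a low-frequency scenario is often $0.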
Get Started with RiskLens Cyber Risk Solutions for Remote Work Security Challenges
RiskLens offers a Rapid Risk Assessment solution using the RiskLens platform, the SaaS solution built on the FAIR model, the international standard for cyber and technology risk quantification. With a Rapid Risk Assessment, organizations are able to identify, prioritize and communicate their top risks in financial terms, with the speed and clarity that the business demands.
Contact us to learn more about Rapid Risk Assessment and cyber risk quantification.
RiskLens is leading a revolution in the way cyber risk is assessed, measured and managed by bringing to market a Software as a Service solution that makes cyber risk quantification a reality. We help organizations translate cyber risk from the technical into the economic language of business.