Cyberattacks
Every CISO should ask themselves these 5 questions
Cyber attacks are now part of everyday life. The size and sector of the company hardly matter any more. However, how the attacks take place and whether they are successful depends on the company's own cyber security measures. Continuous risk assessment is important at this point. Not an easy task for the responsible CISO these days.
According to the latest Allianz Risk Barometer, cyber incidents are currently the biggest business risk worldwide. As IT forms the basis for almost all business processes these days, its failure affects all areas of a company. This puts some Chief Information Security Officers (CISOs) in a complicated situation: they are required not only to be aware of cyber risks, but also to be able to assess the risk they pose. They should ask themselves the following five questions when assessing risks in order to achieve their goal of secure cybersecurity:
1. Where are our weak points?
There are three types of vulnerability: procedural, technical and human. The first category includes emergency plans that have never been tested and do not work in an emergency. Technical vulnerabilities can be classified according to their severity using the CVSS (Common Vulnerability Scoring System). Human errors are just as normal in cybersecurity as technical gaps, for example forgetting to set a password for a new cloud instance in a stressful moment or falling for a phishing email. Identifying these vulnerabilities requires an exchange of information between the various specialist departments and an overview of the processes in the IT environment, all cloud services and all systems.
2. How do attackers proceed?
Despite a potentially lower CVSS score, CISOs should not neglect older, less highly prioritized vulnerabilities. These can be highly attractive to cyber criminals: because they are often overlooked or not prioritized in analyses, they are frequently much easier to exploit. For the risk assessment it is therefore important to take into account not only the industry and company size (a large public authority, say, or a medium-sized craft business) but also information about currently active attacker groups and their approach, including which vulnerabilities they use.
3. What is my probability of attack?
The probability of attack is determined from the factors "current cybercriminal activity" and "discovered vulnerabilities" by asking two questions: "Does the size of my company fall within the scope of current hacker activity?" And: "Is there a vulnerability in the company that is currently being targeted frequently?" If the answer to these two questions is "yes", the risk of an incident is high. It should also be noted that around 90% of all cyber attacks are financially motivated and are intended to be carried out with as little effort as possible. In short: companies that offer little resistance are more attractive to cyber criminals.
4. What would be the consequences of a cyberattack?
The risk assessment and the need for action result from the probability of occurrence and the amount of potential damage. To calculate both, CISOs should ask themselves the following questions about dependencies, the security setup and the company's IT infrastructure: What options does a hacker have once they are inside the network? How can they move around without being detected by internal controls? What controls are in place? What opportunities does the intruder have to access valuable data? What impact would a production stoppage triggered by an attack have on customers and suppliers?
5. What does it take to minimize the risk?
In order to achieve the desired reduction in both the probability of occurrence and the impact of an attack, targeted measures must be taken: for example, a patch to close a technical vulnerability, or setting or changing passwords. Larger security measures such as network segmentation become necessary when particularly vulnerable data and assets require protection. CISOs should then regularly review the effectiveness of the measures taken to minimize risk. If you want to save yourself the cost-benefit calculation, you can turn to security manufacturers with comprehensive platforms.
The goal of CISOs: to minimize damage
As security experts, CISOs play a key role in the company. They must identify the greatest risks and take targeted countermeasures. However, maintaining an overview of the highly dynamic IT landscape is no easy task in today's world. The questions addressed here help to create a continuous risk assessment, which in turn results in a proactive security strategy. This is all the more important as cyber incidents are now considered the biggest business risk worldwide.
Richard Werner, Business Consultant at Trend Micro