Jun 12, 2023

Registering Cybersecurity Risk

2023 resolutions may have already fallen out of style, but cybersecurity teams are always on the hunt for emerging threats in the new year. Each year cybersecurity professionals forecast what they expect to happen as the year progresses.


At ISN, we anticipated the following in December 2022:

“2022 shows us that 62% of system intrusion incidents stem from an organization’s supply chain. The rise of phishing-resistant authentication technologies in 2023 should lead to a higher percentage of system intrusions due to threat vectors like malware. Since external supplier reliance is increasing, they may see heightened cybersecurity due diligence placed on vendor assessments before and after procurement.”

But what do we do with the risks that actually materialize as the year progresses? How do we prioritize them, and how do we develop a response? NISTIR 8170 points to a best practice: maintain a central repository of these risks, known as a risk register. A risk register aggregates current risks and the information related to each one and establishes a framework for how those risks will be handled. It is not a one-and-done deliverable but a living document, one that some organizations choose to update as often as daily.

At its core, a risk register records, for each identified risk: a description, the impact, the probability of occurrence, the mitigation strategy, the risk owner, and a ranking that sets its priority. Below, we walk through best practices for building your own risk register and discuss how it can reduce cybersecurity risk in your supply chain.

1. Risk Identification:

  • Brainstorm as a team all the potential risks your organization faces. Identify the relevant stakeholders across different areas of the organization and ask each of them to contribute. Aim to be as comprehensive as possible and cover both internal and external risks; capture everything at this stage, and let the likelihood assessment in the next step push the less probable risks down the ranking.
  • Reviewing historical data and current reports from industry leaders also helps teams identify risks. This includes data on past cyberattacks, data breaches and other incidents. When reviewing historical data, look for patterns and trends that point to the risks your organization is most likely to face.

2. Risk Likelihood & Impact:

  • The likelihood of a risk occurring can be assessed using factors such as the frequency of similar incidents, the sophistication of the threat actor and the resources available to that actor. Be as objective as possible and avoid unstated assumptions; a defensible likelihood score is what lets you prioritize and focus mitigation effort on the most critical risks.
  • Impact is assessed using factors such as the direct cost of the incident, damage to the organization’s reputation and loss of business. When assessing impact, consider the long-term effects of the risk as well as the immediate ones.

3. Risk Mitigation:

  • The risk mitigation section of your risk register should be specific, measurable, achievable, relevant and time-bound (SMART): each plan names a clear goal, is possible to achieve, addresses the risk it is attached to and has a deadline. Develop the plans in consultation with stakeholders from across the organization so that the effort is comprehensive and realistic.
  • Effective risk mitigation plans are reviewed and updated regularly. Doing so confirms that the plans still work and addresses new risks as they emerge.

4. Risk Register Implementation, Monitoring & Review:

  • Once the mitigation section is complete, get buy-in from stakeholders so that the risk register is actually implemented. This is also the point to name the risk owner for each entry: the person or team directly responsible for the follow-up activities that manage that risk.
  • The risk owner tracks the progress of mitigation activities and adjusts them over time as required. That takes regular monitoring and review to ensure the register stays up to date and relevant to the organization.
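The four steps above describe a data structure and a review loop, and both are easy to get wrong when the register lives in a spreadsheet nobody queries. The following is an added example, not ISN's tooling or anything from the page: a minimal register in Python with the fields listed earlier (description, likelihood, impact, mitigation, owner, ranking), an exposure score used for ranking, and the review checks a risk owner would run, namely overdue mitigation deadlines, entries that have not been reviewed recently, and high-exposure risks with no plan at all. The 1-4 ordinal scale, the likelihood times impact formula, the 90-day review window, the exposure threshold and every sample entry are assumptions chosen for illustration.

```python
"""Minimal cybersecurity risk register: register rows, exposure scoring,
ranking, and the periodic review checks that keep the register current.

Added example, not ISN's tooling. The 1-4 ordinal scale, the
likelihood x impact exposure formula, the 90-day review window and the
sample entries are assumptions chosen for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import IntEnum

# Review date for the worked example (the page's publication date).
AS_OF = date(2023, 6, 12)


class Level(IntEnum):
    """Ordinal scale used for both likelihood and impact (assumed 1-4)."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    CRITICAL = 4


@dataclass
class Mitigation:
    """A SMART mitigation action: a concrete step, a named owner, a deadline."""
    action: str
    owner: str
    due: date
    done: bool = False


@dataclass
class Risk:
    """One row of the register."""
    risk_id: str
    description: str
    likelihood: Level
    impact: Level
    owner: str                      # person or team accountable for follow-up
    mitigations: list[Mitigation] = field(default_factory=list)
    last_reviewed: date | None = None

    @property
    def exposure(self) -> int:
        """Exposure = likelihood x impact (assumed scoring); drives the ranking."""
        return int(self.likelihood) * int(self.impact)


def rank(register: list[Risk]) -> list[Risk]:
    """Highest exposure first; ties broken by impact, then by ID for stability."""
    return sorted(register, key=lambda r: (-r.exposure, -int(r.impact), r.risk_id))


def overdue_mitigations(register: list[Risk], today: date) -> list[tuple[str, Mitigation]]:
    """Open mitigations whose deadline has passed (the 'time-bound' check)."""
    return [(r.risk_id, m) for r in register
            for m in r.mitigations if not m.done and m.due < today]


def stale_entries(register: list[Risk], today: date, max_age_days: int = 90) -> list[str]:
    """Risks never reviewed, or not reviewed within max_age_days."""
    cutoff = today - timedelta(days=max_age_days)
    return [r.risk_id for r in register
            if r.last_reviewed is None or r.last_reviewed < cutoff]


def unmitigated_above(register: list[Risk], threshold: int) -> list[str]:
    """Risks at or above the exposure threshold that have no mitigation planned."""
    return [r.risk_id for r in register
            if r.exposure >= threshold and not r.mitigations]


def build_sample_register() -> list[Risk]:
    """Constructed sample rows for the demonstration (not real data)."""
    return [
        Risk("R-001", "Managed service provider with remote access is compromised",
             Level.MEDIUM, Level.CRITICAL, "CISO",
             mitigations=[Mitigation("Require phishing-resistant MFA on vendor remote access",
                                     "IAM lead", date(2023, 3, 31))],
             last_reviewed=date(2023, 5, 1)),
        Risk("R-002", "Staff credentials phished; email lacks MFA",
             Level.HIGH, Level.HIGH, "IT director",
             mitigations=[Mitigation("Roll out FIDO2 security keys to all staff",
                                     "IT operations", date(2023, 9, 30))],
             last_reviewed=date(2023, 6, 1)),
        Risk("R-003", "Internet-facing VPN appliance left unpatched",
             Level.HIGH, Level.CRITICAL, "Network lead"),  # never reviewed, no plan
        Risk("R-004", "Laptop lost without full-disk encryption",
             Level.LOW, Level.MEDIUM, "IT director",
             mitigations=[Mitigation("Enforce disk encryption through MDM",
                                     "Endpoint team", date(2023, 1, 31), done=True)],
             last_reviewed=date(2023, 2, 1)),
    ]


if __name__ == "__main__":
    register = build_sample_register()
    for r in rank(register):
        print(f"{r.risk_id} exposure={r.exposure:2d} owner={r.owner:12s} {r.description}")
    print("overdue:", [(rid, m.action) for rid, m in overdue_mitigations(register, AS_OF)])
    print("stale:", stale_entries(register, AS_OF))
    print("high risks with no plan:", unmitigated_above(register, threshold=9))
```

Run as a script it prints the ranked register and the three review findings. The point of keeping the checks as functions is that they can be run on a schedule: an overdue mitigation or a high-exposure row with an empty plan is exactly what the risk owner should be chased on, and a never-reviewed row is how a register silently stops being current.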

According to IBM’s 2022 Cost of a Data Breach Report, “19% of breaches occurred because of a compromise at a business partner.” This is known as a supply chain attack, in which an attacker intentionally targets a third-party vendor trusted by the victim organization in order to reach the victim’s systems or data.

ISN helps organizations defend against supply chain attacks by standardizing a tiered, third-party risk management program across all supply chain participants that pose a cybersecurity risk to the organization. We accomplish this by establishing a baseline of cybersecurity due diligence, then increasing that level of review as suppliers become higher risk. Common first steps in this process are collecting Cyber Questionnaire responses, requiring Cyber Liability Insurance and reviewing a supplier’s Cyber Risk Rating. As a supplier’s risk level increases, we can verify internal cybersecurity policies through Document Collection and even assess a supplier’s internal security posture with a Cyber Plus Assessment.

If you are a current ISN Hiring Client subscriber, contact your account representative about incorporating cybersecurity tools into your supplier information management program.

If you are interested in learning more about ISN’s supplier management system to help you reach your cybersecurity goals, contact ISN.