Outsourcing as a tool for leveling cyber risks in companies for which these risks are not core

The author of the study is Vsevolod Trofimov, graduate of the SACM certification program "Corporate Governance in the 21st Century", Certified Expert EU-NQF Level A in Corporate Governance according to European Union standards. Edited by Alexander Lebedev, SACM Professor.

In their most general form, cyber risks are understood as the possibility of incurring losses in the process of using information technologies. The term "information technology risks" or "IT risks" is often used as a synonym for cyber risks. In some cases, cyber risks are understood more narrowly as losses associated with malicious actions against the data and functioning of the company's IT infrastructure. In our opinion, it is appropriate to consider cyber risks in a broad sense, as a synonym for IT risks, since cyber risk management for non-IT companies is inseparable from the overall information security management strategy.

Consider some international definitions. The Committee on National Security Systems of the United States of America defines cyber risk as the possibility of a negative impact on the information security of a company, and according to the "Risk Management Guide for Information Technology Systems NIST SP 800-30", the focus shifts to a "threat source" that can exploit a "potential vulnerability" to have a negative impact on the company. ISACA defines cyber risk primarily as an entrepreneurial, business risk associated with the use of information technology.

Domestic standards in the field of cyber risk management consider cyber risks exclusively in the context of ensuring information security, which is one of the elements of the general information security of companies. This is especially important for enterprises outside the IT sector, since their business and the related information threats are concentrated in other areas, and information technology is seen as an infrastructural element that plays an important but not primary role. Of particular note are such standards as GOST R 50922-2006 "Information Protection. Basic terms and definitions" and GOST R ISO/IEC 15408, which forms the basis for decision-making in the field of cyber risk management, as it stipulates tools and methods for evaluating information systems and products in terms of information security parameters.

The domestic system of standards in the field of cyber risk management correlates closely with the international one. For example, GOST R ISO/IEC 27001-2006 "Methods and means of ensuring security. Information Security Management Systems" complies with the international standard ISO/IEC 27001:2005 "Information technology - Security Techniques - Information security management systems – Requirements". At the same time, in Russia, under the auspices of the Federal Service for Technical and Export Control, there is a national system of regulatory documentation in the field of cyber risk management, which contains legal acts, organizational and administrative documents, and methodological materials on the technical protection of information.

This system includes both general documents, for example, GOST R 53114-2008 "Information security. Ensuring information security in the organization. Basic terms and definitions", and documents on certain narrow aspects of cyber risk management, for example, GOST R 52633.0-2006 "Information security. Information security technology. Requirements for the means of highly reliable biometric authentication".

The system of corporate cyber risk management in non-IT companies is dynamic and cannot be formed "once and for all". It is a system of cyclic actions implemented within the protocols established in the organization on the basis of existing regulations and best business practices. This system consists of four large blocks, each of which, in turn, is formed from several nested blocks supported by technical, organizational and methodological means.

Let's consider the main blocks of the first level, typical for non-IT companies.
1. Fixation (identification, detection) of cyber risk. This block relies on the output of block No. 4, within which incidents that have occurred, or potential incidents that can cause damage, are identified. Identification is based on the experience of corporate governance or of operating other systems, and is carried out independently or as part of services provided by a third party.
2. Cyber risk assessment. The assessment includes not only establishing the possible damage from a potential threat, but also understanding its level of priority. The information used in this step may also come from the company's own experience or from a third party. When ranking cyber risks, the traditional method is to calculate the mathematical expectation of a random variable: the value of the random variable (the amount of damage from the realization of a cyber risk) is multiplied by its probability (the probability of the cyber risk).
3. Response to cyber risk. The reaction may be immediate or delayed. An immediate response consists of actions aimed at minimizing the extent of damage and the likelihood of the cyber risk. It is usually associated with highly probable risks that can cause damage to the organization far exceeding the costs of mitigating them. It can take the form of replacing equipment or software, or of changes in protocol (administrative) procedures. It is associated with direct costs and an increase in the total cost of ownership of an information system, including in the category of capital costs. A delayed reaction is associated with unlikely risks, as well as with risks whose damage is not critical and is comparable to the risks of the company's operational activities within the framework of "unforeseen" costs, or for which the costs of an immediate reaction (elimination, minimization) are comparable to or higher than the potential damage from the realization of the cyber threat. A delayed reaction means including the cyber risk in the monitoring system and developing action plans to eliminate the consequences if it occurs. The category of delayed reactions also includes periodic revision of the assessed level of potential damage based on external and internal data on the consequences of incidents. A typical example of such a review of the importance of a cyber risk is the change in the attitude of non-IT companies towards DDoS attacks on a corporate website. The possibility of organizing an attack on a business card site is problematic, and the loss of an information site from the Internet for several days is an unpleasant, but not a critical, incident. The situation changes significantly as the site becomes an element of the company's front office and back office. The presence of an online store on a corporate website significantly increases the ability of intruders to organize DDoS attacks, and failures in the functioning of the site that disrupt internal communication (back office) threaten not only an outflow of customers, but the very existence of the company.
4. Monitoring of cyber risks. The results of monitoring both the internal information space (incidents) and the external one (analytics and technical documentation on topics related to cyber risks) are issued in the form of reports that are sent to the company's management system. It is important that many decisions related to the management of cyber risks go beyond the competence of those who manage the information infrastructure and fall within the activities of top management. Monitoring can be carried out both by internal divisions of the company and as part of the transfer of business processes to outsourcing.

It was shown above that all blocks of cyber risk management in non-IT companies can be implemented as part of outsourcing. The reasons for deciding to use outsourcing are:
• lack of staff with the necessary qualifications and the inability to attract them on a permanent basis (especially relevant for relatively small companies);
• the high cost of specialized software and equipment when it cannot be fully loaded or is out of proportion to the scale of the protected area of activity, even though the cyber risk is critical and the damage from it can lead to the death of the company; in other words, both the cost of organizing self-protection and the potential damage are unacceptable costs;
• the company's management cannot give a correct assessment of the level of cyber risks, which leads to a lack of understanding of the cost justification (this situation is especially relevant for non-IT companies that create new types of business and carry out digital transformation).

Analysts note different levels of outsourcing "depth": from systematic consulting services by an external specialist to the integration of an outsourcer into the company's information system. In the domestic cyber risk management market, the most frequently outsourced services are: IT infrastructure audit; development of corporate regulatory documents (plans, regulations, etc.); incident investigation; operation of the monitoring center; training and retraining of personnel; comprehensive support of information systems. Thus, the essay shows the possibility and necessity of using outsourcing in managing cyber risks in non-IT companies.

