Whatever the size or nature of your business, proactively taking small steps towards better risk management will help secure your business for future success.

Protecting your assets is essential. But, the threat landscape is diverse and ever changing, and understanding how you may be at risk, and who from, is necessary before you can develop measures to reduce their likelihood and impact.




There are some key elements to proactive risk management:

  • security governance: knowing who is responsible at a senior level
  • asset-centred risk management: protecting your critical assets in a robust way
  • securing your supply chains and partnerships: considering third parties in your risk management process
  • incident management practices and procedures

This page outlines three stages to proactive and effective risk management. Make use of the specialist guidance linked for more detail on how to put this into practice.

Identify assets and threats

  • Identify assets critical to your business success and operations. These may be physical products, data, personnel or other systems.
  • Categorise assets in relation to their criticality to your business, so you can put in place an appropriate level of risk mitigation.
  • Identify the threats to your organisation - these may be physical or cyber, local or national, and may change over time. Relevant threat information can be obtained from various sources.


Assess and record risk

  • Assess your risks. Risks are identified threats or vulnerabilities, linked to assets. Most organisations have preferred methods for risk assessment, but typically this involves assessing both likelihood and potential impact of a threat materialising.
  • Build a Risk Register. Record data collected through previous steps into a risk register. The format can vary, but it should capture sufficient detail so senior leaders can make informed risk judgements and effective mitigations can be developed.


Develop measures, implement and review

  • Starting with highest priority risks, stakeholders should review existing protective measures. Where mitigations are judged inadequate, put in place a range of personnel, cyber and physical security control measures to reduce your vulnerability.
  • Accept that you cannot protect everything, but aim to build a prioritised list of measures across disciplines, each linked to the technical guidance needed to implement it.
  • Risk management is cyclical and reviews should be conducted regularly or when significant changes occur, for example a change in threat or operational environment.
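The three stages above (categorise assets, score likelihood and impact, record the result in a register and work from the highest priority down) can be kept honest with a small script. The following is an added example, not part of the original guidance or any NPSA tool; the criticality weights, the 1 to 5 scales and the sample assets and threats are all assumptions constructed for illustration, and your organisation's own risk assessment method should replace them.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Stage 1: categorise assets by criticality so mitigation effort is proportionate.
# The weights are an assumption for this example; substitute your own scale.
CRITICALITY = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Asset:
    name: str
    kind: str         # e.g. "data", "physical", "personnel", "system"
    criticality: str  # one of the keys in CRITICALITY


@dataclass
class Risk:
    asset: Asset
    threat: str          # threat or vulnerability linked to the asset
    likelihood: int      # 1 (rare) to 5 (almost certain), an assumed scale
    impact: int          # 1 (negligible) to 5 (severe), an assumed scale
    owner: str           # senior person accountable for the risk
    existing_controls: list[str] = field(default_factory=list)
    controls_adequate: bool = False  # stakeholder judgement at review time

    def score(self) -> int:
        """Likelihood x impact, weighted by how critical the asset is."""
        return self.likelihood * self.impact * CRITICALITY[self.asset.criticality]


def validation_errors(risk: Risk) -> list[str]:
    """Problems that would make a register row misleading (empty list if none)."""
    errors = []
    if risk.asset.criticality not in CRITICALITY:
        errors.append(f"unknown criticality '{risk.asset.criticality}'")
    if not 1 <= risk.likelihood <= 5:
        errors.append("likelihood must be 1-5")
    if not 1 <= risk.impact <= 5:
        errors.append("impact must be 1-5")
    if not risk.owner.strip():
        errors.append("every risk needs a named senior owner")
    return errors


def build_register(risks: list[Risk]) -> list[dict]:
    """Stage 2: the risk register as rows, highest priority first."""
    for r in risks:
        problems = validation_errors(r)
        if problems:
            raise ValueError(f"{r.asset.name}: {'; '.join(problems)}")
    rows = [{
        "asset": r.asset.name,
        "kind": r.asset.kind,
        "criticality": r.asset.criticality,
        "threat": r.threat,
        "likelihood": r.likelihood,
        "impact": r.impact,
        "score": r.score(),
        "owner": r.owner,
        "existing_controls": list(r.existing_controls),
        "controls_adequate": r.controls_adequate,
    } for r in risks]
    return sorted(rows, key=lambda row: row["score"], reverse=True)


def needs_new_measures(register: list[dict]) -> list[dict]:
    """Stage 3: rows whose existing controls were judged inadequate, in priority order."""
    return [row for row in register if not row["controls_adequate"]]


# Constructed sample data for this example; not taken from any real organisation.
DESIGN_DATA = Asset("product design files", "data", "high")
FACTORY_NET = Asset("factory control network", "system", "medium")
SUPPLIER = Asset("component supplier portal", "system", "low")

SAMPLE_RISKS = [
    Risk(DESIGN_DATA, "insider recruited to exfiltrate designs", 3, 5, "CTO",
         ["access logging"], controls_adequate=False),
    Risk(FACTORY_NET, "malware introduced via physical access", 2, 4, "Head of Operations",
         ["visitor escort", "USB port lockdown"], controls_adequate=True),
    Risk(SUPPLIER, "supplier account compromise exposes order data", 4, 2,
         "Procurement Director", [], controls_adequate=False),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE_RISKS):
        flag = "" if row["controls_adequate"] else "  <- review mitigations"
        print(f"{row['score']:>3}  {row['asset']:<28} {row['threat']}{flag}")
```

Two design choices matter more than the arithmetic: every row must carry a named senior owner before it is accepted into the register (so the governance element is enforced, not hoped for), and the register is re-sorted on every run, which suits the cyclical review described above when a likelihood or impact changes.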


Case study: combining mitigations to limit risk

A small UK communication company had a number of contracts to produce sensitive technology for government departments and private UK industry. The company was approached by a foreign investor.

Following a risk assessment, several mitigations were agreed which would protect the company's technology, reputation and chances of securing future government contracts. These included:

  • compartmentalising the company's most sensitive projects
  • ensuring effective IT arrangements were in place to audit access to the sensitive information
  • granting access only where necessary, and to individuals who had had the appropriate security checks
  • identifying a board-level owner of the risks associated with the transaction

These mitigations were agreed and fully implemented prior to the part-sale of the company. 

NPSA Informed Investment - Key Considerations for Secure Investment (www.npsa.gov.uk)

Case study: external threat and insider risk

It was reported in August 2020 that criminals had attempted to pay a Tesla employee to install malware at one of the company’s factories. The malware would reportedly exfiltrate data and extort ransom money.

The FBI arrested a Russian national for attempting to “recruit an employee of a company to introduce malicious software into the company’s computer network”. The plan was thwarted when the employee reported the incident.

The threat of criminals recruiting an insider to exploit their physical access is not new and can be used to facilitate cyber attacks. This incident demonstrates the interconnected and reinforcing nature of personnel, physical, and cyber security. Integrating all three is essential to effective mitigation measures.

The Need for a Joint Approach to Cyber and Physical Security (www.s-rminform.com)

Get support to stay secure

The Secure Innovation Security Reviews Scheme (www.npsa.gov.uk) helps businesses to identify and manage key security risks, including those linked to state threats, and to integrate protective security into business strategies. Conditions and eligibility criteria apply.
