When it comes to securing your business from cyber threats, you have limited time, money and energy to spend, so where do you begin? To answer this, you need to assess the risks to your business, and focus on the higher risk areas first.
Risk management is about considering what events can occur that will have a negative impact on your business, and seeing how likely it is that these will occur. Events to consider would include fires, malware attack, general computer failures & breakdowns, break-ins and theft. Consider also the Insider Threat, that is staff members not acting in your best interests, or maybe snooping through files they shouldn’t be, or actually stealing/altering files.
A few years back, a senior Network Admin working for the City of San Francisco locked down the new computer network he had being building for use by police, fire responders and city officials and admins. Consider also the case of Edward Snowden, who leaked the contents of NSA confidential documents when he became concerned about the breaches of privacy being committed by the government agency.
Come up with random events, anything and everything you can think of. The key is to assess them all so you can make a decision on where to spend your energies.
Risk is measured by considering two factors: how likely is a particular event to happen to us, and secondly, if this event happens, how much will it impact our business?
A common practice is to score each of these factors from 1 to 5, with 1 being highly unlikely/low impact, and 5 being extremely likely or extreme impact. If you don’t know or cant estimate the likelihood or impact of a malware attack for instance, it would be helpful to get expert input to assess your environment and provide a more accurate assessment. Involving an expert will lead you to more beneficial conversations on what steps you need to take next.
Multiply Likelihood by Impact to get your Risk Score.
What you are measuring initially is the Inherent Risk, that is the risk of an event happening and impacting us given our current level of preparedness. Once you do this for each of the events you have identified, you are in a position to spot the greatest threats to your business and where you should focus your efforts first.
The next step is to identify the actions to take to reduce your risk. Again this is where getting expert advice can be beneficial, as you want to get maximum benefit from the time and money you invest.
Once you have completed the remediation activities, or during the process, you measure the levels of risk again. This is called Residual Risk, and is recognition of the fact that there is always going to be risk in our lives; you can never be 100% sure that an event will not happen nor impact you.
Score each of the events again to see if they have reduced in line with the level of risk that you would be comfortable accepting, also known as your risk appetite. While it can be tempting to continue reducing your risk levels, the costs must not outweigh the benefits gained from increased security.