XOGENT

Minimize Risk and IT Security Threats

Impact x Likelihood = Security Disaster for Your Business
You’ve no doubt been reading about potential IT security issues and how they can affect small businesses. While much of what has been written is helpful, we thought it more useful to give you guidance on how to gauge the ACTUAL security risk to your business.

To determine IT security risk in a business, whether it concerns a piece of hardware, a piece of software, or even a gap in a business process, we ask two questions:

  1. “What would happen if this were breached?”

  2. “What is the likelihood of breach?”

Overall risk is weighted by the answers to both questions. For example, if someone stole a core switch from your networking infrastructure, it could take the entire business dark. However, the likelihood of that happening is close to zero. Impact x likelihood tells us that there are more important areas to focus on when it comes to IT security. To determine true risk, weigh the impact of an IT security breach together with the likelihood of it happening; a high-impact event that is almost certain never to occur ranks below a moderate-impact event that happens every month.

Inherent Risks In Any Organization
There are inherent risks in any organization. Financial risk covers the loss of data or equipment and the cost of replacing it. Reputational risk is what happens when the market learns that your IT security systems have been breached (and your customers’ data is now floating around on the internet). Just ask Equifax about this one.

We also have to consider regulatory risk. For example, what happens when you are not compliant with the California Consumer Privacy Act (CCPA)? Are you going to be fined? How much (hint: it depends on how bad the breach turns out to be)? Losing health data carries significant fines of its own (under HIPAA in the US). We’ve seen fines for health data breaches at small businesses range from $50,000 to $250,000.

Then there’s operational risk. What does it cost your business for computer systems to be down while you are busy responding to a security breach? The numbers vary greatly, but we would argue that you should not accept any operational loss, because it is the risk most easily remedied with the right preparation.

Risks Specific to Your Organization
When we look at a specific business, we want to determine what it is about that business that represents an IT security risk.

  • Is your computer hardware out of date?

  • Is your software being patched regularly for security holes?

  • Is there a loophole in your business process? 

  • Do you have policies that govern risk? 

  • What happens if someone steals your data, but you have no policy for data governance?

  • Does the lowest-level employee have access to all of your information? 

These are the types of questions that need to be answered to determine the actual risk to your business in each of these areas. If you’ve already done this, great! But it still won’t eliminate 100% of the risk. Nothing will, and the good news is that reaching 100% security is not the point. The point is to reduce as much risk as you reasonably can, so that your organization is a harder target than the next one. There is always a risk of being breached. The question is, how much of that risk are you willing to accept? 

Prioritizing Your Efforts and Dollars
An IT security assessment helps you rank all of your risks and then decide where to spend effort and dollars. For example, were you thinking about spending money on a firewall upgrade with better reporting rather than on replacing all of your network switches? That’s probably a wise decision: the likelihood of a switch being hacked is fairly small, while the likelihood of someone trying to penetrate your firewall from the internet is very high. 

Inherent Risk and Residual Risk
When thinking about the results of an IT security assessment, split your thinking into two areas: inherent risk and residual risk. Inherent risk is the default. It is the risk you carry if you take no action at all, the “do nothing” risk. Residual risk is what is left after you have taken action to mitigate the security issues. For example, if you mitigate a risk by updating business processes and policies, the residual risk after mitigation will be lower than the inherent risk you started with. 

It’s important to accept that some residual risk will always remain. Once you have inventoried your IT assets and the security risk attached to each, you can start developing a data governance policy that says exactly what needs to be protected and how. At that point you have a risk management strategy in place, and that puts you ahead of most other organizations in your industry.
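The impact x likelihood scoring, the prioritization it drives, and the inherent-versus-residual split described above can be captured in a small risk register. The following Python is an added example written for this page, not code from XOGENT or from any real assessment. It assumes a 1-to-5 ordinal scale for impact and likelihood, models each control as knocking a number of levels off likelihood and/or impact at a hypothetical dollar cost, and goes slightly beyond the text by also ranking controls by risk reduction per dollar spent. The sample risks reuse the page’s own scenarios (stolen switch, firewall, patching, over-broad employee access); every number attached to them is a constructed assumption.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Ordinal scale for impact and likelihood: 1 = lowest, 5 = highest.
# The scale, the controls, and all figures below are assumptions made for
# this example, not values from a real assessment.
SCALE_MIN, SCALE_MAX = 1, 5


def clamp(level: int) -> int:
    """Keep an impact or likelihood level inside the 1..5 scale.
    The floor of 1 encodes the point that residual risk never reaches zero."""
    return max(SCALE_MIN, min(SCALE_MAX, level))


@dataclass(frozen=True)
class Control:
    """A mitigation: levels removed from likelihood and/or impact, plus its
    (hypothetical) cost to put in place."""
    name: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0
    cost: float = 0.0


@dataclass
class Risk:
    name: str
    impact: int        # "What would happen if this were breached?"
    likelihood: int    # "What is the likelihood of breach?"
    controls: list[Control] = field(default_factory=list)

    def __post_init__(self) -> None:
        for label, level in (("impact", self.impact), ("likelihood", self.likelihood)):
            if not SCALE_MIN <= level <= SCALE_MAX:
                raise ValueError(f"{self.name}: {label} must be {SCALE_MIN}..{SCALE_MAX}")

    def inherent(self) -> int:
        """Impact x likelihood with no action taken: the 'do nothing' risk."""
        return self.impact * self.likelihood

    def residual_levels(self) -> tuple[int, int]:
        """Impact and likelihood after all controls; reductions add up but
        neither level can drop below 1."""
        imp = clamp(self.impact - sum(c.impact_reduction for c in self.controls))
        lik = clamp(self.likelihood - sum(c.likelihood_reduction for c in self.controls))
        return imp, lik

    def residual(self) -> int:
        """Impact x likelihood after mitigation."""
        imp, lik = self.residual_levels()
        return imp * lik

    def control_cost(self) -> float:
        return sum(c.cost for c in self.controls)


def prioritize(risks: list[Risk]) -> list[Risk]:
    """Rank by inherent score, highest first: where to look first."""
    return sorted(risks, key=lambda r: r.inherent(), reverse=True)


def reduction_per_dollar(risk: Risk) -> float:
    """Risk points removed per dollar spent on the risk's controls.
    Controls that cost nothing but remove risk are treated as infinitely
    cost-effective; controls that remove nothing score 0."""
    removed = risk.inherent() - risk.residual()
    cost = risk.control_cost()
    if removed <= 0:
        return 0.0
    return float("inf") if cost <= 0 else removed / cost


def best_spend(risks: list[Risk]) -> list[Risk]:
    """Rank by risk reduction per dollar: where the next dollar does the most."""
    return sorted(risks, key=reduction_per_dollar, reverse=True)


def sample_register() -> list[Risk]:
    """Constructed register built from the scenarios in the text; the levels,
    control effects and costs are assumptions for illustration only."""
    return [
        Risk("Core network switch physically stolen", impact=5, likelihood=1,
             controls=[Control("Locked network closet", likelihood_reduction=1, cost=500)]),
        Risk("Firewall penetrated from the internet", impact=4, likelihood=4,
             controls=[Control("Firewall upgrade with alerting", likelihood_reduction=1,
                               impact_reduction=1, cost=8000)]),
        Risk("Unpatched software exploited", impact=4, likelihood=5,
             controls=[Control("Monthly patch cycle", likelihood_reduction=3, cost=2000)]),
        Risk("Junior employee can read all company data", impact=4, likelihood=3,
             controls=[Control("Least-privilege access policy", likelihood_reduction=1,
                               impact_reduction=2, cost=1000)]),
    ]


if __name__ == "__main__":
    register = sample_register()
    print(f"{'risk':45} {'inherent':>8} {'residual':>8} {'pts/$':>8}")
    for r in prioritize(register):
        print(f"{r.name:45} {r.inherent():>8} {r.residual():>8} {reduction_per_dollar(r):>8.4f}")
    print("best next spend:", best_spend(register)[0].name)
```

Run it and the stolen-switch scenario lands at the bottom of the inherent ranking (impact 5, likelihood 1, score 5), exactly as the text argues, while unpatched software (score 20) and the firewall (score 16) sit at the top. The cost-effectiveness ranking tells a different story from the raw ranking: the cheap access-policy change removes more risk per dollar than the firewall upgrade, which is the kind of trade-off an assessment is meant to surface. The clamp to 1 is deliberate: no combination of controls can drive a level to zero, so residual risk is always non-zero.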

XOGENT is a full service IT security firm that can help you develop the controls, policies, mechanisms, and processes that help protect your organization from attack and limit the damage should a breach occur.