Taking risks with information
Monday 25th September 2017
Assessing information security risk as a quick self-help guide: don't know where to start, how it works, or whether it is really that hard?
We in the Information Security community often create a language that only we understand, and if people don't get it we believe that they really need help, so "buy my specialist elitist skills, blah, blah".
Security needs to be ubiquitous throughout a firm, and not every InfoSec skill is the reserve of us specialists. Take for instance Risk Assessments; these can be done with minimal training to a medium degree of usefulness, at very little cost (to do a really good one will take some investment, though, and usually involves getting someone like us in).
The elements of an Information Security Risk Assessment are:
- a list of the information to be protected
- the things that might go wrong with it/them, and how those bad things can happen
- the impact on the business if those things go wrong
- how much loss or wrongness you can tolerate
The business diligence bits here are understanding what information you rely upon or hold, then knowing what the impacts are if things go wrong.
The really skilled bits are understanding how those bad things can happen, how likely, and subsequently what you can do about it.
As a business owner, it really is worth creating a catalogue of information at the level of "big lumps of it". For example:
- my accounting ledger
- the CRM database
- manufacturing records
- my special intellectual property
- personnel records
- customer data
- etc., etc.
Then look at the things that might go wrong at a big level and apply it to each type of data:
- it's been corrupted so that I cannot use it (e.g. the computer messed it up, I've deleted it, or ransomware)
- someone else has received or stolen a copy of it (e.g. by a hack, or accidentally emailing the wrong data)
- for some reason the data has been changed and I can't rely on it being right any more (e.g. someone's made a mistake and changed something in my data)
Finally, look at the impact on the business as big lumps of business risk, such as:
- I'll lose a lot of customers due to trust or being unable to service customers
- I might get fines from Regulators
- I don't know where the money is going any more as my records make no sense
- I can no longer operate my company
Once you've created this list, then it gives you something to get your teeth into to start to reduce that risk.
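The steps above, turned into a small risk register as an added example (not part of the original post): every data type is crossed with the three ways things can go wrong, each pair gets an impact bucket and a likelihood on an assumed 1 to 5 scale, anything nobody has assessed is reported as a gap rather than quietly scored as zero, and the items over your tolerance come out worst first. The data types, assessments and tolerance below are constructed sample input.

```python
from dataclasses import dataclass
from itertools import product

# The three "things that might go wrong" from the post, applied to each data type.
EVENTS = ("corrupted or unusable", "copied or stolen", "silently changed")
# The post's "big lumps of business risk", scored 1 (minor) to 5 (severe); assumed scale.
IMPACT_SCORE = {"lose customers": 4, "regulator fines": 4, "cannot operate": 5,
                "accounts make no sense": 3, "minor inconvenience": 1}

@dataclass(frozen=True)
class RiskEntry:
    asset: str
    event: str
    impact: str      # key of IMPACT_SCORE
    likelihood: int  # 1 (rare) to 5 (expected); assumed scale

    @property
    def score(self) -> int:
        return IMPACT_SCORE[self.impact] * self.likelihood

def build_register(assets, assessments):
    """Cross every asset with every event. A pair nobody has assessed is
    reported as a gap, never silently treated as zero risk."""
    register, gaps = [], []
    for asset, event in product(assets, EVENTS):
        if (asset, event) in assessments:
            register.append(RiskEntry(asset, event, *assessments[(asset, event)]))
        else:
            gaps.append((asset, event))
    return register, gaps

def above_tolerance(register, tolerance):
    """The list to get your teeth into: entries over tolerance, worst first."""
    return sorted((e for e in register if e.score > tolerance),
                  key=lambda e: e.score, reverse=True)

# Constructed sample input for two of the post's example data types.
ASSETS = ["accounting ledger", "customer data"]
ASSESSMENTS = {  # (asset, event) -> (impact bucket, likelihood)
    ("accounting ledger", "corrupted or unusable"): ("accounts make no sense", 3),
    ("accounting ledger", "silently changed"): ("accounts make no sense", 2),
    ("customer data", "corrupted or unusable"): ("lose customers", 2),
    ("customer data", "copied or stolen"): ("regulator fines", 3),
    ("customer data", "silently changed"): ("minor inconvenience", 2),
}

if __name__ == "__main__":
    reg, gaps = build_register(ASSETS, ASSESSMENTS)
    for e in above_tolerance(reg, tolerance=6):
        print(f"{e.score:2d}  {e.asset}: {e.event} -> {e.impact}")
    print("not yet assessed:", gaps)
```

The gap list is the useful by-product: the ledger's "copied or stolen" case is missing here, and a register that hid that would look more complete than it is.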
Remember when doing a risk assessment that not everything that can go wrong is due to a malicious hacker in Russia. Far from it: many things go wrong due to equipment failures, contractual disputes, people making mistakes, fires and floods, bad filing or slack change control.
As ever, if this is something you want to do and are still nervous about starting, look no further and get in touch.
If you know someone else who would be interested in this then please share!