Globalization, cloud, hacktivism — all add to the changing landscape of modern business. The opportunities, threats and associated risks are personal to individual organisations. But how do you determine which risks are applicable to your business? And once you know what risks you’re facing, what can you do?
PMVista's Risk Management Guide gives a comprehensive list of the 13 categories of risk facing businesses today. Considering each of them will let you holistically assess the level of risk in each category of your business.
Follow these 6 steps to learn how to effectively mitigate risk in your business by assessing your level of risk in each category.
1. Assess the real business risks and reduce them to an acceptable level.
When you have 13 categories to assess, it is easy to identify several risks which, although legitimate in themselves, may not be real to your business. To address this, we must look in more detail at what “risk” is.
Wikipedia defines “IT risk” as “Threat * Vulnerability * Asset Value.” To this we need to add “likelihood.” An example of a risk that is likely to happen is a car accident. The likelihood is that at least one will happen daily—the impact can range from a little bodywork to millions in compensation. So serious can the impact of this risk be that the government requires motorists to take out insurance to mitigate it. In another example, the likelihood of water pipes freezing in India is very low, so a global water company would probably accept this risk, yet apply protective measures to its pipes in Iceland. So when assessing a risk, be sure it is real to your business and that the cost of reducing it to an acceptable level is reasonable in proportion to the potential loss.
This table shows a simplified view of assessing Likelihood against Impact. For more complex environments, you may want a more fine-grained approach. Measuring the likelihood of the risk occurring against the impact it will have on your business will help focus your efforts on the risks that will cause the most damage.
2. Don't restrict access to information, but make it securely available.
Information security, for me, has been about making the correct information available to authenticated and authorised people. Too often information security is seen as a barrier to getting on with business. With the introduction of security technologies such as IPv6's point-to-point encryption, Trusted Platform Modules in end-point devices, and authentication of user, device and server, we can provide access to information where and when it is needed to those with justified access. With the rapid expansion of the use of cloud platforms, it is more important today than ever that we have the right protection in place to give users and businesses the confidence and trust to take advantage of the benefits these solutions provide.
3. Ensure you have the right approach to information security risk assessment and risk exposure for your business.
Every business is unique and requires an approach that reflects the corporate attitude to the risks facing it. As in life, risks can change with time. For example, pension plans often take a higher tolerance to risk during their early days in order to maximise the opportunity for profit, but towards maturity, the pension fund investments move to safer options, such as bonds and cash balances to protect the assets’ value.
HP Security Discovery Workshops can assist in ensuring you are applying the right approach to your particular risks and help discover how the latest developments in cloud, BYOD and mobile data management can be used to develop the solution that’s right for you.
4. Go back to basics to successfully evaluate the security risks.
Getting back to basics will help you keep your risk assessment real. A pure mathematical approach may demonstrate that a particular mechanism will reduce your risk level to what appears to be acceptable. However, the introduction of likelihood we used above can give a more realistic view. An example I saw in the real world was where a pure mathematical approach demonstrated that sending information by CD in the post was preferable to sending it as a file over an internet connection. Both used strong encryption and chain of custody; however, the CD method had a higher likelihood of being lost in transit (possibly leading to a newspaper article about data loss) than the file being lost or intercepted across a secured internet connection.
5. Analyzing risk is the road to developing your information security management strategy
Once we have assessed the risks, how do we know the best way of handling those risks?
There are 4 basic options for handling risk: accept it, reduce (mitigate) it, transfer it, or avoid it.
We accept a risk when the cost of handling it outweighs the cost of the risk being realised and we wish to proceed despite the risk—as the rewards in doing so are worthwhile. If the costs of mitigation or transference are such that it is still practical to proceed, then we will spend enough to reduce the risk to an acceptable level. If none of these options are appropriate, then we could choose to avoid the risk by not proceeding or by changing direction.
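The following is an added example written for this page, not code from the post or from HP; it makes step 1's likelihood-against-impact rating and step 5's four handling options concrete as a small risk register. The 1-5 scales, the annual probability assumed for each likelihood rating, the Low/Medium/High bands, the risk appetite and every figure in the register are constructed assumptions for the example, not values from the original text.

```python
"""Risk register scoring and treatment selection (constructed example).

Makes two parts of the post concrete: step 1's likelihood-against-impact
rating, used to rank risks, and step 5's choice between accepting,
reducing, transferring or avoiding a risk. The 1-5 scales, the annual
probability behind each likelihood rating, the Low/Medium/High bands and
the risk appetite are assumptions for the example, not values from the post.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed 1-5 rating scales (assumption; the post's table is coarser).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
# Rough annual probability each likelihood rating stands for (assumption).
ANNUAL_PROBABILITY = {1: 0.05, 2: 0.2, 3: 0.5, 4: 0.8, 5: 1.0}
APPETITE = 20_000.0  # expected annual loss the business will simply carry (assumption)


@dataclass
class Treatment:
    """A control ("reduce") or insurance ("transfer"): its yearly cost and
    the likelihood and single-event loss that remain once it is in place."""
    kind: str
    annual_cost: float
    residual_likelihood: str
    residual_loss: float


@dataclass
class Risk:
    name: str
    likelihood: str
    impact: str
    loss_if_realised: float  # cost of one occurrence, in currency units
    treatments: List[Treatment] = field(default_factory=list)

    def score(self) -> int:
        """Step 1: likelihood x impact on the 1-5 matrix (1..25)."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def band(self) -> str:
        """Matrix cell band; the thresholds are an assumption."""
        s = self.score()
        return "High" if s >= 15 else "Medium" if s >= 8 else "Low"

    def expected_annual_loss(self, likelihood: Optional[str] = None,
                             loss: Optional[float] = None) -> float:
        """Annual probability of the rating times the loss of one event."""
        prob = ANNUAL_PROBABILITY[LIKELIHOOD[likelihood or self.likelihood]]
        return prob * (self.loss_if_realised if loss is None else loss)


def rank_register(risks: List[Risk]) -> List[Risk]:
    """Worst likelihood x impact first, so effort goes where damage would be greatest."""
    return sorted(risks, key=lambda r: r.score(), reverse=True)


def choose_treatment(risk: Risk, appetite: float) -> Tuple[str, float]:
    """Step 5, as one concrete decision rule:
      accept          - untreated expected loss is already within appetite;
      reduce/transfer - the cheapest treatment whose residual loss is within
                        appetite and whose cost plus residual beats accepting;
      avoid           - nothing affordable brings the risk within appetite.
    Returns (option, yearly cost of that option including residual loss)."""
    untreated = risk.expected_annual_loss()
    if untreated <= appetite:
        return "accept", untreated
    best: Optional[Tuple[str, float]] = None
    for t in risk.treatments:
        residual = risk.expected_annual_loss(t.residual_likelihood, t.residual_loss)
        total = t.annual_cost + residual
        if residual <= appetite and total < untreated and (best is None or total < best[1]):
            best = (t.kind, total)
    return best if best is not None else ("avoid", 0.0)


def treatment_plan(risks: List[Risk], appetite: float) -> dict:
    """Name -> chosen option for every risk in the register."""
    return {r.name: choose_treatment(r, appetite)[0] for r in risks}


# Constructed register; losses are illustrative, not real figures.
REGISTER = [
    Risk("Laptop with customer data lost in transit", "likely", "major", 200_000,
         [Treatment("reduce", 15_000, "rare", 200_000),        # full-disk encryption + device management
          Treatment("transfer", 60_000, "likely", 10_000)]),   # insurance with a 10k excess
    Risk("Water pipes freeze (Iceland)", "likely", "moderate", 40_000,
         [Treatment("reduce", 5_000, "rare", 40_000)]),        # lagging and heat tracing
    Risk("Water pipes freeze (India)", "rare", "moderate", 40_000),
    Risk("Fire at data centre", "unlikely", "severe", 500_000,
         [Treatment("reduce", 30_000, "rare", 500_000),        # suppression system
          Treatment("transfer", 40_000, "unlikely", 50_000)]), # insurance with a 50k excess
    Risk("Card data on legacy platform", "likely", "severe", 2_000_000,
         [Treatment("reduce", 500_000, "unlikely", 2_000_000)]),
]

if __name__ == "__main__":
    for r in rank_register(REGISTER):
        option, cost = choose_treatment(r, APPETITE)
        print(f"{r.score():>2} {r.band():<6} {r.name:<45} -> {option} ({cost:,.0f}/yr)")
```

Run as a script it prints the register worst-first with the chosen option. The two water-pipe entries reproduce the post's own reasoning: the Indian site's risk is accepted, the Icelandic site's is reduced. The legacy-platform entry shows the "avoid" outcome, where even the affordable control leaves more expected loss than the appetite allows, which is the case for changing direction rather than spending.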
HP Security Analytics provides a great way to model your risks and the mechanisms available to handle them. By analysing the effect of spend in one area, it can demonstrate the effect on your overall security posture. For example, it can show whether it would be more effective for your business to spend money on improving patching or on upgrading your anti-virus products. It follows the process of modelling—experiment with “what if” scenarios to provide a detailed analysis of the most cost-effective solution for you.
See HP Security Analytics for more information on how to make better decisions when creating a more secure environment for your business.
6. Ensure that you are compliant with your legal, regulatory and business requirements.
There are so many standards, regulations and legal requirements placed on businesses that it is difficult to keep track of the changes. They all aim at protecting your customers and the marketplace you operate in, and often protect the future viability of your business by creating a level playing field: it only makes economic sense to invest in security if your competition is doing likewise. The 3-step approach I like to take to this challenge is:
- Ascertain which requirements apply to the business.
- Assess the commonality between the different requirements.
- Create a system that assesses each requirement only once.
Automating the collection of this evidence can allow for continuous compliance—reducing the burden of responding to audit requests, as these can be performed as and when required. HP Server Automation software can provide an integrated solution to automating server operations and demonstrating compliance.
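As an added example written for this page (not code from the post, and not HP Server Automation), here is the 3-step approach above as a small program: requirements from several regimes are mapped to common controls, each control is assessed exactly once against collected evidence, and every regime's status is derived from that single result. The regime names, requirement ids, control ids, evidence values and checks are all constructed placeholders; they are not clauses of any real standard or the output of any real tool.

```python
"""Assess each overlapping requirement once (constructed example).

Illustrates the post's 3-step approach to compliance: list the regimes
that apply, find what their requirements have in common, and build a
system that assesses each common control once and reuses the result for
every regime that asks for it. Regime names, requirement ids, control ids
and the evidence are constructed placeholders, not clauses of any real
standard or output of any real tool.
"""
from typing import Callable, Dict, List, Tuple

Requirement = Tuple[str, str, str]  # (regime, requirement id, common control id)

# Steps 1 and 2 combined: requirements that apply, each mapped to a common control.
REQUIREMENTS: List[Requirement] = [
    ("Regime-A", "A-7.1", "CC-ENCRYPT-AT-REST"),
    ("Regime-B", "B-3.4", "CC-ENCRYPT-AT-REST"),   # same control, different wording
    ("Regime-A", "A-9.2", "CC-PATCH-30D"),
    ("Regime-C", "C-2.1", "CC-PATCH-30D"),
    ("Regime-B", "B-5.0", "CC-MFA-ADMIN"),
    ("Regime-C", "C-8.3", "CC-LOG-RETENTION-1Y"),
]

# Constructed evidence, shaped as an automated collector might return it.
EVIDENCE: Dict[str, dict] = {
    "CC-ENCRYPT-AT-REST": {"volumes": 12, "encrypted_volumes": 12},
    "CC-PATCH-30D": {"hosts": 40, "hosts_patched_within_30d": 37},
    "CC-MFA-ADMIN": {"admin_accounts": 6, "admin_accounts_with_mfa": 6},
    "CC-LOG-RETENTION-1Y": {"retention_days": 400},
}

# One pass/fail test per common control, run once however many regimes ask.
CHECKS: Dict[str, Callable[[dict], bool]] = {
    "CC-ENCRYPT-AT-REST": lambda e: e["encrypted_volumes"] == e["volumes"],
    "CC-PATCH-30D": lambda e: e["hosts_patched_within_30d"] == e["hosts"],
    "CC-MFA-ADMIN": lambda e: e["admin_accounts_with_mfa"] == e["admin_accounts"],
    "CC-LOG-RETENTION-1Y": lambda e: e["retention_days"] >= 365,
}


def common_controls(requirements: List[Requirement]) -> List[str]:
    """Step 2: the distinct controls behind all requirements."""
    return sorted({control for _, _, control in requirements})


def assess_controls(requirements, evidence, checks) -> Dict[str, bool]:
    """Step 3: evaluate every common control exactly once.
    Missing evidence is a fail, never a silent skip."""
    results: Dict[str, bool] = {}
    for control in common_controls(requirements):
        ev = evidence.get(control)
        results[control] = bool(ev) and bool(checks[control](ev))
    return results


def regime_report(requirements, control_results) -> Dict[str, List[str]]:
    """Per-regime view derived from the single assessment: failing requirement ids."""
    report: Dict[str, List[str]] = {}
    for regime, req_id, control in requirements:
        report.setdefault(regime, [])
        if not control_results[control]:
            report[regime].append(req_id)
    return report


def assessments_saved(requirements) -> int:
    """How many repeat assessments the common-control mapping removes."""
    return len(requirements) - len(common_controls(requirements))


if __name__ == "__main__":
    results = assess_controls(REQUIREMENTS, EVIDENCE, CHECKS)
    for regime, failing in regime_report(REQUIREMENTS, results).items():
        print(f"{regime}: {'compliant' if not failing else 'gaps in ' + ', '.join(failing)}")
    print(f"{assessments_saved(REQUIREMENTS)} duplicate assessments avoided")
```

With the constructed evidence, six requirements collapse to four controls, and the one failing control (three hosts outside the patch window) surfaces as a gap in both Regime-A and Regime-C from a single assessment. Treating missing evidence as a failure rather than a skip is what lets the same run answer an audit request at any time, which is the continuous-compliance point of the paragraph above.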
These 6 steps, when followed in a conscientious manner, will help you to mitigate risk in your business. As part of a holistic approach to risk, HP’s Security Intelligence and Risk Management Services can help you:
- Assess risk, plan secure applications and implement security practices
- Improve security, reduce risk and comply with regulatory requirements
- Reduce operating costs, identify vulnerabilities and resolve issues rapidly