Without a complete and thorough risk assessment including all its component parts, you might as well open all your data assets to unbridled exfiltration via Port 80 without any security checks at all. In the end, attackers and criminal digital profiteers will get what they came for in either case.
Defending risks without knowing what those risks are is like playing a round of paintball with your eyes closed — you’ll keep missing your opponent. A risk assessment gives the enterprise a specific, more finely narrowed field of targets for which to aim.
We take a look at some steps you should use on the way to protecting data assets and stores in your enterprise.
Outlining risk assessment particulars
An IT risk assessment involves progressive steps that ensure a proper evaluation of your IT risks and their severity to your organisation. According to M. Scott Koller, counsel at BakerHostetler, these steps include: evaluating data and systems; identifying risks to those systems; evaluating those risks for likelihood, severity, and impact; and identifying controls, safeguards, and corrective measures.
Tools for evaluating your data and systems can include network maps, system inventories, and data audits of collected and stored data, explains Koller. These go beyond simple understandings and high-level views of topologies to encompass your core network(s) with all their servers, switches, routers, hardware, software, and services all the way out to our network edge, gateways, and endpoints, with all their incumbent data, accounting for everything that is or resides within your network. You can’t tally all your risks unless you measure them against all your network assets that could be at risk.
To pool a current and meaningful list of real potential risks to your systems and data assets, consider including a manual empirical phase in your overall approach for measuring IT project risk: take a census of the risks that concern your stakeholders and team members most, making sure to address each system and all data; validate the list and remove any real duplicates; and identify risk types. In other words, whatever else you do to compile a risk list, make sure to simply talk to your people. Any number of them may have seen something new that has escaped inclusion among previously identified risks.
There are also tools that can help the enterprise to identify specific risks. There are tools in the category known as data infrastructure / advanced data analytics that provide a holistic view of real-time situational awareness and a common operating picture of virtually any asset, system, operation or facility to anyone in a vendor-agnostic fashion, operating at near limitless scale, says Steve Sarnecki, Vice President, OSIsoft. IBM and PwC are two more vendors offering products in this category. In this category, there are tools that can cull risk information from enterprise assets to help identify risks.
Metrics and corrective measures
To create a visual metric of the likelihood and severity of the risk, simply rate each risk from one to 10 or one to 100 for its likelihood and then again for its severity. Use the two numbers to plot the risk as a resulting dot on a line graph using X and Y axes. The dots that concentrate in the upper-right corner inside a square that is one-fourth of the whole line graph will comprise the top 25 percent of your risks. These Google Image search results will help to give you an idea of what different sources have developed.
To assess potential impact, remember that impact reaches far beyond financial measures. Look to your organisation’s own history of realised impact. Look at news coverage and IT industry analysis of the realised impacts of organisations in a similar position to yours. Ask your stakeholders about the kinds of impacts that leave them restless.
To identify more controls, safeguards, and corrective measures to enact to mitigate risks, look to industry best practices with a history of success. NIST offers a resource with ample discussion of controls. SANS offers a list and discussion of controls.
“For example, a safeguard that you can implement to reduce the potential risk of a ransomware infection is to update your anti-virus software. You then re-evaluate the risk after implementing the safeguard to determine whether you have sufficiently mitigated the impact and probability of the risk. If not, you should repeat the process,” says Koller.
Level setting results and expectations
Risk assessments won’t eliminate risk but rather should reduce them acceptably. Going back to ransomware as an example, residual risk remains that the anti-virus software won’t prevent the ransomware infection, says Koller. “An organisation must weigh the risk associated with that event with the probability of occurrence and the potential costs associated with additional safeguards,” says Koller. If anti-virus doesn’t do enough, the enterprise may consider adding additional protections.
An enterprise should address the greatest risks, those with the highest likelihood, severity, and costs, first. Without the information that a risk assessment provides, the enterprise cannot adequately protect its data.
For some enterprises, these resources are a reminder of a roadmap, a refresher course on the elements of a risk assessment, and good for sharpening your next gaze into assessing risks. If not, and there’s something completely new here for you, you may want to consider moving up the data on your next evaluation of real risks to your enterprise data.