We unfortunately live in a time when information security professionals can all agree with the statement “It’s not a matter of if you will be attacked, it’s a matter of when.” It is a scary thought from both a personal and a business perspective. In the past few posts we briefly discussed a few of the methods hackers use to gain the upper hand against us, and a couple of overall solutions to fight back. But you may be in a situation where you don’t know where to start, or you’re not sure whether you’ve done enough. This is where proper risk analysis comes into play.
Before we get into the analysis itself, you must first identify your key assets. Start by asking yourself: what are the one or more items that, if I lost them or they fell into the wrong hands, could cost me my business? Whether those are business files, client files, software, hardware, etc., you need to focus on protecting those items. Once you have identified those key assets, you can then use a qualitative or quantitative (or both) method to identify each asset’s value, its vulnerabilities, and the potential threats against it (its risk). Once those are identified, move on to implementing the proper countermeasures to protect against those risks.
However, determining those factors can be very difficult and time consuming. As a business owner, you may think every business file is worth millions, even your contact list, but remember that this analysis is purely business. You must have that mindset when determining an asset’s true value. Once you know its value, it is time to find its vulnerabilities. In the case of data files or a software system, you will most likely need to seek professional help to perform a security assessment and get full details about your asset’s vulnerabilities. Those same professionals can also help you determine the potential threats against these assets using that very same information.
So far, you have outlined the risk to each asset; now you need to figure out what to do about it. You can remove the risk: maybe your vulnerability assessment showed that an old Windows XP machine is your only (current) risk, so you remove it from your network and replace it with a newer machine. You can transfer it: this is most commonly done with company websites being hosted by a third party, who then takes on the risk of running the website. You can accept it: you do this when you drop full-coverage insurance on your vehicles, accepting all future damage to your cars as your own responsibility. Or you can minimize it: this is where you put in countermeasures such as a firewall, anti-virus, or encryption to better protect your network and its data.
Whichever you choose, it must make good business sense. To use the car example again, you wouldn’t invest $2000 in a new alarm system if the car is only worth $1200. So get to know what your true assets are, what they are worth, and the potential threats against them. Once you do, you can take all the steps necessary to protect your assets at a cost that makes sense to your business.
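To make the quantitative method and the four treatment options concrete, here is an added worked example; it is not code from the original post. It uses the standard single loss expectancy / annualized loss expectancy (SLE, ARO, ALE) calculation, which the post does not name, and compares the yearly cost of accepting, removing, transferring, or minimizing each risk. Every dollar figure, incident rate and exposure fraction is constructed for illustration, and amortizing the one-time $2000 alarm over a five-year life is an assumption of this example.

```python
"""Quantitative risk analysis: SLE/ARO/ALE and treatment selection.

Added example, not from the original post. All figures are constructed.
"""
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    value: float            # asset value (AV) in dollars, judged as a business figure
    exposure_factor: float  # fraction of the value lost in one incident (EF), 0..1
    annual_rate: float      # expected incidents per year (ARO)


@dataclass
class Countermeasure:
    name: str
    annual_cost: float       # yearly cost of the control (amortize one-time costs)
    residual_rate: float     # ARO after the control is in place
    residual_exposure: float # EF after the control is in place


def single_loss_expectancy(asset: Asset) -> float:
    """SLE = AV * EF: what one incident costs."""
    return asset.value * asset.exposure_factor


def annual_loss_expectancy(asset: Asset) -> float:
    """ALE = SLE * ARO: expected loss per year if the risk is simply accepted."""
    return single_loss_expectancy(asset) * asset.annual_rate


def residual_ale(asset: Asset, cm: Countermeasure) -> float:
    """Expected yearly loss that remains after a countermeasure is applied."""
    return asset.value * cm.residual_exposure * cm.residual_rate


def treatment_costs(asset, controls=(), transfer_fee=None, removal_cost=None):
    """Yearly cost of each available treatment for this asset.

    accept   -> you carry the full ALE yourself
    minimize -> control cost plus whatever loss the control does not prevent
    transfer -> the fee paid to the party that now carries the risk
    remove   -> yearly cost of retiring/replacing the risky component
    """
    costs = {"accept": annual_loss_expectancy(asset)}
    for cm in controls:
        costs[f"minimize:{cm.name}"] = cm.annual_cost + residual_ale(asset, cm)
    if transfer_fee is not None:
        costs["transfer"] = transfer_fee
    if removal_cost is not None:
        costs["remove"] = removal_cost
    return costs


def recommend(asset, **options):
    """Return (cheapest treatment, all costs); 'good business sense' = lowest yearly cost."""
    costs = treatment_costs(asset, **options)
    return min(costs, key=costs.get), costs


# Constructed scenarios echoing the post's three examples.
CAR = Asset("car", value=1200, exposure_factor=1.0, annual_rate=0.1)
ALARM = Countermeasure("alarm", annual_cost=2000 / 5,   # $2000 amortized over 5 years (assumed)
                       residual_rate=0.02, residual_exposure=1.0)

XP_MACHINE = Asset("windows-xp-box", value=5000, exposure_factor=0.8, annual_rate=0.5)
HOST_HARDENING = Countermeasure("firewall+av", annual_cost=300,
                                residual_rate=0.2, residual_exposure=0.8)

WEBSITE = Asset("company-website", value=20000, exposure_factor=0.5, annual_rate=0.3)


def run_scenarios():
    """Evaluate all three constructed scenarios; returns {asset: chosen treatment}."""
    results = {}
    results[CAR.name], _ = recommend(CAR, controls=[ALARM])
    results[XP_MACHINE.name], _ = recommend(
        XP_MACHINE, controls=[HOST_HARDENING], removal_cost=800 / 4)  # new PC over 4 yrs
    results[WEBSITE.name], _ = recommend(WEBSITE, transfer_fee=1200)  # third-party hosting
    return results


if __name__ == "__main__":
    for asset in (CAR, XP_MACHINE, WEBSITE):
        print(f"{asset.name}: SLE=${single_loss_expectancy(asset):,.0f} "
              f"ALE=${annual_loss_expectancy(asset):,.0f}/yr")
    for name, choice in run_scenarios().items():
        print(f"{name}: {choice}")
```

The decision rule is deliberately simple: every treatment is reduced to a yearly cost and the cheapest wins, which is exactly the car-alarm comparison in the text. In practice the exposure factors and rates are the hard part, and they are where the security assessment the post recommends feeds in.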