Will there ever be a time when organizations can predict and pre-empt cyberattacks before they take place? Such a utopia would need threat intelligence systems powered by deep learning. So for now, every organization should assume that someone will definitely attack them, and prepare accordingly.
However, a recent survey suggests that close to 70 percent of organizations are not prepared for a cyberattack.
Kevin Mitnick, arguably the world's most famous hacker, says, "You can never protect yourself 100 percent. What you do is protect yourself as much as possible and mitigate risk to an acceptable degree. You can never remove all risk." The ever-presence of risk makes performing IT risk assessment critical for businesses.
To perform an effective data security risk assessment, organizations must:
1. Identify all valuable data assets
The best way for a company to identify which data assets are valuable is by understanding the nature of their business. Companies should ask themselves how they generate revenue and profit – identifying the data that is critical to their day-to-day operations. Companies should consider things such as client contact information, product design files, trade secrets and roadmap documents as their most important assets. Regardless of the type of data companies identify as critical, it's necessary for them to understand how all of this data flows in their networks and identify which computers and servers are used to store this data.
To best protect these data assets, companies need a central risk team. In small and medium sized businesses, this is often made up of top executives. For larger enterprise companies, a hybrid model of risk management may be needed, where each functional head can be assigned as the risk owner for their department's function.
2. Estimate business impact due to loss
Risk and impact assessment go hand-in-hand. For each valuable data asset, organizations must estimate the corresponding negative financial impact of a compromise or loss. Apart from direct costs, loss estimates should also include intangible costs such as reputational damage and legal ramifications. A common format for documentation must be used across teams for uniformity.
3. Determine threats to the business
A threat is anything that has the potential to cause harm to the valuable data assets of a business. The threats companies face include natural disasters, power failure, system failure, accidental insider actions (such as accidental deletion of an important file), malicious insider actions (such as a rogue agent gaining membership to a privileged security group), and malicious outsider actions (such as phishing attacks, malware, spoofing, etc.). Each company should have its central risk team determine the most probable threats and plan accordingly.
4. Analyze vulnerabilities
A vulnerability is a weakness or gap in a company's network, systems, applications, or even processes which can be exploited to negatively impact the business. Vulnerabilities can be physical in nature (such as old and outdated equipment), they can involve weak system configurations (such as leaving a system unpatched or not following the principle of least privilege), or they can result from awareness issues (such as untrained staff). Similar to determining threats, analyzing vulnerabilities is also best completed by the central risk team. The team may find it helpful to use scanning tools to perform a thorough systems analysis, and penetration testing or ethical hacking techniques could also be used to delve deeper.
5. Establish a risk management framework
Risk is a business construct, but it can be represented by the following formula: Risk = Theat X Vulnerability X Business impact.
To reduce risk, IT teams need to minimize the threats they're exposed to, the vulnerabilities that exist in their environments, or a combination of both. From the business side, management may also decide to evaluate the business impact of each data asset and take measures to reduce it. The central risk team must assign risk values of high, medium, or low for the potential loss of each valuable data asset.
Using this process, a company can determine which data asset risks need to be prioritized. This is a highly-involved process and must be done carefully. Once completed, a company should come up with solutions or redressal for each identified risk, and the associated cost for each solution.
After a framework is in place, companies should determine what level of risk they're comfortable taking. Do they want to address all the risks or do they only want to address risks identified as high? The answer to this question will vary from company to company, and the estimated total cost of the solutions, along with projected return on investment, will have a huge bearing on the risk appetite.