Back to Cybersecurity Basics – Part 4: Information Risk Management
With every decision we make, at work or at home, we are constantly undertaking a risk analysis, whether consciously or subconsciously.
I have a 3-year-old son who has a slight cold. Yesterday he wanted to go to the park and I had to subconsciously undertake a risk assessment based on whether him going outside would impact his health. During this risk assessment, I had to decide how likely it was that taking him to the park would result in him becoming ill and what impact that would have on him... and me!
As it happened, the risk wasn’t too great and much to his delight he spent a good hour swinging, sliding and generally running around like a maniac.
This is just one example of me subconsciously managing a risk, and managing Information Risk in a corporate environment works in much the same way – albeit in a more conscious, structured way.
It’s impossible for a company to grow without accepting some sort of risk. For example, if a business wants to grow its team and employ somebody new, it doesn’t matter how stringent the recruitment process is, there will be an element of risk involved.
Information Risk is concerned with how organisations collect, manage, secure and use the data they hold. Remember that different departments, and teams within those departments, will have their own way of doing this.
The first step towards managing this risk is understanding what information assets you have that need to be protected, and how this information is used. Once you know this you can start to investigate how your assets can be compromised. This will allow you to start thinking about what you need to do to protect them.
Information risk is generally placed in one of three categories:
Confidentiality – Ensuring only those who have the right authority to access sensitive information can do so.
Integrity – Ensuring the completeness and accuracy of data.
Availability – Ensuring the correct information is available to those with the right authority at the right time. This is particularly important within the NHS where people’s well-being is at stake.
As with any business decision, you must ascertain what the risk is, what the impact on your business will be and how likely it is that the risk will occur. Once we understand this, we can make informed decisions on a risk vs reward basis and decide whether the risk is acceptable.
Not my Problem
Despite the fact we’re talking about data and information, Information Risk is not the sole responsibility of IT. It is the business that must decide what is an acceptable risk and what isn’t. Some businesses may do this by creating specific outcomes for different levels of risk.
Once decided, this must then be communicated to departmental heads and, if appropriate, line managers, who have a better understanding of what data they work with, the specific risks associated with that data, and how they use it.
Once this is understood the various departments, alongside their InfoSec colleagues, can identify the possible causes of negative outcomes and understand how likely it is these outcomes will occur and what the impact could be. These risks should be reviewed regularly, and any necessary amendments made.
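The process described above (identify assets and how they can be compromised, rate the worst impact across Confidentiality, Integrity and Availability, weigh it against likelihood, apply the outcome the business agreed for that level of risk, and review regularly) as a small risk register. This is an added example, not code from the post or the NCSC guidance; the scoring scales, outcome bands, 90-day review cadence and sample entries are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Scales, bands and review cadence are assumptions for this example; the post prescribes none.
IMPACT = {"low": 1, "medium": 2, "high": 3, "critical": 4}
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4}
BANDS = [(4, "accept"), (8, "mitigate"), (16, "escalate to board")]  # outcome per score band (constructed)

@dataclass
class Risk:
    asset: str
    scenario: str      # how the asset could be compromised
    impact: dict       # worst plausible impact per C/I/A category
    likelihood: str
    owner: str         # departmental head or line manager who owns the decision
    reviewed: date     # last time this entry was reassessed

def score(risk: Risk) -> int:
    """Worst impact across confidentiality, integrity and availability, times likelihood."""
    worst = max(IMPACT[level] for level in risk.impact.values())
    return worst * LIKELIHOOD[risk.likelihood]

def outcome(risk_score: int) -> str:
    """Map a score to the outcome the business defined for that band."""
    for ceiling, action in BANDS:
        if risk_score <= ceiling:
            return action
    return BANDS[-1][1]

def build_register(risks: list) -> list:
    """Rank risks highest first, with the required action and the owner who must act."""
    rows = [(score(r), r) for r in risks]
    rows.sort(key=lambda row: row[0], reverse=True)
    return [(r.asset, s, outcome(s), r.owner) for s, r in rows]

def overdue(risks: list, today: date, days: int = 90) -> list:
    """Entries not reassessed within the cadence: managing risk is not a one-off activity."""
    return [r.asset for r in risks if (today - r.reviewed).days > days]

# Constructed sample register for an NHS-style organisation.
SAMPLE = [
    Risk("patient records", "unencrypted export on a lost laptop",
         {"C": "high", "I": "low", "A": "low"}, "possible", "records manager", date(2018, 1, 10)),
    Risk("appointment system", "ransomware takes the booking system offline",
         {"C": "low", "I": "medium", "A": "critical"}, "unlikely", "IT operations", date(2018, 5, 2)),
    Risk("staff directory", "stale entries after leavers are not removed",
         {"C": "low", "I": "low", "A": "low"}, "likely", "HR", date(2018, 4, 20)),
]
```

Calling `build_register(SAMPLE)` ranks the patient-records scenario first for board escalation, and `overdue(SAMPLE, date(2018, 6, 1))` flags it as the one entry not reviewed within 90 days.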
According to the National Cyber Security Centre…
‘Managing risk is not a one-off activity. In order to make sensible decisions about what you are doing to protect the things that you care about, risk needs to be managed all the time, and must be integral to what you do.’
This means that, as well as security by design, organisations must also consider building risk management decisions into their day-to-day work.
As this risk information is fed back up the chain of command it can lead to conflict between Information Risk professionals and Boards as their priorities clash.
This was evident through a comment made by an Information Risk professional at a large FinServ organisation…
‘One of the main problems I have with the traditional asset identification risk assessment cycle is that it’s weighted heavily in favour of the organisation’s perspective. If I had a quid for every time I heard, “they’re the business’s risks…” and so the business assesses what it thinks are the main dangers to its assets. It’s usually never well informed about the stance the attackers have. All of them, disparate, differently motivated with different capabilities, resources and focus.
Organisations have got to evolve their attitudes to risk and properly understanding the threat *and specifically the threat to them* is lagging.’
Managing information risk is a fine balancing act between the needs of the business and the need to be secure. However, as we are now consistently told, data is a company’s most valuable asset, and securing it MUST work its way up the priority list of Boards. CISOs and their cybersecurity colleagues have a difficult job on their hands convincing their colleagues of its importance, and there is still much work to do.
It’s important to remember that there will be limitations to your risk management approach and you must continually look at how you identify, analyse, assess and manage risks to understand what improvements can be made.
Getting Information Risk Management right is going to be even more important as we progress through 2018, and the cost of getting it wrong could be substantial.