Data breaches, foreign hackers and corporate espionage: today, it seems that phrases like these are on the tips of every tongue, and not without good reason. As digital literacy, Internet access and affordable technology spread across the globe, the knowledge and skill of attackers are increasing as well. Organizations both public and private are right to be concerned about these risks.
At the same time, “risk” is a broad domain, and while it might seem that we face more risks today than ever before, it remains true that the greatest risks to an organization originate from the inside. From mundane eventualities like power surges, to human error or malicious sabotage, any and every vulnerability within an organization constitutes a “risk”.
While individually a single risk may not amount to much, collectively risks represent a danger that can seriously obstruct – if not destroy – an organization and its mission. But with so many to worry about, how can they be anticipated and successfully prevented?
How to Define Risk
“Risk” is a measure of the likelihood that a vulnerability in a system or asset will be exploited, leading to adverse effects, together with the probable impact of those effects. Impact may be measured in financial loss, operational obstruction or human capital.
The existence of vulnerabilities in any given system or asset can be taken for granted. All technology is flawed in some way, or risk would not exist. While most vulnerabilities are benign, obscure or inert, some are always serious enough to be targeted by threats.
Today, companies face many threats from the outside, including attackers, malware, foreign governments and APT groups. But they face many more from the inside, from malicious employees, to deprecated equipment, human error, poor coding and mishandling of data.
Fortunately, there are many methods to prevent threats from succeeding, and respond when they do. But organizations focused on prevention or remediation cannot skip the discovery process. Before risks can be dealt with, they must first be identified, measured and assessed.
The Role of Risk Assessment
A risk assessment is the controlled, systematic identification and documentation of existing risks, their likelihood of occurrence and their probable impact. A professional risk assessment will follow a careful methodology to ensure that nothing is overlooked, and that remediation is prioritized according to severity.
The purpose of a risk assessment is not merely to prevent risks from occurring, but also to establish a suitable response that will mitigate damages if they do occur. Risk assessments therefore inform organizational policies, providing an objective, quantifiable basis for regulation and best practice.
IT infrastructure and assets change with time as old equipment is discarded, new equipment is acquired, and configuration changes are made on a regular basis. Moreover, the availability of knowledgeable and skilled personnel may change with new hires, transfers or retirement.
For these reasons and many others, risk assessment should be repeated on a regular basis as part of an organization’s overall security and auditing cycle. What held true yesterday will not necessarily hold true tomorrow.
The NIST Framework
The National Institute of Standards and Technology (NIST) publishes a risk management framework for federal agencies, partners and contractors, and maintains the Framework for Improving Critical Infrastructure Cybersecurity (SP 800-30).
NIST’s guidelines for conducting a risk assessment establish six broad steps:
- Identify Threat Sources
- Identify Threat Events
- Identify Vulnerabilities
- Determine the Likelihood of Exploitation
- Determine Probable Impact
- Calculate Risk as Combination of Likelihood and Impact
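The six steps above, carried through on a small risk register as an added example (not code from the article or from Securicon). The five-level scale follows the style of NIST's qualitative assessment scales, but the likelihood-by-impact matrix and the register entries are constructed for illustration and should be checked against the tables in the standard before real use.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Qualitative five-level scale, in the style of NIST's assessment scales.
LEVELS = ["Very Low", "Low", "Moderate", "High", "Very High"]

# Step 6 lookup: rows are likelihood, columns are impact (both ordered as LEVELS).
# Illustrative matrix (assumption for this example), not copied from the standard.
RISK_MATRIX = [
    ["Very Low", "Very Low", "Very Low", "Low", "Low"],       # Very Low likelihood
    ["Very Low", "Low", "Low", "Low", "Moderate"],            # Low likelihood
    ["Very Low", "Low", "Moderate", "Moderate", "High"],      # Moderate likelihood
    ["Very Low", "Low", "Moderate", "High", "Very High"],     # High likelihood
    ["Very Low", "Low", "Moderate", "High", "Very High"],     # Very High likelihood
]

@dataclass
class Risk:
    threat_source: str   # step 1: who or what could cause harm
    threat_event: str    # step 2: what they could do
    vulnerability: str   # step 3: the weakness that makes the event possible
    likelihood: str      # step 4: likelihood of exploitation
    impact: str          # step 5: probable impact if it happens

def _index(level: str) -> int:
    """Validate a scale value so typos in the register fail loudly, not silently."""
    if level not in LEVELS:
        raise ValueError(f"unknown level {level!r}; expected one of {LEVELS}")
    return LEVELS.index(level)

def risk_level(likelihood: str, impact: str) -> str:
    """Step 6: combine likelihood and impact into a single qualitative risk level."""
    return RISK_MATRIX[_index(likelihood)][_index(impact)]

def prioritize(register: List[Risk]) -> List[Tuple[str, Risk]]:
    """Score every entry and order the register most severe first for remediation."""
    scored = [(risk_level(r.likelihood, r.impact), r) for r in register]
    return sorted(scored, key=lambda pair: _index(pair[0]), reverse=True)

# Constructed sample register mixing the external and internal sources the article names.
SAMPLE_REGISTER = [
    Risk("External attacker", "Malware delivered by phishing email", "Unfiltered attachments", "High", "High"),
    Risk("Employee (human error)", "Customer data mishandled in email", "No outbound data checks", "Moderate", "Moderate"),
    Risk("Environment", "Power surge takes down file server", "No surge protection or UPS", "Low", "High"),
    Risk("Deprecated equipment", "End-of-life firewall left unpatched", "Vendor support ended", "High", "Very High"),
]

if __name__ == "__main__":
    for level, r in prioritize(SAMPLE_REGISTER):
        print(f"{level:9} {r.threat_event} ({r.vulnerability})")
```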
Other standards bodies follow NIST’s framework closely in their own publications, making it a de facto industry standard for conducting regular, thorough risk assessments as part of an overall risk management program.
Simplified, Productive Assessments
Risk is inevitable. It is a consequence of using technology and systems built by people in a world populated by people, some of them good, some bad, and none perfect. But being caught off guard is not inevitable. And when a breach, attack or system failure hits, those who are prepared will suffer the least and recover fastest.
Securicon’s risk management solutions are based on the industry standards for safety and professionalism. With years of experience in IT and critical infrastructure, we are here to protect your organization and ensure the highest quality of compliance. Contact us for more information on our Risk Assessment framework.