Risk Management: Understanding What’s Important to You and How to Protect It
by Chris Steffen, Research Director, EMA
There was once a popular myth that if you were a small enough company, you were less likely to be a target for the bad-guy hackers who troll the internet searching for their latest victim. That was never really true, and it is even less true now: automated attacks and bots have made it exponentially easier for the bad guys to go after whoever presents the easiest path of attack – big, small, any vertical, any business…EVERYONE is a potential target.
Risk management was once something only the largest companies could justify spending the resources to deploy, but technological advances have made it a critical component of every company’s security strategy. Even companies that can’t afford dedicated security staff can still deploy best-in-class risk management solutions to defend themselves against zero-day attacks, ransomware, and a variety of other incidents that could detrimentally impact their most important processes and assets.
To start on your risk management journey, consider a plan that contains the following parts:
- Identification and Classification – Getting a handle on the risks to the company. It is critical to create a comprehensive list of assets and processes so each can be properly evaluated for risk and importance.
- Evaluation and Analysis – After the potential risks have been identified, they must be evaluated and analyzed for their impact and importance. There are plenty of methods and strategies for risk scoring, and finding the right method of analysis and evaluation is important – it could be as simple as “low-medium-high” or as complicated as a multi-control scoring system based on a myriad of factors.
- Testing and Mitigation – Once the risks are evaluated, the controls that mitigate each risk should be tested for effectiveness. Testing and evaluation may also show that accepting a given risk is an acceptable outcome.
- Monitoring and Managing – After testing is complete, a system must be developed to monitor those controls for continued effectiveness and to manage new and existing risk factors.
I’ll be discussing these strategies during my February 24th webinar, “How Well do You Measure Up on the Cyber Hygiene Meter? Best Practices to Avoid Ending up in Tomorrow’s Headlines,” if you would like to learn more.