Steps for conducting a risk assessment
Compromised business functions usually result in losses. If your business sells an average of $1,000 an hour and your sales system goes down for 2 hours, you experience a loss. The loss in this instance is not just the $2,000 in missed sales: add the cost of the repair and the cost of future revenue lost. Customers who were turned away may not return, and they will not refer others, so that future revenue is gone as well. This is why conducting a risk assessment is a good idea.
Let’s start by defining risk as the likelihood that a loss will occur, weighed against how large that loss would be. A loss happens when a threat exploits a vulnerability. Many tools exist for conducting risk assessments, but we won’t cover those here at the moment.
The first step is to identify all components of your network. This includes hardware, software, data, services, and IT infrastructure. Employees and other system users should also be part of your audit; we include them because of the potential for social engineering attacks. As I mentioned before, there are tools that allow you to scan a network and find the resources on it. Depending on the one you choose, you might get just a list of hardware, or it might include the software installed on each component. Some can generate reports on user accounts as well. These are useful for finding active accounts that should be deactivated. For example, an account that hasn’t been used in over 30 days likely belonged to an employee who is no longer with the company and that someone forgot to deactivate. Verify before you disable it, though: service accounts and break-glass accounts may legitimately go months without an interactive login.
Nmap is a good free open source network scanner, useful for building a network inventory. It makes a nice network assessment tool because, depending on the type of scan you run, it will list the devices on your network, their open ports, the services behind those ports (service detection, the -sV option) and a guess at the operating system of each device (OS detection, the -O option). Treat the OS guess as exactly that; Nmap reports an accuracy percentage alongside it. Only scan networks you own or have written permission to scan, and expect the scan to show up in the logs of any intrusion detection system on that network. There are also paid options that offer much more in terms of reporting and functionality.
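As an added example (my code, not something from the original post), here is how the inventory step above can be automated: parse the XML report Nmap writes with -oX into an asset list, compare it against the asset register to find devices nobody knows about, and flag accounts that have been idle for more than 30 days. The Nmap XML, the asset register and the last-login table are constructed sample data; the command assumed to have produced the report is `nmap -sV -O -oX scan.xml 192.168.1.0/24`.

```python
"""Added example: build an inventory from an Nmap XML report, find unregistered
hosts and stale user accounts. Sample data below is constructed, not a real scan."""
import xml.etree.ElementTree as ET
from datetime import date, timedelta

# Constructed Nmap -oX output, trimmed to the elements this script reads.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -O -oX scan.xml 192.168.1.0/24">
  <host><status state="up"/>
    <address addr="192.168.1.10" addrtype="ipv4"/>
    <hostnames><hostname name="fileserver.corp.local" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="8.2p1"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
    </ports>
    <os><osmatch name="Microsoft Windows Server 2019" accuracy="97"/></os>
  </host>
  <host><status state="up"/>
    <address addr="192.168.1.57" addrtype="ipv4"/>
    <hostnames/>
    <ports>
      <port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
      <port protocol="tcp" portid="80"><state state="closed"/><service name="http"/></port>
    </ports>
    <os><osmatch name="Linux 3.X" accuracy="90"/></os>
  </host>
  <host><status state="down"/>
    <address addr="192.168.1.99" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

# Constructed asset register: what IT believes is on the network.
ASSET_REGISTER = {"192.168.1.10": "file server (IT)", "192.168.1.20": "printer (office)"}

# Constructed last-login table, e.g. exported from a directory or from `lastlog`.
# None means the account has never logged in interactively.
LAST_LOGIN = {"alice": date(2024, 6, 1), "bob": date(2024, 3, 2), "svc-backup": None}


def parse_inventory(xml_text):
    """Return one dict per host that is up: address, hostname, open ports, OS guess."""
    root = ET.fromstring(xml_text)
    inventory = []
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # down hosts carry no useful inventory data
        addr = host.find("address[@addrtype='ipv4']").get("addr")
        name_el = host.find("hostnames/hostname")
        ports = []
        for port in host.findall("ports/port"):
            if port.find("state").get("state") != "open":
                continue  # closed/filtered ports are not exposure
            svc = port.find("service")
            label = svc.get("name", "unknown") if svc is not None else "unknown"
            if svc is not None and svc.get("product"):
                label += " (" + " ".join(filter(None, [svc.get("product"), svc.get("version")])) + ")"
            ports.append((int(port.get("portid")), port.get("protocol"), label))
        osmatch = host.find("os/osmatch")
        inventory.append({
            "addr": addr,
            "hostname": name_el.get("name") if name_el is not None else "",
            "open_ports": sorted(ports),
            "os_guess": osmatch.get("name") if osmatch is not None else "unknown",
            "os_accuracy": int(osmatch.get("accuracy")) if osmatch is not None else 0,
        })
    return inventory


def unregistered_hosts(inventory, register):
    """Hosts that answered the scan but are missing from the asset register."""
    return [h["addr"] for h in inventory if h["addr"] not in register]


def stale_accounts(last_login, today, max_idle_days=30):
    """Accounts idle longer than max_idle_days; never-used accounts count as stale."""
    cutoff = today - timedelta(days=max_idle_days)
    return sorted(u for u, d in last_login.items() if d is None or d < cutoff)


if __name__ == "__main__":
    inv = parse_inventory(SAMPLE_NMAP_XML)
    for h in inv:
        print(f"{h['addr']:15} {h['hostname'] or '-':24} {h['os_guess']} ({h['os_accuracy']}%)")
        for portid, proto, label in h["open_ports"]:
            print(f"    {portid}/{proto} {label}")
    print("Not in asset register:", unregistered_hosts(inv, ASSET_REGISTER))
    print("Stale accounts:", stale_accounts(LAST_LOGIN, date(2024, 6, 10)))
```

The unregistered-host list is where the real findings usually are: a device nobody has recorded is a device nobody is patching. The closed port on 192.168.1.57 is deliberately dropped so the inventory reflects exposure rather than everything Nmap probed. If the XML comes from a scanner you do not control, parse it with defusedxml rather than the standard library parser.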
Identify risks to manage
For each risk you find, you need to decide whether to avoid, transfer, mitigate or accept it. The decision should be based on how likely the risk is to occur and what the impact on the organization would be. Remember that your risk assessment is meant to identify all risks, not just those from malicious actors. Your network and data can be lost to an earthquake or flood, for example.
Avoiding the risk – If certain processes or devices carry high risk, you may choose to remove them from your business entirely. An example would be storing credit card information. You may choose not to store card data for automatic billing and instead send out automatic invoices; data you never hold cannot be stolen from you.
Transfer the risk – It’s common to transfer risk in many aspects of business. You can transport expensive equipment yourself and bear the risk of it being damaged in an accident, or you can transfer the risk by hiring a transportation company that assumes the risk and is liable for the equipment. In an IT environment, it’s common to outsource certain projects or parts of a project to an outside party, and the other company assumes the risk of an error in the implementation. Keep in mind that a contract transfers liability, not accountability: if a vendor loses your customers’ data, your customers still hold you responsible.
Mitigate the risk – A risk assessment is useless if you don’t act on what it finds. Controls allow you to mitigate, that is reduce, a risk. Training people against threats is one example: informing your personnel about the risk of plugging in an unknown USB drive may prevent breaches that use that method.
Accepting risk – Opening a web store to sell online means accepting the risk of an attack; the profit from online sales in this example outweighs the risk. Another example is hiring someone with years of industry experience who is not very computer savvy. There is a risk that the person accidentally deletes important documents or causes other issues on the network, but their industry knowledge and experience are worth more than the time it would take to recover documents from backups, so the risk is worth taking. Accepted risks should still be written down, with who accepted them and why, so the decision can be revisited at the next assessment.
Select your controls
Identify and select your control methods (countermeasures). For each of the identified risks you chose to mitigate, decide how to address it so as to minimize the impact and reduce the vulnerability. Some controls are software based, like anti-virus or password managers. Others are hardware based, like multi-factor authentication smart cards or keys. Others are policy based, either written policies or policies enforced server side.
Implement and test your controls
Implementing the controls is likely the hardest part of risk management. It involves coordination between the IT team and management. Rolling out a new solution like a password manager involves training employees, and it involves working with management to decide how the password controls will be managed. Server side policies that prevent users from completing tasks may affect productivity, and if done incorrectly they will generate lots of support tickets as well. Once a control is implemented, actually test it to ensure it does what you intended, for example by attempting the behaviour it is supposed to block.
Evaluate your controls
Risk management is a never ending process. Controls that work at the time of implementation may stop working as your network changes and new technologies and new attack vectors appear. Performing regular assessments is the best way to evaluate your controls.
If you need help conducting a risk assessment or are looking for an independent audit of your systems, give us a call for a free quote.