Security threats are clearly on the rise, so for companies with concerns a Risk Assessment is the first step in mitigating them. Just hours ago I received a phishing attempt to access my Apple ID via a spoofed Apple email address, with a link to a server in Georgia, and I don’t mean Atlanta.
Let’s say you haven’t performed a Risk Assessment and one of your fellow employees clicks on that link and enters their Apple ID and password. What valuable information can be lost? Now say the email doesn’t look like it’s coming from Apple but rather from your network admin, or from a cloud-based service you use like Salesforce.com. What proprietary data is at risk? How much will it cost your company? If you want to look at things more personally, ‘what about my job?’ is a fair question to ask yourself as well.
To answer the questions above thoroughly, you’ll need to have a Risk Assessment performed. This way, when it hits the fan, you’ll know exactly what needs cleaning up.
There are four parts to any good risk assessment: Asset Identification, Risk Analysis, Risk Likelihood & Impact, and Cost of Solutions.
Asset Identification – This is a complete inventory of all of your company’s assets, both physical and non-physical. From there you’ll want to evaluate what each asset is worth. A $5,000 server’s worth is not its purchase price but a range of additional factors, like what it would cost to fix or replace it should it break or be hacked, and what the data and services on it are worth to the business while it is down. You may want to start with a telecom audit, starting at $2,500, just to get a handle on what assets you actually have out in the field.
Risk Analysis – This is where you’ll assign both quantitative and qualitative values to each risk, estimate its probability, and decide on strategies to reduce it. For example, if a single data center is where all your data storage and processing takes place, that concentration is itself a risk; you can mitigate it with a hybrid approach incorporating both AWS and Azure to offload some of that compute and reduce the impact of a failure. At the same time, look at exactly what you have in the cloud and what the impact would be if one of your cloud providers fails.
Risk Likelihood & Impact – This is the part of your risk assessment where you’ll rate each risk’s probability and its impact. Your Annual Loss Expectancy (ALE) is obtained by multiplying your Single Loss Expectancy (SLE, what one occurrence will cost) by your Annual Rate of Occurrence (ARO, how many times per year it will happen): ALE = SLE × ARO. This is where subjective opinions may clash, but your organization should rely on IT experts to make these calls and assign the values. One of the most common mistakes we run across in businesses is the in-house data center with no alternative site. Adding colocation may seem expensive until a storm floods your data center.
Cost of Solutions – Now is your chance to justify your budget with finance. If the cost of the solution far outweighs the expected loss (how likely an event is times what it would cost you), there’s no justification. There’s no reason to build Fort Knox to protect a couple of dollars, and no reason for a Palo Alto device with all the bells and whistles in a small home office; a SonicWall will probably do just fine. The cost test cuts both ways, though: you can’t have an outdated firewall protecting sensitive health or financial information, whatever the arithmetic says.
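The ALE arithmetic from the Risk Likelihood & Impact step and the cost test from the Cost of Solutions step are easiest to see side by side. The script below is an added example, not part of the original article: it computes SLE and ALE for a few constructed scenarios (the flooded data center and the home-office firewall from the text) and then decides whether a proposed control pays for itself. The exposure-factor step (SLE = asset value × exposure factor) and the safeguard-value formula (ALE before the control minus ALE after it minus the control’s annual cost) are the standard quantitative-risk formulation and are assumptions beyond what the article states; every dollar figure, ARO and exposure factor is made up for illustration, not real pricing or incident data.

```python
"""Quantitative risk assessment: ALE = SLE * ARO, plus a safeguard cost test.

Added example, not code from the original article. The exposure-factor step
(SLE = asset value * exposure factor) and the safeguard-value formula
(ALE before - ALE after - annual cost of the control) are the standard
quantitative-risk formulation, assumed here rather than stated on the page.
All numbers below are constructed sample inputs.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float      # replacement/recovery value in dollars (Asset Identification step)
    exposure_factor: float  # fraction of asset value lost in one incident, 0.0 .. 1.0
    aro: float              # Annual Rate of Occurrence, e.g. 0.1 = once every ten years

    def sle(self) -> float:
        """Single Loss Expectancy: what one occurrence costs."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annual Loss Expectancy: SLE multiplied by ARO, as in the article."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float                  # purchase amortised per year plus support/licensing
    residual_aro: float                 # ARO once the control is in place
    residual_ef: Optional[float] = None  # exposure factor after the control; None = unchanged
    required_by_policy: bool = False    # e.g. regulatory baseline for health/financial data


def residual_ale(risk: Risk, control: Control) -> float:
    """ALE that remains after the control is applied."""
    ef = risk.exposure_factor if control.residual_ef is None else control.residual_ef
    return risk.asset_value * ef * control.residual_aro


def safeguard_value(risk: Risk, control: Control) -> float:
    """Annual value of the control: loss avoided minus what the control costs."""
    return risk.ale() - residual_ale(risk, control) - control.annual_cost


def justified(risk: Risk, control: Control) -> bool:
    """The Cost of Solutions test. A policy-mandated control is kept regardless of
    the arithmetic: an end-of-life firewall in front of regulated data is not an
    option just because the ALE looks small."""
    return control.required_by_policy or safeguard_value(risk, control) > 0


def best_control(risk: Risk, controls: List[Control]) -> Optional[Control]:
    """Of the controls that pass the cost test, pick the one with the highest annual value."""
    candidates = [c for c in controls if justified(risk, c)]
    if not candidates:
        return None
    return max(candidates, key=lambda c: safeguard_value(risk, c))


# Constructed scenarios (hypothetical figures).
FLOOD = Risk("in-house data center flooded", asset_value=500_000, exposure_factor=0.6, aro=0.1)
COLO = Control("colocation with failover site", annual_cost=18_000, residual_aro=0.01)

HOME_OFFICE = Risk("home-office perimeter compromise", asset_value=20_000, exposure_factor=0.5, aro=0.2)
ENTERPRISE_FW = Control("enterprise NGFW with full subscriptions", annual_cost=8_000, residual_aro=0.02)
SMB_FW = Control("SMB firewall", annual_cost=600, residual_aro=0.05)

CLINIC = Risk("clinic patient records exposed via EOL firewall", asset_value=200_000, exposure_factor=0.8, aro=0.05)
SUPPORTED_FW = Control("supported firewall replacing EOL unit", annual_cost=4_000, residual_aro=0.04,
                       required_by_policy=True)


def report(risk: Risk, controls: List[Control]) -> None:
    print(f"{risk.name}: SLE ${risk.sle():,.0f}  ARO {risk.aro}  ALE ${risk.ale():,.0f}")
    for c in controls:
        verdict = "justified" if justified(risk, c) else "not justified"
        print(f"  {c.name}: cost ${c.annual_cost:,.0f}/yr, residual ALE ${residual_ale(risk, c):,.0f}, "
              f"value ${safeguard_value(risk, c):,.0f}/yr -> {verdict}")


if __name__ == "__main__":
    report(FLOOD, [COLO])
    report(HOME_OFFICE, [ENTERPRISE_FW, SMB_FW])
    report(CLINIC, [SUPPORTED_FW])
```

Run it and the three scenarios play out the way the text argues: colocation at $18,000 a year comfortably beats a $30,000 ALE for the flood-prone data center, the enterprise firewall loses money in a home office while the SMB box pays for itself, and the clinic’s firewall replacement goes through on the policy flag even though the ALE reduction alone would not cover its cost. The values you feed in are the subjective part the article warns about; the formulas just make the disagreement explicit and reviewable.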