July 26, 2017
When you think about the toxic events that can poison an IT system, the sheer range of possibilities is intimidating. A crippling breach, human error, a data center fire, a ransomware attack: IT risk seems like a vast expanse where anything can happen.
But much like insuring a car or home, your security program should reflect the actual risks at hand. That includes your backup and disaster recovery (BDR) program, which should be designed to protect your most valuable assets. But if you don’t know what assets are fueling your success or what events are most likely to ruin or steal them, you won’t protect them adequately. We guarantee it.
A good risk assessment is the foundation of safeguarding your digital health. By doing the groundwork to assess your system weaknesses, anticipate risks and design strategies that help you recover quickly and fully from disaster, you can create a safer infrastructure - one that's more reliable for users and more cost-effective for your team.
Risk assessments aren't just recommended, by the way - they're often required, as in HIPAA’s Security Rule. They can also justify security expenditures. Dealing with an outdated BDR system or inadequate security controls can be an obvious risk to the team that manages it, but making the business case to C-suite leaders for new tools usually requires proof in black and white numbers. A risk analysis doesn't just help you identify your top vulnerabilities - it makes the case for you in quantitative and qualitative terms.
How to Rank Your Risk
IT risk is measured by likelihood and impact factors. Listing the risk events potentially lying in wait for your organization is a good start, but you must also assess the probability of them happening, calculate the havoc they could wreak on your organization and then begin assigning numeric ratings to those conclusions. The final step: deciding which new controls you’ll need to implement to manage or mitigate those risks.
To get an accurate idea of which risks rank higher than others for your assets, you’ll use a scale for each factor (likelihood and impact) associated with each risk.
Step 1: First you’ll want to identify what is at risk. What are you protecting? What kind of data are you receiving and transmitting? Where is your most valuable data stored? Which systems and applications are mission critical – and how are they vulnerable? Don’t forget to examine your security practices as well as any technical vulnerabilities that could theoretically result in a breach or violation.
Step 2: Next you’ll list the threats you’re facing and decide how likely it is that each will occur. Consider:
Step 3: Assess the impact any of these occurrences or weaknesses could have. You’ll want to think in terms of:
Step 4: Now that you have a good idea of the risks you’re facing and how serious they are in each area, it’s time to assign numeric risk levels. By developing a matrix that plots impact (from negligible to critical to catastrophic) against likelihood (from unlikely to plausible to certain), you’ll rank each risk by where it lands in the grid – and can define corrective actions appropriate to each risk level, spending first on the cells at the top-right. A careful risk assessment illuminates weaknesses and points to the best practices that will strengthen your security. By thoroughly evaluating your risk, you can invest in a safer and more resilient future – and when an inevitable disaster or error happens, you’ll be glad you prepared.
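To make the four steps concrete, here is a small risk-register scorer written for this article; it is an added example, not a tool from the original post or from any vendor it mentions. It puts each risk on the article's likelihood and impact scales (the intermediate labels "possible", "likely", "minor" and "moderate", the 1..5 numbering, the score cut-offs for low/moderate/high/critical and the sample register itself are all assumptions chosen for illustration), multiplies the two ordinals, ranks the register, draws the likelihood × impact matrix, and lists which risks cross the threshold where a new control is required.

```python
"""Likelihood x impact risk matrix: score, rank and triage a small risk register.

Added illustration for the article's four steps. Scale labels beyond those the
article names, the 1..5 ordinals, the level cut-offs and the sample data are
assumptions, not an industry standard.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Ordinal scales (Step 2 and Step 3). Article names: unlikely/plausible/certain and
# negligible/critical/catastrophic; the other labels are assumed fillers.
LIKELIHOOD: Dict[str, int] = {"unlikely": 1, "possible": 2, "plausible": 3, "likely": 4, "certain": 5}
IMPACT: Dict[str, int] = {"negligible": 1, "minor": 2, "moderate": 3, "critical": 4, "catastrophic": 5}

# Step 4: bands over the 1..25 product. Cut-offs are an assumed convention.
LEVELS: List[Tuple[int, str]] = [(15, "critical"), (8, "high"), (4, "moderate"), (0, "low")]
LEVEL_ORDER = ["low", "moderate", "high", "critical"]


@dataclass(frozen=True)
class Risk:
    asset: str        # Step 1: what you are protecting
    threat: str       # Step 2: what could happen to it
    likelihood: str   # key of LIKELIHOOD
    impact: str       # key of IMPACT

    def score(self) -> int:
        """Numeric risk rating: likelihood ordinal times impact ordinal."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def level(self) -> str:
        return risk_level(self.score())


def risk_level(score: int) -> str:
    """Map a 1..25 score onto a named band (first band whose floor is met)."""
    for floor, name in LEVELS:
        if score >= floor:
            return name
    return "low"


def rank_register(register: List[Risk]) -> List[Risk]:
    """Highest score first; ties broken by asset then threat so output is stable."""
    return sorted(register, key=lambda r: (-r.score(), r.asset, r.threat))


def needs_control(register: List[Risk], minimum: str = "high") -> List[Risk]:
    """Risks at or above `minimum` level: the ones that justify a new control or BDR spend."""
    cutoff = LEVEL_ORDER.index(minimum)
    return [r for r in rank_register(register) if LEVEL_ORDER.index(r.level()) >= cutoff]


def matrix_counts(register: List[Risk]) -> Dict[Tuple[str, str], int]:
    """Number of risks in each (likelihood, impact) cell of the matrix."""
    counts = {(lk, im): 0 for lk in LIKELIHOOD for im in IMPACT}
    for r in register:
        counts[(r.likelihood, r.impact)] += 1
    return counts


def render_matrix(register: List[Risk]) -> str:
    """Text grid, most likely row on top, most severe column on the right."""
    counts = matrix_counts(register)
    width = max(len(k) for k in LIKELIHOOD)
    lines = [" " * width + " | " + " ".join(f"{im[:5]:>5}" for im in IMPACT)]
    for lk in reversed(list(LIKELIHOOD)):
        row = " ".join(f"{counts[(lk, im)]:>5}" for im in IMPACT)
        lines.append(f"{lk:>{width}} | {row}")
    return "\n".join(lines)


# Constructed sample register for a small healthcare shop (illustrative, not real data).
SAMPLE_REGISTER: List[Risk] = [
    Risk("patient-records database", "ransomware encrypts production and reachable backups", "likely", "catastrophic"),
    Risk("backup server", "restores never tested; backups silently unusable", "plausible", "critical"),
    Risk("staff laptops", "device lost or stolen without full-disk encryption", "likely", "moderate"),
    Risk("patient portal", "web framework months behind on security patches", "plausible", "moderate"),
    Risk("primary data center", "fire or flood takes the site offline", "unlikely", "critical"),
    Risk("office printers", "printed records left in the output tray", "possible", "negligible"),
]

if __name__ == "__main__":
    for r in rank_register(SAMPLE_REGISTER):
        print(f"{r.score():>2} {r.level():<8} {r.asset}: {r.threat}")
    print(render_matrix(SAMPLE_REGISTER))
    print("needs a control:", [r.asset for r in needs_control(SAMPLE_REGISTER)])
```

Running the script ranks the ransomware scenario first (4 × 5 = 20, critical), puts the untested backups and unencrypted laptops at 12 (high) and the data center fire at only 4 (moderate): the matrix makes it visible that the cheapest "catastrophic" headline is not the risk most worth the next dollar. Change the cut-offs in `LEVELS` to match your own appetite; the point is that the thresholds are written down and defended, not that these particular numbers are right.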