Network risks come in all shapes and sizes. Power outages can cripple entire networks, hackers can infiltrate servers, malicious insiders can walk out with sensitive data on USB drives, and these are just a few of the real risks. With so many of them, it is hard to determine which risks a company can live with, which it cannot, and which can be managed by reducing them to an acceptable level.
It’s easy enough to pay for a backup generator to reduce the risk of a power outage, but what about spending to reduce the risk of hackers breaking into your network? That risk can never be reduced to zero, so you need to decide how much to spend to bring it down to an acceptable level, and before that, how to decide what an acceptable level of risk actually is. This tip explains how you can do this by conducting an enterprise security risk analysis.
This starts with determining the level of risk that is acceptable to the company. The acceptable level of risk should be set by management and based on the company’s legal and regulatory compliance responsibilities, its threat profile and its business drivers. The impact a risk would have on the business must also be considered, such as lost revenue, unexpected costs or the inability to continue production if the risk materialized. Information security professionals must act as intermediaries between the threats and management, explaining how the threats they highlight can affect business objectives, so that management can strike the right balance between security and acceptable risk.
For example, instant messaging (IM) can provide a huge productivity boost for certain businesses, but it opens the door to viruses and malware. Qualitative and quantitative analysis can determine IM’s business value versus the cost of virus infection and the cost of corporate IM servers to reduce virus risk.
But what if the number of IM threats increases dramatically? Companies using IM must then reassess whether their continued use of IM is still within an acceptable level of risk. If it is not, they have to decide whether to ban it, add further security controls, or simply raise security awareness among their employees. Every organization has its own risk measurement formula and methodology, but the decision-making process for assessing a particular risk should start with a security risk analysis.
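The quantitative side of the IM decision above can be worked through with the standard annualized loss expectancy formula (ALE = single loss expectancy × annualized rate of occurrence). The following is an added example, not code or figures from the original tip: the dollar amounts, the 75% reduction attributed to a corporate IM server, and the management-set acceptable ALE are all constructed placeholders. It also goes one step beyond the text by re-running the same assessment with a surge in threat frequency to show how a decision that was "mitigate" becomes one management must revisit.

```python
"""Quantitative risk analysis for the instant-messaging scenario.

Constructed example: every figure below is a placeholder, not real data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """One threat scenario expressed quantitatively."""
    name: str
    sle: float  # single loss expectancy: cost of one incident
    aro: float  # annualized rate of occurrence: expected incidents per year

    def ale(self) -> float:
        """Annualized loss expectancy = SLE x ARO."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    """A countermeasure with a yearly cost and the fraction of incidents it prevents."""
    name: str
    annual_cost: float
    aro_reduction: float  # 0.0 (no effect) .. 1.0 (eliminates the threat)


def residual_ale(risk: Risk, control: Control) -> float:
    """ALE that remains once the control is in place."""
    return risk.sle * risk.aro * (1.0 - control.aro_reduction)


def control_benefit(risk: Risk, control: Control) -> float:
    """Net annual benefit of the control: loss avoided minus what the control costs."""
    return risk.ale() - residual_ale(risk, control) - control.annual_cost


def assess(risk: Risk, control: Control, acceptable_ale: float, business_value: float) -> dict:
    """Compare inherent and residual risk with the management-set acceptable level.

    decision is one of:
      accept   - inherent ALE is already within the acceptable level
      mitigate - the control brings residual ALE within the acceptable level
      escalate - even with the control the residual ALE is too high; management
                 must choose between banning the service, adding further controls
                 or revisiting the acceptable level
    """
    inherent = risk.ale()
    residual = residual_ale(risk, control)
    if inherent <= acceptable_ale:
        decision = "accept"
    elif residual <= acceptable_ale:
        decision = "mitigate"
    else:
        decision = "escalate"
    return {
        "risk": risk.name,
        "inherent_ale": inherent,
        "residual_ale": residual,
        "control_benefit": control_benefit(risk, control),
        "net_business_value": business_value - residual - control.annual_cost,
        "decision": decision,
    }


# Constructed figures for the IM scenario (placeholders, not real data).
IM_RISK = Risk("malware via instant messaging", sle=8_000.0, aro=2.0)
IM_SERVER = Control("corporate IM server with content filtering",
                    annual_cost=10_000.0, aro_reduction=0.75)
ACCEPTABLE_ALE = 5_000.0      # set by management
IM_BUSINESS_VALUE = 50_000.0  # yearly productivity gain attributed to IM


def im_assessment(aro: float = IM_RISK.aro) -> dict:
    """Run the assessment; pass a higher aro to model a surge in IM threats."""
    risk = Risk(IM_RISK.name, IM_RISK.sle, aro)
    return assess(risk, IM_SERVER, ACCEPTABLE_ALE, IM_BUSINESS_VALUE)


if __name__ == "__main__":
    for aro in (2.0, 10.0):
        result = im_assessment(aro)
        print(f"ARO={aro:>4}: inherent ALE {result['inherent_ale']:>9,.0f}, "
              f"residual ALE {result['residual_ale']:>9,.0f}, "
              f"control benefit {result['control_benefit']:>9,.0f} "
              f"-> {result['decision']}")
```

With the baseline figures the corporate IM server pays for itself and brings residual loss under the acceptable level, so the answer is "mitigate". At five times the incident rate the control still avoids far more loss than it costs, and IM still has positive net business value, yet residual ALE sits well above what management agreed to accept; the model returns "escalate" because that threshold, not the control's cost-benefit alone, is what decides whether the risk is acceptable.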
The risk landscape is constantly changing and so is the business. For example, a company that decides to implement an online payment system is likely to increase the risk of network attacks, so it is necessary to have stronger perimeter defenses and security policies that protect payment systems from insider threats to reduce the risk to an acceptable level. It will also face the additional risk of non-compliance with the Payment Card Industry Data Security Standard (PCI DSS), an example of why any risk analysis must consider legal obligations and regulatory requirements, as well as incentives and business objectives.