Let’s imagine your business is located in a crime-stricken suburb. Given the realities of owning a business in this location, you’ll know that there’s a chance that someday someone might break into your offices. So what do you do? Well, if finding new office space isn’t an option, you make arrangements to manage the risks. Perhaps you install an alarm, put up an electric fence and hire a security guard.
The evolution of organised crime into the digital world has rapidly progressed into the mainstream, with cybercrime losses costing organisations billions of rands each year. The reality is that any and all businesses face risks. The trick is to know what they are so that you can guard yourself against them. The risks associated with cybercrime should now be added to one’s risk management methodology.
Typically, organisations would have some sort of comprehensive enterprise risk management framework. However, for immediate risk assessment, we have compiled a five-step plan that will help your organisation lay the foundation for a successful security strategy.
Collect and assess information
The first step is to take stock of your business’ resources: understand what hardware, software and data assets you have. Once you know what you have, you need to discern which of these things are business critical. To do so, think about what your business’ key objectives are and which assets are essential to meeting those goals in line with your business strategy. This will probably be the longest step in the process, but being as comprehensive as possible lays the foundation for deriving real value from a security risk assessment.
What are your greatest threats and vulnerabilities?
So now that you know what you have and what you need to secure, it’s important to understand what may be considered a threat to your organisation. Remember that business we mentioned above? Its location in a crime-ridden area would be considered a threat. You should also assess any vulnerabilities you may have. Once this step of the security risk assessment is completed, you should have a detailed list of your potential threats and how your vulnerabilities could expose you to greater risks.
Estimate the impact
This step in the process requires that you forecast what could happen to your business if each of the threats became a reality, and classify the impact as low, medium or high. What adverse impact would a robbery, data breach or system downtime have on your business and your brand? Security-related incidents are usually classified in terms of how the event affected integrity, availability and confidentiality. There are qualitative and quantitative approaches and methods to assist you with this.
Review and plan the controls
Now that you’ve determined how bad things could get, it’s time to plan how to prevent things from ever getting that bad. What strategies and controls could you implement to mitigate or eliminate the identified risks? You’ll never be able to completely obliterate all risks, but the aim is to reduce risks to a manageable level. Security policies and controls outline the specific responsibilities of different groups of people, from the procurement and setting up of new infrastructure to the implementation of new processes.
Tools and techniques to aid security
Now that you know what could happen if things go wrong and how you want to prevent that from happening, it’s time to decide what tools and techniques you’ll be using to mitigate threats. This part of the security risk assessment is about getting down to the nitty-gritty of IT security. How will you implement password systems? What tools will be used to automate data backups? And what techniques will you employ to manage user accounts? This is when you need to find the right solutions and procedures to match your company’s unique requirements.
Lastly, ensure continuous monitoring (controls, threat assessment and risk analysis) and repeat this cycle periodically, because threats are evolving rapidly.
If you’re still unsure why you need to be worrying about security in the first place, it’s probably a good idea to do some homework. Luckily, we have an eBook that’ll help you: download our IT Security Trend Report.