Understanding your organisation’s exposure to risk is fundamental to business continuity and information security best practice. By identifying all risks, businesses are able to implement proactive defences and prepare contingency plans in the event that those defences are breached.
When applied to information security, taking a risk-based approach helps business managers to prioritise security investment, monitor the changing threat landscape, allocate responsibilities and drive accountability.
Rather than taking a purely technical approach, where a weakness is identified according to textbook theory, a risk-based approach starts with a threat and risk assessment and links the security programme tightly to business objectives, business processes and the value of the associated information and data.
The risk assessment enables the creation of a risk register, which lists all of the identified threats to the business, along with an assessment of the likelihood of their occurrence and their potential impact. The risk register also contains a list of countermeasures for each risk and assigns responsibility for managing each risk to a member of the management team.
The first step to developing an IT risk register is to undertake an audit of existing information assets that the organisation is responsible for and then to prioritise the protection of those assets that are identified as being business-critical.
Decisions regarding the IT and information security issues that require most attention very much depend on the organisation and its critical operations. Priorities can only be determined by undertaking a formal Threat and Risk Assessment.
This does not have to be as daunting as it sounds. It entails identifying the most important information assets and the criticality of those assets (the impact of them being unavailable), the potential threats to those assets and the likelihood of them being realised. Existing controls are then ‘subtracted’ to ultimately determine residual risk.
Risks might include something as simple as a power cut or flooding of the server room, through to spear phishing attacks on key personnel, or being targeted with state-sponsored malware.
Taking a risk-based approach allows business managers to prioritise what is needed in terms of additional controls that can mitigate risk. These additional controls may be physical, technical, policy-based, or procedural.
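As an added illustration (not from the article) of how the assessment described above becomes a register: each entry records the asset, the threat, likelihood, impact and an accountable owner; existing controls are "subtracted" to give a residual score, and the risks still above the organisation's risk appetite are prioritised for additional controls. The 1-5 scales, the product scoring and the per-control reductions are assumptions made for the example, not something the article prescribes.

```python
"""Toy risk register: inherent vs residual risk scoring (illustrative only).
Assumed scheme: likelihood and impact on 1-5 scales; inherent = product;
controls knock points off either scale (floored at 1); residual = product."""
from dataclasses import dataclass, field


@dataclass
class Control:
    name: str
    likelihood_reduction: int = 0  # points removed from the 1-5 likelihood
    impact_reduction: int = 0      # points removed from the 1-5 impact


@dataclass
class Risk:
    threat: str
    asset: str
    likelihood: int   # 1 (rare) .. 5 (almost certain)
    impact: int       # 1 (negligible) .. 5 (business-critical outage)
    owner: str        # management team member accountable for this risk
    controls: list = field(default_factory=list)

    def inherent(self) -> int:
        return self.likelihood * self.impact

    def residual(self) -> int:
        # "Subtract" existing controls, never dropping below 1 on either scale.
        lik = max(1, self.likelihood - sum(c.likelihood_reduction for c in self.controls))
        imp = max(1, self.impact - sum(c.impact_reduction for c in self.controls))
        return lik * imp


def prioritise(register, appetite):
    """Risks whose residual score still exceeds the organisation's risk
    appetite, highest first: these are the ones needing additional controls."""
    above = [r for r in register if r.residual() > appetite]
    return sorted(above, key=lambda r: r.residual(), reverse=True)


# Constructed sample register using the article's example threats.
REGISTER = [
    Risk("Power cut", "server room", 4, 4, "Head of Facilities",
         [Control("UPS and generator", impact_reduction=3)]),
    Risk("Flooding of server room", "server room", 2, 5, "Head of Facilities",
         [Control("Off-site backups", impact_reduction=2)]),
    Risk("Spear phishing of finance staff", "payment systems", 5, 4, "CFO",
         [Control("Awareness training", likelihood_reduction=1)]),
    Risk("State-sponsored malware", "R&D file server", 3, 5, "CISO"),
]
```

With a risk appetite of 6, only the spear phishing and state-sponsored malware entries remain above the line, which is exactly the kind of output that directs where additional controls are needed.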
While some priorities are likely to be the same, such as improving security education and awareness for employees, different organisations will have a completely different threat profile, risk appetite and existing controls. A priority for one organisation may not even be on the risk register for another.
As the threat landscape changes, the risk register will also need to be updated. For example, it is only in recent years, and as a result of high-profile security breaches, that organisations have begun to teach staff how to recognise and avoid social engineering and spear phishing attacks.
The weak point in any security ecosystem is most likely to be people. Evidence has shown that employees often fall for highly targeted attacks, particularly when these attacks include well-thought-out social engineering elements. Risk can be reduced through awareness and education, but a level of residual risk will always remain, since cyber criminals are constantly evolving new ways to target organisations. State and criminal actors are acutely aware of this.
Although the two are often linked, it is important to note that compliance differs from security. Some standards, legislation and regulations address risks to information assets, but many do not. The Payment Card Industry Data Security Standard (PCI DSS), for example, is one that does: it was developed after an in-depth assessment of all of the known and potential threats to the security of cardholder data.
Being compliant with a non-prescriptive standard, such as the Data Protection Act, which simply states that you must ensure ‘adequate security’, does not necessarily mean your organisation’s information assets are secure. Compliance is often more about ensuring that sound business processes have been implemented to a standard benchmark. As stated earlier, the risk register of each business will be different, so a compliance framework designed to fit all organisations will not necessarily address the particular risks faced by your organisation.
The difference between compliance and security explains why leading organisations are taking a risk-based approach to security: one that scopes and addresses the individual threats associated with their business, their location, and their customers and partners, and puts plans in place for how to respond in the event that the worst happens. This approach is far more proactive and effective, and less risky, than simply putting ticks in compliance boxes and then forgetting all about it until the auditor comes knocking.