Part of efficiently running an organization is understanding and protecting its vital information, i.e. its ‘crown jewels.’ The crown jewels of an organization may include concrete information such as customer lists, billings, bank account information, processes, trade secrets … or they might relate to intangible concepts such as reputation and business relationships.
As royalty protects their crown jewels, so too must businesses. In 2017 alone, we have seen many, many data breaches that impacted businesses worldwide.
So, how do we protect our assets?
Two words: Risk Management.
If we use the example of the Target data breach in 2013, where customer credit card information was stolen at the point of sale, we can see that the company learned an $18.5 million lesson in the importance of data security.
Now, you might say: well, that’s data security and this is risk management. However, by properly evaluating risk, a company can take steps to protect valuable information and have a response plan in case of disaster. Just as businesses have procedures for fires and natural disasters, so too should they prepare for informational catastrophes.
Mitigating risk starts with identifying your ‘crown jewels’ and what could happen to them. This analysis needs to measure both the likelihood of a compromising event occurring and the depth of its impact should it happen.
Multiplying likelihood by impact gives you a working measure of risk. Once you have identified all the risks, you can assess each of them and decide how it should be managed.
Different methods of Risk Management can be easily kept in mind if you remember the 4 T’s: Treat, Terminate, Transfer, and Tolerate!
Treating risk means adapting your process to reduce the likelihood of a risky event, its impact, or both. The measure you put in place is called a “control”. For a retail example, let’s say there is a risk that your customers may have their bank information compromised by a skimmer secretly placed on a point-of-sale terminal. Your company can reduce this risk by accepting chip transactions only. Additionally, you might institute a process where terminals are physically checked for skimmers at the start and end of each shift. While the risk hasn’t completely gone away, as something may still slip past, it is far less likely with the added security controls.
To terminate the risk, your company would have to significantly adjust something in its process to completely eliminate the possibility of something important being compromised.
Transferring risk essentially means making the risk somebody else’s problem. A familiar example is insurance: by paying premiums, you transfer the risk of damage to your home or car to the insurer.
Finally, another option is simply to tolerate the risk. If you decide that you have done all you can to protect your crown jewels and minimize the risk to them, you can accept the risk and the gamble that comes with it. This, however, is always the last resort and should only be done with a true understanding of the full situation.
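To make the likelihood-times-impact scoring and the four treatment options concrete, here is a small risk register in Python. It is an added example, not code from the article or from Centry Global; the 1-to-5 scales, the risk tolerance threshold, the control reductions and the sample risks (built around the skimmer scenario above) are all constructed assumptions rather than values any framework prescribes.

```python
"""Toy risk register: inherent score, residual score after controls, and the 4 T's.
Added example; every scale, threshold and sample risk below is an assumption."""
from dataclasses import dataclass, field
from typing import List

# Constructed 1-5 ordinal scales (assumption: the article gives no scale).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Control:
    """A 'treat' measure: each control removes some steps of likelihood and/or impact."""
    name: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0


@dataclass
class Risk:
    asset: str                      # the crown jewel at stake
    event: str                      # what could happen to it
    likelihood: str                 # key into LIKELIHOOD
    impact: str                     # key into IMPACT
    controls: List[Control] = field(default_factory=list)
    transferred: bool = False       # e.g. covered by insurance
    terminated: bool = False        # the activity that created the risk was stopped

    def inherent_score(self) -> int:
        """Risk before any treatment: likelihood x impact."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def residual_score(self) -> int:
        """Risk remaining after controls. Never below 1 unless terminated,
        because a control rarely removes a risk entirely."""
        if self.terminated:
            return 0
        lik = LIKELIHOOD[self.likelihood] - sum(c.likelihood_reduction for c in self.controls)
        imp = IMPACT[self.impact] - sum(c.impact_reduction for c in self.controls)
        return max(1, lik) * max(1, imp)

    def treatment(self, tolerance: int) -> str:
        """Which of the 4 T's currently applies. 'tolerance' is the highest residual
        score the business accepts without further action (an assumed appetite)."""
        if self.terminated:
            return "terminate"
        if self.transferred:
            return "transfer"
        if self.residual_score() > tolerance:
            return "treat (needs more controls)"
        return "treat" if self.controls else "tolerate"


def build_register(tolerance: int = 6) -> List[dict]:
    """Constructed sample register for a retailer, sorted by residual risk, highest first."""
    skimmer = Risk("customer card data", "skimmer placed on POS terminal", "likely", "major",
                   controls=[Control("chip-only transactions", likelihood_reduction=2),
                             Control("physical skimmer check each shift", likelihood_reduction=1)])
    fire = Risk("store premises", "fire damages store", "unlikely", "severe", transferred=True)
    fax = Risk("customer lists", "faxed orders left on shared printer", "possible", "moderate",
               terminated=True)  # the fax process was discontinued, so the risk is eliminated
    review = Risk("reputation", "single negative online review", "almost certain", "negligible")
    rows = [{"asset": r.asset, "event": r.event, "inherent": r.inherent_score(),
             "residual": r.residual_score(), "treatment": r.treatment(tolerance)}
            for r in (skimmer, fire, fax, review)]
    return sorted(rows, key=lambda row: row["residual"], reverse=True)


if __name__ == "__main__":
    for row in build_register():
        print(f"{row['residual']:>2} (was {row['inherent']:>2})  {row['treatment']:<12} "
              f"{row['asset']}: {row['event']}")
```

Sorting by residual rather than inherent score is the useful part: the insured fire risk stays at the top of the list because transferring a risk changes who pays, not how likely or severe the event is, while the skimmer risk drops from 16 to 4 once the two controls are in place.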
That said, your company does not have to invent its own process for risk management. There are several formal frameworks in common use that can assist in creating a plan for this type of issue:
- NIST SP 800-30 Rev. 1 (Guide for Conducting Risk Assessments, from the United States Government)
- NIST SP 800-39 (Managing Information Security Risk, from the United States Government)
- OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation)
Remember that your business is only as secure as the steps you take to protect it!
This article was written by Kristina Weber and Dave Ehman of Centry Global.