Myths of risk assessment

Human beings like to create myths to explain things they do not understand, writes Matt Middleton-Leal, GM EMEA at Netwrix Corporation, an IT risk assessment software company.

Before the Age of Enlightenment, for example, the Flat Earth theory, which imagined the world standing on the backs of four elephants, was a widely held belief. The reason so many people believed it was that no one could contradict it from personal experience.

IT risk assessment – a fundamental prerequisite for compliance with the upcoming EU General Data Protection Regulation (GDPR) – is equally subject to misconceptions. Too many organisations fall into the trap of believing one or more flawed assumptions, increasing the chances that their security measures will be undermined. The top myths that stop organisations from getting their security strategy right – along with industry best practice recommendations – are as follows:

1. Risk assessment – once is enough

Wrong. The cyber threat landscape will always change faster than your IT infrastructure’s ability to keep pace. Risk assessment should occur at regular intervals so that any security gaps can be identified and closed before a breach occurs. If possible, incorporate risk assessment into the daily routine.

2. Risk assessment is more trouble than it’s worth

Wrong. Risk assessment does not have to be complex or costly. Most of the time it is possible to assess risk using a simple matrix. Assigning a weight or value to each risk allows you to prioritize them according to their impact. Even classifying them as low, medium or high risk in an Excel spreadsheet can help you better understand what is important without the need to pay for extra software or consultants.
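A simple risk matrix of the kind described above, as an added example that is not from the article or from Netwrix: each risk gets a likelihood and an impact on a constructed 1–5 scale, the product is banded into low/medium/high, and the register is ranked by score. The band thresholds and the sample register are assumptions, not a published standard.

```python
"""Minimal risk matrix: score, band and rank risks from a small register.

Added example (not from the article or Netwrix). Likelihood and impact use a
constructed 1-5 scale; the band thresholds are assumptions, not a standard.
"""
from dataclasses import dataclass

SCALE = range(1, 6)  # 1 = very unlikely / negligible, 5 = almost certain / severe

# Assumed band thresholds on the 1-25 product score, checked highest first.
BANDS = (
    (15, "high"),
    (6, "medium"),
    (1, "low"),
)


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int  # 1-5
    impact: int      # 1-5

    def __post_init__(self):
        # Reject values outside the scale so a typo cannot silently skew the ranking.
        for value in (self.likelihood, self.impact):
            if value not in SCALE:
                raise ValueError(f"{self.name}: likelihood and impact must be 1-5")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


def band(score: int) -> str:
    """Map a product score onto the article's low/medium/high classes."""
    for threshold, label in BANDS:
        if score >= threshold:
            return label
    raise ValueError("score must be at least 1")


def prioritise(register):
    """Return risks sorted highest score first, ties broken by impact then name."""
    return sorted(register, key=lambda r: (-r.score, -r.impact, r.name))


def as_matrix(register):
    """Build the 5x5 grid (likelihood, impact) -> risk names, i.e. the matrix itself."""
    grid = {(lk, im): [] for lk in SCALE for im in SCALE}
    for r in register:
        grid[(r.likelihood, r.impact)].append(r.name)
    return grid


# Constructed sample register; the entries and their scores are illustrative only.
SAMPLE_REGISTER = [
    Risk("Unpatched internet-facing web server", 4, 5),
    Risk("Stale accounts of departed contractors", 3, 3),
    Risk("Lost unencrypted laptop", 2, 4),
    Risk("Office printer firmware out of date", 2, 1),
]

if __name__ == "__main__":
    for r in prioritise(SAMPLE_REGISTER):
        print(f"{r.score:>2} {band(r.score):<6} {r.name}")
```

The same three columns (score, band, name) are what you would keep in the spreadsheet the article mentions; the value of the code is only that the scoring rule and the band thresholds are written down once and applied the same way at every reassessment.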

3. I already keep everything under control, so risk assessment is not necessary

Wrong. In general, those who think they are secure tend to be most at risk. No matter how well you have secured your data, there may still be vulnerabilities you have not thought of. As in point one, your IT environment and the threats to it are constantly changing, so there’s no excuse for not performing risk assessments at regular intervals. Try to develop a healthy risk assessment routine that identifies new vulnerabilities and prioritises them. This will help you to adjust your security strategy continuously as you go along.

4. We do not process large volumes of data and are of no interest to attackers

Wrong. Enterprises already have sophisticated security measures. By contrast, small businesses have fewer resources available, which makes them likely to be vulnerable. Attackers know this. Any business, large or small, that handles financial or personal data is a potential target. From a cyber criminal’s perspective it makes no sense to go to a lot of effort to attack an enterprise when it’s easier to go after a smaller company. There may be less data to steal, but it still has value. In fact, some small companies handle extremely valuable information. For example, a small government contractor may have access to classified information on government projects. A small organisation like this is far more tempting than a large organisation that holds vast amounts of everyday emails and personal photos.

5. There is no real value in risk assessment

Wrong. In fact, risk assessment is a very powerful tool, especially if you are seeking management support for your cyber security initiatives. The 2017 Netwrix IT Risks Report revealed that 32% of IT pros blame senior management for insufficient support in allocating budgets to improve IT security or hire additional staff. Risk assessment helps you highlight risky areas to C-level executives and talk about the likelihood of data breaches and their financial consequences. Be specific and talk their language; it will help you justify any budget increases.

6. Security is already covered by our insurance

Wrong. You cannot rely on insurance to cover data breach costs. If an investigation reveals that a data breach was avoidable, you still risk fines and other sanctions. Moreover, insurance will not help you keep your job. If you hold a senior management position, the buck will stop with you. In the case of Equifax, the CIO, CSO and even the CEO all retired a few weeks after the breach was publicly announced.

7. Risk assessment is just another industry buzzword

Wrong. Risk assessment is an essential compliance procedure. It is central to many industry standards, including PCI-DSS, Basel II, ISO 27001 and GDPR. In PCI-DSS, risk assessments help retailers identify and understand potential threats to their cardholder data environment. Under the Basel II banking regulations, a financial institution must first assess its own risks. This assessment must then be double-checked by supervisors to determine whether the first assessment is reasonable. ISO 27001 requires firms to adopt a formal risk assessment methodology that involves senior management approval for baseline security criteria, risk scale, risk appetite and scenario-based risk assessment. And while GDPR does not specify how you should assess risks, it still requires controllers to “implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk,” as well as to “conduct data protection impact assessments for high-risk processing activities”.

In summary

Industry regulations are tightening, requiring all companies to adopt stronger security and data protection policies. Risk assessment is a basic requirement of many industry standards. Debunking popular myths has always been the best way to achieve progress. The concept of the Flat Earth was eventually proven wrong by Magellan’s circumnavigation of the earth. Thanks to regulatory progress, the old myths surrounding risk assessment deserve to be consigned to history in much the same way.
