Just getting out of bed every day is fraught with risk. What if you slip in the shower? Burn your mouth on hot coffee? Get in a car accident commuting to work? If people actually considered all the risks of a typical day, few of us would ever get out of bed. So, as a rule, we tend to ignore them and get on with life.
That’s one reason it can be difficult for businesses to properly evaluate the risks they face every day: it’s just human nature.
“Most companies don’t do a good job of identifying IT risks. Instead, they tend to justify the security features already in place,” says Peter G. Neumann, principal scientist at not-for-profit scientific research institute SRI International’s computer science laboratory and author of Computer-Related Risks (Addison-Wesley, 1995), a seminal work on the subject.
To carry out an effective risk assessment, check your assumptions at the door and take a few tips from the experts.
- Create a sense of urgency: IT security risks are real and exist in your organisation right now, and their effects are even more real. Loss of business or productivity due to system downtime, liability for security breaches that may expose customer or business partner data, or fines for regulatory violations can cost you dearly. Then there’s the long-term impact on brand, market share and exposure to potential lawsuits.
- Start by clearly defining and articulating your security goals: Many risk assessments are doomed from the beginning because security requirements and goals are not identified at the outset. Before performing a risk assessment, it’s important to take the time necessary to specify your security requirements. These should include not only all your security concerns – such as physical facilities, account and password management, virus protection, data backup and recovery, and the like – but also issues like system availability, system performance and regulatory compliance.
- Anticipate all risks: A thorough risk assessment should consider all possibilities, even the crazy ones. Aside from the common threats – viruses, hardware failure, power outages – consider the obscure ones, too. Could a squirrel chew through overhead cables? What about a gas leak in the server room? You could get very creative coming up with all the possible ways your IT systems can fail. The best approach is to find a systematic way of covering the entire breadth of your IT program, including such factors as hardware, software, Web applications, operating systems and environmental problems, for a start.
- Take a long-term view: The IT environment is continually changing, so assessments should be performed regularly to stay on top of new threats. And don’t forget the development level. The benefits of developing secure applications and systems from the code level – rather than trying to patch security flaws later – far outweigh any short-term benefits gained by rushing a system into production.
- Consider the human element: Assume that human error will occur and incorporate processes to compensate. Also, make sure all your personnel are aware of IT risk as well as their responsibility in implementing security measures. Assign accountability. Implement security training. Make risk management a fundamental organisational goal that is shared by employees and supported by management.
There is no one-size-fits-all risk assessment, but there are good resources to help you structure your program. Here are a few to get you started: