There is a lot of truth in the axiom: To manage risk, it first must be understood.

“Clear thinking about risks based on a thorough understanding of the environment and current knowledge of the threat landscape drives an intelligent, well-founded information security strategy,” writes D.J. Vogel, partner, Security and Compliance at Sikich, an accounting, advisory, technology and managed services firm. “An informed strategy helps fulfill both compliance objectives and broader security goals.”

IT risk assessments gain acceptance

Risk assessments have been used by company management to determine which is more detrimental: the cost of preventing a risk from occurring vs. the cost of recovering from a potential risk. As IT moves to mission-critical status and bad guys have their way with the digital assets of companies, adding IT to the list of areas needing regular risk assessments is gaining acceptance.

SEE: Data breaches may cost less than the security to prevent them

One reason for the rapid affirmation of IT risk assessments is the speed at which malicious activity happens. There is never enough time to consider all the ramifications during an attack. Vogel, for example, uses a data breach to point out risks that may be overlooked when scrambling to recover and getting back to normal operating conditions:

  1. What data is valuable to our consumers and/or members?
  2. What would happen if we were [i.e., the organization] in the news for a data breach, even if the data lost was meaningless?
  3. What legal liability do we have if something happened to the data?

“It is vital that a risk assessment includes all systems critical to operations or that contain sensitive information,” writes Vogel. “Additionally, a risk assessment should include an assessment of the operational processes and procedures used to maintain and operate the systems. These processes often affect more than one system and can introduce additional risk to your organization.”

The questions that need to be asked

The Online Trust Alliance (OTA), well aware of the importance of risk assessment, in the organization’s 2016 Data Protection and Breach Readiness Guide devotes an entire section to the topic. “Risk assessments are critical…,” mentions the guide. “Increasingly, organizations and their executives are being held accountable and facing lawsuits for the failure to uphold fiduciary duties.”

In coordination with the Department of Justice, the OTA authors have compiled a guide for company managers who are responsible for legal and compliance risks. “While organizations may also consider other key questions, these lists have been developed to help organizations complete a basic risk assessment of their infrastructure and privacy practices as they apply to their business sector(s) and operating geographies,” explains the guide.

The OTA guide authors agree with Vogel on the importance of risk assessments and the need for them to be conducted on a regular basis, adding, “A complete and objective review of these audits serves as the foundation for developing an effective data security and response strategy.”

The list of questions created by the OTA authors are detailed and broken into three categories: board officers and investors, operational risk assessment, and third-party risk assessment. Below are some of the questions directed at the organization’s management. Assessment Guides for operational and third-party risks can be found on this web page.

Questions for board officers and investors

  1. What makes our company or service an appealing target for hackers and cybercriminals?
  2. What is the worst-case scenario; what are our principal assets and “crown jewels” that could be compromised?
  3. What will be the impact if we are targeted and:
    – the breach is made public?
    – data is held for ransom?
    – our corporate or consumer data is destroyed?
  4. Is there a valid business reason for retaining existing information and the collection of new data?
  5. What are our data minimization and destruction policies and procedures?
  6. Is our cyberinsurance coverage adequate? Have we completed a coverage gap analysis, and do we fully understand the exclusions? Are we prepared for regulatory enforcement and lawsuits?
  7. How current, complete, and tested is our data breach incident plan?
  8. Are we using industry best practices, and do we adhere to a cybersecurity framework reflecting our current countries of operation and types of business operations?

Sikich’s Vogel offers some final advice, “By considering all avenues and weighing decisions based on analyzed risk, a risk assessment empowers organizations to make better-informed decisions.”