Risks are seen as being a negative, but risks are just circumstances that if they occurred, would have some impact on the business.
Naturally risks can potentially disrupt the business, but if identified, planned for, and effectively managed, risks can have a beneficial impact on the business.
The key word here is managed – assuming something will not happen, just because it hasn't happened before isn't very helpful.
In a recent Information Security Breaches Survey, 65% of respondents said they would suffer a significant business disruption if their highly confidential information was misused or lost. The probability of suffering a significant business disruption represents a risk, but this risk only becomes a liability if it isn't managed effectively.
Interestingly in the same survey, less than 25% of the same respondents prevented unencrypted confidential data leaving their business on USB sticks. This doesn't appear to be a very effective management of the risk – but when questioned, the response is, 'we have always done it this way, and nothing has happened yet' - surely an accident waiting to happen!
In this scenario, having polices and procedures in place to cover data handling and storage, must not be seen as a problem, but an opportunity to demonstrate to your clients, how seriously you take the protection of their data.
Risk management is a systematic analysis for identifying and evaluating potential risks. The results of this analysis is then used to develop strategies that will attempt to minimize their occurrence, and in the worst case manage and control any disruptive consequences. Risk management can be broken down into three activities, namely assessment, implementation and monitoring.
Risk assessment deals with prioritising the uncertainties of the businesses activities, the possibility of these uncertainties occurring, their impact on the businesses day-to-day activities, and the development of strategies to control and minimize. So lets take the above scenario:
- Business activity; what is the benefit to the business of allowing confidential data to carried on USB sticks?
- Assessing probability; how often do your employees lose company USB sticks?
- Assessing impact; what level of business disruption/loss of reputation would you suffer if the USB stick was lost?
The type of strategy to be implemented and monitored, will of course be driven by the severity of the impact on the business. If the expected severity level is high, then one strategy could be to prohibit the use of USB sticks to carry confidential data.
However, if the expected severity level was low/medium, then you may ask, that when confidential data is required to be carried on a USB stick, then all data is to be encrypted.
Contingency plans deal with the actual occurrence of an incident, that is, if the USB stick with encrypted data was lost, what will the business do to mitigate that loss. However, the author has noted an interesting trend of ignoring the risk management bit, and having identified the risk, concentrate on developing contingency plans.
This is a 'Fools Gold' strategy – in all cases, it is more cost effective to use a risk management process to minimize/control a risk, rather than implement a contingency plan after the incident; horse, bolted, stable door spring to mind.