In the previous articles we discussed the human element of security, perimeter network security, and internal controls. To wrap up the Protect Your Business series, I want to discuss the importance of risk assessments to a business’s security strategy.
When comprehensive risk assessments are not performed, I often see well-intended controls rolled out with critical flaws in the implementation. Examples include:
- We implemented encryption on all company computers, but lack controls around the encryption key and employee training on key management.
- We protect our wireless with WPA2/PSK, but employees write the password on sticky notes in their offices.
- We allow guests to access our wireless network, and it is password protected; however, once connected, guests are on our internal network.
Each one of the above examples represents a control that was implemented to address a security objective; however, if a risk assessment had been performed as part of the implementation plan, the risk areas would have been identified and addressed to strengthen the primary control instead of weakening its efficacy.
There are several IT governance and risk assessment frameworks (including COSO and COBIT) available and I recommend that you research how these could strengthen your design of information security controls. In this article, I will present a high level framework for designing controls.
Every control should have a specific purpose. When controls are superfluous, they can slow down business operations and result in increased expenses and lost efficiencies. The first objective in designing a control is to identify the asset that needs protection. It is important to be specific, as different types of information often require varying levels of protection and are governed under different regulations. Examples include, but are not limited to, client information, employee records, or business-sensitive data (e.g., financials and intellectual property).
Once the asset is identified, the environment surrounding it must be explored in order to evaluate inherent environment risks, possible attack vectors, and variables that could affect the performance of any controls that might be implemented. The opportunity for security breach is increased if a firewall is located in an unlocked data closet without any form of detective or preventative controls over the environment. The environment a control resides in and how it is implemented are crucial to the control’s effectiveness. Ensure that this aspect of the risk assessment is not overlooked.
The importance of the asset and the risk of it being compromised is what drives the need for effective controls. Identifying risks such as PR damage, opportunity loss, revenue loss, fines, and legal fees helps management quantify risk and assign appropriate resources to design controls commensurate with the risk to an asset. To quantify risk, consider the following formula:
Risk = Threat Frequency (TF) * Probability of Occurrence (PO) * Cost of Impact (CI)
Threat Frequency (TF) is the frequency of threats with a potentially adverse impact. Probability of Occurrence (PO) refers to the likelihood that a particular threat is acted upon. Cost of Impact (CI) is the total cost related to a particular threat. As an example, let’s look at the risk related to a successful phishing email. Suppose 7 out of every 100 employees click on a phishing email per day and inadvertently download a Trojan or virus. Our TF would then be 7% per day.
Since phishing emails are a common attack, let’s assign PO a value of 90%. For cost of impact, let’s assume the only cost is the time/labor required to clean the employee’s computer. If it takes a skilled technician 15 minutes to clean the computer and the technician’s cost is $95 per hour, the technician-related cost is $23.75. However, we need to add the employee’s 15 minutes of lost productivity at their rate (let’s use $125 per hour), which equals $31.25. Together, the cost of impact per occurrence is $55.00. So our risk in this example is:
Risk = 7% * 90% * $55 = $3.47
Over 365 days, $1,265 is our yearly risk for phishing email threats. It is important to note that the costs I used in this example are low, and the data is meant only to explain how the risk formula works.
When evaluating the asset and its operating environment, note any existing controls in place. Are they automated or manual? What threats do they address, if any? Are they effective or redundant? Do the existing controls sufficiently bring your risk exposure down to tolerable levels? These are all important questions to ask when evaluating whether more controls are necessary. If you are placing complete reliance on a single control for an asset, what happens if the control fails? What is the business impact of that control failure? Does it affect the integrity of any other controls? Evaluating these questions and documenting your responses is all part of the risk assessment process. It is common practice to design secondary (mitigating) controls to support primary controls, so that in the event of a primary control failure the design still greatly reduces the risk of asset compromise.
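As an added example (not code from the article), the following Python encodes the Risk = TF * PO * CI formula, reproduces the phishing figures above, and then models how an existing or proposed control changes the exposure by trimming one or more factors, which is the question the previous paragraph asks. The per-factor reductions, the 50% figure for awareness training, and the function names are assumptions for illustration only.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Threat:
    """One threat against an asset, with the three factors of the risk formula."""
    name: str
    tf: float  # Threat Frequency: fraction of the population hit per day (0.07 = 7%)
    po: float  # Probability of Occurrence: likelihood the threat is acted upon
    ci: float  # Cost of Impact: dollars per occurrence

    def daily_risk(self) -> float:
        # Risk = TF * PO * CI, exactly as stated in the article
        return self.tf * self.po * self.ci

    def annual_risk(self, days: int = 365) -> float:
        return self.daily_risk() * days


def labor_cost(minutes: float, hourly_rate: float) -> float:
    """Cost of a block of someone's time at an hourly rate."""
    return minutes / 60 * hourly_rate


def apply_control(threat: Threat, tf_cut: float = 0.0, po_cut: float = 0.0,
                  ci_cut: float = 0.0) -> Threat:
    """Model a control as a fractional reduction (0..1) of one or more factors.
    This is a modelling assumption added here, not something the article defines."""
    for cut in (tf_cut, po_cut, ci_cut):
        if not 0.0 <= cut <= 1.0:
            raise ValueError("reductions must be fractions between 0 and 1")
    return replace(threat, tf=threat.tf * (1 - tf_cut),
                   po=threat.po * (1 - po_cut), ci=threat.ci * (1 - ci_cut))


def phishing_threat() -> Threat:
    """The article's worked example: 7% of staff click per day, PO 90%,
    CI = 15 min of a $95/h technician + 15 min of a $125/h employee."""
    ci = labor_cost(15, 95) + labor_cost(15, 125)  # $23.75 + $31.25 = $55.00
    return Threat("phishing email success", tf=0.07, po=0.90, ci=ci)


def prioritize(threats: list[Threat]) -> list[tuple[str, float]]:
    """Rank threats by annual risk so resources go where the exposure is highest."""
    return sorted(((t.name, round(t.annual_risk(), 2)) for t in threats),
                  key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    phishing = phishing_threat()
    # Assumed for illustration: awareness training halves the daily click rate (TF)
    trained = replace(apply_control(phishing, tf_cut=0.5), name="phishing after training")
    for t in (phishing, trained):
        print(f"{t.name}: ${t.daily_risk():.2f}/day, ${t.annual_risk():,.2f}/year")
```

Running the block prints the article's $3.47/day and roughly $1,265/year for the untreated case, followed by the residual figures after the assumed training control.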
Designing, implementing, and maintaining an effective control environment is not a static exercise. Once your controls are where you want them, the maintenance cycle begins. The controls and their operating environment need to be reviewed regularly and evaluated for performance and for revision where necessary. In the ever-changing technology industry, we cannot afford to implement a control and simply leave it alone, expecting what might have been sufficient security today to protect us against next year’s threats and technology advances.
In closing, my hope is that the small business community will take a proactive stance towards information security. Well-designed controls can improve operating efficiency and take security from being a cost center to an indirect profit component. The ideas above are meant to start your thinking about what a risk assessment for your company would look like. If security becomes part of your culture so that control consideration becomes instinctual rather than a knee-jerk reaction, you are well on your way!
