360 Degree Cyber Security, LLC

Have you addressed Information Risk?

No question about it. There are a lot of risks in running a business: cash flow, employees, suppliers, insurance, compliance, fire, flood, payroll, maintaining clients, gaining clients, and on and on and on. But what about Information Risk? I find that most businesses lump Information Risk into "if it works, why bother" or "I have IT handle it." However, few realize the importance of addressing information risk, and that by addressing it you may be helping to address other areas of risk and potentially reducing them.

There are seven common areas associated with information risk that, when evaluated, will help you focus your risk management.

Physical Damage – The container that contains your vital information is damaged.  The container could be your server, desktop computer, filing cabinet, desk drawer, or the box of receipts in the closet.

Humans – Humans are notorious for making mistakes; some make more mistakes than others. 🙂 Joking aside, humans (aka employees or the boss) account for a good portion of data loss. The loss could be unintentional or, as we have seen in the news, very intentional.

Equipment Malfunction – Ever have that cringing feeling as you hear your computer make some very weird noises and beeps?  Especially after you have been working on something major?  What do you do?  How do you recover that data?

Internal or External Attacks – We have seen the news about Target, Home Depot, Sony, Anthem, etc.  They all represent external attacks.  What about that disgruntled employee that can hack your server’s admin account?

Misuse of Data – Now that the employee has hacked your server, or maybe it is someone who already has access to the data, they copy any proprietary data that belongs to your business and run down the street to your competitor. This is a good example of theft and of how the data is being misused.

Loss of Data – This is where the crypto-locker ransom-malware comes into play. An employee unintentionally adds malware that encrypts the data, preventing you from getting to it unless, of course, you pay a ransom.

Application Error – This one almost got me a few years back. I had a tax preparer do what they do. When they were done, they said I owed the state nearly $5000. "There is no way that is correct," I told them. They said that is how their system calculated it. Ok. Fine. I didn't pay it. I sat down and reviewed the forms. It appears the application forgot to check mark a certain box and as a result I got $3000 back!

With the categories identified, we need to identify, bin, and evaluate the risks. Once that is complete, you can address the risks by applying controls to reduce, eliminate, transfer, or mitigate them. Identifying the risks may also help you address some of the other risks of running a business or, if not, at least take a bit of the stress off.

We, ItsEmc², can help you identify, bin, and evaluate your information risk. Contact us at info@itsemc2.com

About the Author

Chris Wolski is the founder and principal consultant of the small business and municipality focused cyber security firm 360 Degree Cyber Security, LLC. He is currently certified by the International Information System Security Certification Consortium as a Certified Information Systems Security Professional and by the SANS Institute as a Global Industrial Cyber Security Professional. Active in the information security community, Chris volunteers his time at BSides Delaware and to various individuals seeking to be mentored in cybersecurity. He is frequently researching industrial devices to discover weaknesses that would present a problem for users of those devices. Chris obtained his start in cyber security in the U.S. Navy, where he served in various information security and signals intelligence roles over his 20-year career. He left government service after serving in a position to develop cyber threat intelligence against industrial controls and later on the Joint Chiefs of Staff as a cyber incident handler. Chris has a Bachelor of Science Degree in Cybersecurity from University of Maryland University College and is currently pursuing a Master in Business Administration, also at the University of Maryland University College.