No question about it. There are a lot of risks in running a business. Cash flow, employees, suppliers, insurance, compliance, fire, flood, payroll, maintaining clients, gaining clients, and on and on and on. But what about Information Risk? I find that most businesses lump Information Risk into “if it works, why bother” or “I have IT handle it.” However, few realize the importance of addressing information risk, and that by addressing it, you may be helping address other areas of risk and potentially reducing the risk.
There are seven common areas associated with information risk. Evaluating each one will help you focus your risk management efforts.
Physical Damage – The container that contains your vital information is damaged. The container could be your server, desktop computer, filing cabinet, desk drawer, or the box of receipts in the closet.
Humans – Humans are notorious for making mistakes; some make more mistakes than others. 🙂 Joking aside, humans (aka employees or the boss) account for a good portion of data loss. The loss could be unintentional or, as we have seen in the news, very intentional.
Equipment Malfunction – Ever have that cringing feeling as you hear your computer make some very weird noises and beeps? Especially after you have been working on something major? What do you do? How do you recover that data?
Internal or External Attacks – We have seen the news about Target, Home Depot, Sony, Anthem, etc. They all represent external attacks. What about that disgruntled employee who can hack your server’s admin account?
Misuse of Data – Now that the employee has hacked your server, or maybe it is someone who already has access to the data, they copy proprietary data that belongs to your business and run down the street to your competitor with it. This is a good example of theft and of how the data is misused.
Loss of Data – This is where the crypto-locker ransom-malware comes into play. An employee unintentionally adds malware that encrypts the data, preventing you from getting to it. Unless, of course, you pay a ransom.
Application Error – This one almost got me a few years back. I had a tax-preparer do what they do. When they were done, they said I owed the state nearly $5000. There is no way that is correct, I told them. They said that is how their system calculated it. Ok. Fine. I didn’t pay it. I sat down and reviewed the forms. It appears the application forgot to check a certain box, and as a result I got $3000 back!
With the categories identified, we need to identify, bin, and evaluate the risks. Once that is complete, you can address the risks by applying controls to reduce, eliminate, transfer, or mitigate them. Identifying the information risks may also help you in addressing some of the other risks of running a business. If not, it may at least take a bit of the stress off.
We, ItsEmc², can help you identify, bin, and evaluate your information risk. Contact us at firstname.lastname@example.org