360 Degree Cyber Security, LLC

Risk – How do you know?

Risk – How do you know?

It is a simple question that is asked when someone needs proof that some piece of knowledge needs to be validated in some way and typically leads to follow-on questions.

So, when it comes to information risk let me ask you… “How do you know?”

How do you know what is the risk to your technology infrastructure or the information that you use? Have you identified the risk to your business? Identifying risk will help your organization (micro, small, medium, to mega sized) begin to prepare to address the risks that can present themselves to your business. In some industries, there are mandatory requirements to address risk via a risk assessment (HIPAA, PCI, etc).

The process of assessing risk is straightforward. To begin, identify what you have that could be at risk (databases, intellectual property, web site, servers, computers, users, network, etc.) Of those items, if something were to happen to them, what would be the impact? The loss of a laptop might not be considered, but what if that laptop had confidential or health care related information on it? Then the impact would be high.

In order for risk to be realized against those devices, there needs to be a vulnerability. A vulnerability is a weakness that would allow a threat to be successful in disrupting the organization. Vulnerabilities come in different forms. They could be a vulnerability in the computer’s operating system or software. They could be in a physical form, for example having a customer service window that would allow access to information or devices nearby.

Once you have identified what could be at risk and the associated vulnerabilities, think about what might disrupt your business operation or affect the business’ brand if those items have vulnerabilities that are subject to various types of threats. Identifying the threats can be the fun part. For example an attack by Godzilla or aliens from Mars. Yes those are unrealistic and the risk from those particular threats are extremely low if not zero. So they are discounted. However realistic threats to your business may come in the form of examples listed below. Don’t forget that the threat can be accidental or intentional, include both types of threat when identifying risk. There can be many more than that, it is up to you how far to go in identifying the threats.

  • Environmental
    • Fire
    • Flood
    • Tornado
  • External
    • Hackers
    • Vendors
    • Customers
    • Criminals
  • Internal
    • Employees
    • Equipment failure.

This is just the first part in dealing with risk. Identifying the what, how, and why of risk to your business critical information is followed by addressing the risk and then making a determination on those items that can’t be addressed.

About the Author

Chris Wolski author

Chris Wolski is the founder and principle consultant of the small business and municipality focused cyber security firm 360 Degree Cyber Security, LLC. He is currently certified by International Information System Security Certification Consortium as a Certified Information Systems Security Professional and by the SANS Institute as a Global Industrial Cyber Security Professional. Active in the information security community, Chris volunteers his time at BSides Delaware and to various individuals seeking to be mentored in cybersecurity. He is frequently researching industrial devices to discover weaknesses that would present a problem for users of those devices. Chris obtained his start in cyber security in the U.S. Navy where he served in various information security and signals intelligence roles over his 20 year career. He left government service after serving in a position to develop cyber threat intelligence against industrial controls and later on the Joint Chiefs of Staff as a cyber incident handler. Chris has a Bachelor of Science Degree in Cybersecurity from University of Maryland University College and is currently pursuing a Master in Business Administration, also at the University of Maryland University College.

Leave a Reply