Why Risk Management Model Failed Us

[Figure: failed risk management model]

 

Why has Risk Management failed us?

Everywhere you see “Accept risks”, replace it with “Hacked computers”. JP Morgan proved this concept: even with a seemingly unlimited security and IT budget, some mistakes creep into the organization.

76 million accounts affected

Replace every box labeled “Monitor and manage risks” with “Computer hacked from the internal network”.

 

Here is the relevant passage from the Wall Street Journal article:

{Hackers appear to have originally breached J.P. Morgan’s network via an employee’s personal computer, a person close to the investigation has said. From there, the intruders were able to move further into the bank’s systems. Employees often use software to tap into corporate networks from home through what are known as virtual private networks.}

 

I wonder if your “extensive management crucial” box can defend against an infected or hacked computer in the internal network?

We must ASSUME the hacker is in the network already.

 

In theory, we protect the highest-risk and highest-impact computers, but they are not necessarily being protected from the inside and from all threats.

 

Why else have there been so many hacked networks? Because not all the computers are being protected as they should be, and inevitably somewhere someone makes a mistake, and then the hacker is in.

Once the hacker is in your network, it has been a fact of life that it takes 220 days to find the breach. In 7 months a hacker can crack the rest of the machines.

We must move to a different risk management model:

[Figure: systems engineering process]

 

 

The one where we replace the “Model the system” box with “All the computers, one at a time, no matter what”.

[Figure: risk management systems process]

It is really much simpler than the complex risk management process, and it is time for us to institute a simpler process, one that invites fewer errors and is easier to manage all around.

 

We can also insert steps such as “Test the machine with a Nessus or Qualys vulnerability scan every time a change is made” in the “re-evaluate” box.
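One way to check the "every computer, rescanned after every change" step, as an added example that is not from the original post. It assumes a machine inventory with last-change times and a per-host list of last scan times; the host names, timestamps and function names are constructed for illustration and are not Nessus or Qualys output.

```python
from datetime import datetime

# Constructed sample data: every machine in the inventory with the time of
# its last recorded change (patch, config edit, new software).
INVENTORY = {
    "hr-laptop-07": "2014-10-01T09:00",
    "db-core-01": "2014-09-12T22:30",
    "vpn-gw-02": "2014-10-03T14:15",
    "print-srv-03": "2014-08-20T08:00",
}

# Constructed sample data: time of the last completed vulnerability scan per
# host, in whatever form the scanner in use can export it.
LAST_SCAN = {
    "hr-laptop-07": "2014-09-28T02:00",
    "db-core-01": "2014-09-13T02:00",
    "print-srv-03": "2014-08-21T02:00",
    "unlisted-host-01": "2014-09-30T02:00",
}


def machines_needing_scan(inventory, last_scan):
    """Return {host: reason} for every machine that must be (re)scanned.

    No machine is skipped for being "low risk": each inventory entry is
    checked one at a time.
    """
    todo = {}
    for host, changed in sorted(inventory.items()):
        changed_at = datetime.fromisoformat(changed)
        scanned = last_scan.get(host)
        if scanned is None:
            todo[host] = "never scanned"
        elif datetime.fromisoformat(scanned) <= changed_at:
            # A scan at or before the change did not see the new state.
            todo[host] = "changed since last scan"
    return todo


def unknown_machines(inventory, last_scan):
    """Hosts that were scanned but are missing from the inventory."""
    return sorted(set(last_scan) - set(inventory))


if __name__ == "__main__":
    for host, reason in machines_needing_scan(INVENTORY, LAST_SCAN).items():
        print(f"{host}: {reason}")
    print("not in inventory:", unknown_machines(INVENTORY, LAST_SCAN))
```

Hosts returned by `unknown_machines` matter as much as the rescan list, because a machine nobody inventoried is a machine nobody is evaluating.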

 
