Do you want to use the Internet? Computers? Tablets? Cellphones?
There is no device created that is 100% secure with no risk.
So now what?
Risk management – is what we are supposed to do, where the risk of using something is lower than the value of using it. For example: using a computer for business reasons is worthwhile when the cost to keep it safe is relatively low (own a firewall, anti-virus software and more)
Let’s use a different example. what about if a business has highly confidential banking transactions to perform that are worth hundreds of thousands of dollars? Now the risk of using the computer and getting infected by malware or other viruses even if low likelihood the impact would be high. Since Likelihood*Impact = Risk
Low*High= higher risk than
Low * Low = Low or
Low* Med =Medium-Low
If Likelihood is High then a small impact is bad too.
High*Low = High risk
For High likelihood and medium or high impact it is lights out for many organizations.
High*High = Bad … very bad
This Risk matrix has to be set up to analyze the Risk management of your business.
Paul Holland also discusses this in Bsides London “Understanding your business risks are key”
Paul also discusses ‘Things to consider when making decisions on risk appetite’
- What kind of loss would you deem materially damaging (impact)?
- What can you live without and for how long(impact)?
- What information must not fall into the wrong hands(impact)?
- How do you protect your information?
So if you are a business owner or CEO, CFO, CIO then you have to answer the subjective risk questions honestly.
So if you are spending 10% on security and you have millions of dollars in risk impact, should you spend 11% on security? This is a difficult question to answer. Since we cannot be 100% secure. Where do we spend money to improve security? Because of the law of diminishing returns works on everything. Sometimes more money spent is not going to be a major change, just an incremental one.
The above image is useful in letting us know when we should re-evaluate our risk profile. External changes or internal changes should cause you to re-do your matrix.
Internal:
- Changing markets
- New business areas
- New Leadership
- Change in risk appetite
- Cloud adoption (major technical changes)
- Supply chain risks
External
- New vulnerabilities
- Political changes (local, state, national, international)
- Regulatory changes
- New technology (quantum breaks encryption — AI makes attacks more sophisticated)
We all know attacks are more sophisticated, since the criminals want to attack more people with new methods to make more money every year.
Talking to an expert to navigate this huge moving target is a good idea:
Contact Us to discuss