
How exposed are you? Why you need a Security Risk Assessment

"By failing to prepare, you are preparing to fail." - Benjamin Franklin

"Risk comes from not knowing what you're doing." - Warren Buffett

Do you know how your organization protects confidential data? Do you know who has access to that data? Do you know where your data is kept? What controls are in place today to protect your data?

The key to protection from cybercrime is preparation. The right plan can help decrease your cybercrime risk and provide a softer landing after an incident. A Security Risk Assessment (SRA) is intended to provide a deeper understanding of the risks to the information, systems, and networks that support your business. The primary outcome of the SRA is an inventory of your business information and the controls you have in place to protect that information. Knowing your current situation, with a clear understanding of your vulnerabilities, is the key to preparing a plan. No business is perfect; every organization will have opportunities for improvement.

The SRA looks at how you protect data confidentiality, integrity, and availability. What data needs controls? Examples include trade secrets, employee PII (Personally Identifiable Information), and financial and client information. Some industries are cybercrime targets precisely because criminals want their client data.

What is the business impact of any unauthorized disclosure, change, or loss? Knowing this answer will help build a prioritized list for risk management consideration.

Do you have an Incident Response Plan? Do you have a named Security Officer - someone who will be your point person for any suspicious security events? What action is needed when a data breach occurs? Do clients need to be notified? When do you notify law enforcement? When do you contact your insurance provider?

Thinking about all of this in advance will help define your plan and lead to a more graceful recovery if your business falls victim to cybercrime.

The most important deliverables from a well-executed SRA are:

1. An inventory of your business information

2. Knowledge about who has access to that information

3. The significance of any loss or breach of that information

4. The controls you have in place to protect that information

Having this clearly understood will help you make decisions about any security exposures that need attention. At the end of the day, it's all about managing risk.
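The four deliverables above, plus the business-impact question raised earlier, are what a prioritized risk register is built from. The following Python script is an added illustration, not from the article: the asset names, access lists, impact ratings and controls are constructed sample data, and the scoring scheme (a 1..3 impact rating multiplied by a 1..3 likelihood estimate driven by missing controls and breadth of access) is an assumption for demonstration, not a standard methodology.

```python
"""Toy risk register built from the four SRA deliverables.

Added example, not from the article. All assets, accessor lists, impact
ratings and controls below are constructed; the scoring scheme is an
assumed simple impact x likelihood model.
"""
from dataclasses import dataclass, field

# Assumed 1..3 scale for the business impact of a loss, change or disclosure.
IMPACT_SCALE = {"low": 1, "medium": 2, "high": 3}

# Controls the assessment expects to find for sensitive data (constructed list).
EXPECTED_CONTROLS = {"encryption_at_rest", "mfa", "access_review", "backups", "logging"}


@dataclass
class Asset:
    name: str                      # deliverable 1: inventory of business information
    accessors: list                # deliverable 2: who has access (groups or roles)
    impact: dict                   # deliverable 3: impact of loss, keyed by C/I/A
    controls: list = field(default_factory=list)   # deliverable 4: controls in place


def inherent_impact(asset: Asset) -> int:
    """Worst-case impact across confidentiality, integrity and availability."""
    return max(IMPACT_SCALE[level] for level in asset.impact.values())


def control_gap(asset: Asset) -> set:
    """Expected controls that the asset does not currently have."""
    return EXPECTED_CONTROLS - set(asset.controls)


def likelihood(asset: Asset) -> int:
    """1..3 likelihood estimate (assumed scheme): missing controls raise it,
    and so does broad access, since more principals mean more ways in."""
    gaps = len(control_gap(asset))
    return 1 + int(gaps >= 1) + int(gaps >= 3 or len(asset.accessors) > 5)


def risk_score(asset: Asset) -> int:
    """Impact x likelihood, giving a 1..9 score."""
    return inherent_impact(asset) * likelihood(asset)


def rating(score: int) -> str:
    """Map the 1..9 score onto the three bands used in the register."""
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def prioritized_register(assets) -> list:
    """Rows ordered highest risk first; each row lists the missing controls,
    which is the concrete to-do list the assessment hands back."""
    rows = []
    for a in assets:
        score = risk_score(a)
        rows.append({
            "asset": a.name,
            "score": score,
            "rating": rating(score),
            "accessors": len(a.accessors),
            "missing_controls": sorted(control_gap(a)),
        })
    return sorted(rows, key=lambda r: (-r["score"], r["asset"]))


# Constructed sample inventory for a small business.
SAMPLE_ASSETS = [
    Asset("client_records", ["finance", "sales", "support", "contractors", "it", "exec"],
          {"C": "high", "I": "medium", "A": "medium"}, ["backups", "logging"]),
    Asset("payroll_pii", ["hr", "finance"],
          {"C": "high", "I": "high", "A": "low"},
          ["encryption_at_rest", "mfa", "backups", "logging"]),
    Asset("internal_wiki", ["engineering", "product", "support", "hr"],
          {"C": "medium", "I": "low", "A": "low"},
          ["mfa", "backups", "logging", "access_review"]),
    Asset("marketing_assets", ["marketing"],
          {"C": "low", "I": "low", "A": "low"}, ["backups"]),
]

if __name__ == "__main__":
    for row in prioritized_register(SAMPLE_ASSETS):
        print(f"{row['rating']:6} {row['score']:2}  {row['asset']:18} "
              f"accessors={row['accessors']}  missing={row['missing_controls']}")
```

Run as-is, the register puts client records first: the impact is high and three of the expected controls are missing, while the well-controlled but equally sensitive payroll data lands second with a single gap (periodic access review). That ordering, and the per-asset list of missing controls, is the decision input the paragraph above refers to.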

Why do you need a Security Risk Assessment (SRA)?

• Clarity and understanding of your current risk

• Inventory of business information

• Satisfy current or future clients' requirements for an SRA. For example, medical or financial clients may require that security measures be in place at all their business partners.

• Satisfy your cyber insurance carrier's requirements when making a claim

• Identify any significant issues needing immediate attention with easy, low-cost solutions.

Deb Reiter is CEO and chief technology advisor of CMIT Solutions of The Tri-Cities in Geneva. Contact her at (630) 444-7119 or dreiter@cmitsolutions.com
