It’s completely acceptable and a lot of fun each year to take some risks and place some bets when the Kentucky Derby is run. The riskiness of the horse you choose is usually based on a personal hunch, minimal research or discussions with a spouse, family or friends. The amount of loss is known up front and may or may not have anything to do with the riskiness of the horse selected.
If only all risk assessment were so easy. Real-life risk assessment, as it relates to your company’s information assets, is a very complicated issue. Here are some basic points to consider when trying to protect (that is, mitigate the risk to) information assets such as documents and data. Avoiding a data breach is a bet you really want to win.
Start with the basic process of understanding what data you have and what its value is to the organization. The social security numbers of all of your employees or customers are high-value data. The part numbers of all the products you carry are not very high in value, but the design drawings or intellectual property behind those parts might be. Segregate your information into buckets of high, medium and low value.
Next, look at the form of that data and where it is stored. Start with paper documents. They are relatively secure, especially in a protected environment such as locked file cabinets with fire suppression protection, and mainly because it is too much work for data thieves to comb through documents; they would rather steal a nice spreadsheet. Most data today is digital, so find out whether it is inside or outside your firewall. Which is more secure can be debated, but start by understanding where the data is located.
Another key to risk analysis is understanding what the risks are. Is the only risk theft by a dark web participant? Could there be risk from internal theft? How about the risk that information is accidentally lost, shared or destroyed? Is there a risk that a procedure was put in place to process information more efficiently, but actually increased the risk of data loss?
Design processes to be efficient, but always consider the risk impact. Create procedures to mitigate risks, then follow up on those procedures to make sure they are being adhered to. For instance, all databases containing social security numbers must have those data fields encrypted. That is a good requirement for mitigating risk. Now add a standard procedure for someone to test that on any new database that is implemented. That is a proper risk mitigation strategy.
Once you understand the data you have and assign value to that information, you can start to understand the risks associated with it. Then design processes and procedures to mitigate those risks. It is not as fun as placing a bet and winning at your favorite Derby party, but lowering your data breach risk is a huge win.
Millennia Group provides workflow and document management solutions in a secure SaaS model. For more information - www.mgdocs.com, firstname.lastname@example.org or (630) 279-0577.