The Ins and Outs of Cybersecurity Risk
By Eric Buzz Hillestad
Hackers are taking over point-of-sale systems by compromising HVAC systems through social engineering emails. Fraudsters are compromising Electronic Health Record systems to use the collected information to commit medical identity theft and steal from CMS. Online banking account credentials are being harvested by attackers to commit ACH fraud. How do you keep your IT environment safe from these actions and how do you lower the probability of an attack being successful? Knowing what risks are in your IT environment and how you are mitigating them is a great place to start!
Risk assessment is the practice of identifying the threats and vulnerabilities in your IT environment, estimating the impact and probability of each, and assigning controls to mitigate or lower the resulting risks. History has shown that there is a place for risk assessment. The military uses risk assessment as part of its planning. Your insurer uses risk assessment to figure out what your premiums should be, or whether you are even insurable. Casinos use risk assessment to calculate the chance of losing money on a given game. There are countless ways to perform a risk assessment. When looking for a tool or methodology to help you, make sure the approach is appropriate for the size and complexity of your organization. Several factors play into this decision:
- Asset based vs Process Based Assessments: An asset based risk assessment rates the risk of each individual asset in your IT environment. This can be a good approach for small to medium sized businesses looking for a very granular risk assessment. A process based risk assessment looks instead at the processes involved in protecting information (patch management, access provisioning, backup, vendor access, and so on) and risk rates those processes. Medium to very large organizations tend to use the process based approach, because assessing each asset individually in an environment with tens of thousands of assets is not a manageable endeavor. A good risk assessment approach uses a hybrid of the two in order to get a clear picture of where the risks are in the IT environment while scaling appropriately for the size and complexity of the organization.
- Threat Based vs Vulnerability Based Assessments: A threat based risk assessment considers all plausible threats to the Confidentiality, Integrity, and Availability of a system or process, whether or not a specific weakness is known today. A vulnerability based risk assessment starts from the vulnerabilities currently present on a system (typically found by scanning) and rates each one by its likelihood of being exploited. Both assessment styles are useful, and a good hybrid approach gives you both without over-complicating the process. The drawback of a purely vulnerability based risk assessment is that it cannot rate something that is not yet connected to your network: you would be unable to risk assess the new EHR you are planning to deploy until after you have already purchased and installed it.
- Quantitative vs Qualitative Measurement: The quantitative method expresses risk as a number, typically an expected annual loss derived from the value of what is at stake, how much of it an incident would cost you, and how often such an incident is expected to occur. Assessments that use the quantitative approach are very good at comparing risk across many assets or processes. Medium to very large organizations use the quantitative method because it lets them separate one high risk item from another. The qualitative method groups risk into categories such as low, medium, and high. Small organizations use the qualitative method because it simplifies the risk assessment process. Both methods are useful in various situations, but the downfall of the qualitative method is that it does not work well when assessing more than a handful of items, because many of them end up tied in the same category with nothing to tell them apart.
- Assessment, Analysis, and Management: The security industry and the government have done a poor job of educating their customers on the difference between assessment, analysis, and management. Many security companies have more or less used the terms synonymously. They are not synonymous. Assessment is the process of finding what risks are in your environment. Analysis is the process of examining those risks, deciding which existing controls apply to them, and determining whether additional controls need to be deployed to reduce the remaining risk. Management is the process of looking at the risk analysis and the risk portfolio as a whole and deciding where to put resources in order to lower overall risk. A good risk approach contains elements of all three.
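The quantitative versus qualitative distinction above, and the "analysis" step of deciding whether a control is worth deploying, are easiest to see with numbers. The following is an added example, not code or data from the original article: it scores a constructed set of risks using the standard single loss expectancy (SLE) and annualized loss expectancy (ALE) formulas, buckets the same items into qualitative bands, and estimates the net value of a hypothetical control. The asset values, exposure factors, annual rates and band thresholds are assumptions chosen for illustration.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Risk:
    item: str
    asset_value: float      # assumed loss/replacement value in dollars
    exposure_factor: float  # fraction of the asset lost per incident, 0.0 to 1.0
    aro: float              # annualized rate of occurrence (incidents per year)


def sle(r: Risk) -> float:
    """Single loss expectancy: what one incident is expected to cost."""
    return round(r.asset_value * r.exposure_factor, 2)


def ale(r: Risk) -> float:
    """Annualized loss expectancy: expected loss per year from this risk."""
    return round(sle(r) * r.aro, 2)


def qualitative_band(r: Risk, high: float = 100_000, medium: float = 10_000) -> str:
    """Collapse the number into low/medium/high. Thresholds are assumptions."""
    a = ale(r)
    if a >= high:
        return "high"
    if a >= medium:
        return "medium"
    return "low"


def rank_quantitative(risks: list[Risk]) -> list[tuple[str, float]]:
    """Quantitative view: every item gets a distinct position by ALE."""
    return sorted(((r.item, ale(r)) for r in risks), key=lambda t: t[1], reverse=True)


def group_qualitative(risks: list[Risk]) -> dict[str, list[str]]:
    """Qualitative view: items sharing a band are indistinguishable."""
    groups: dict[str, list[str]] = {"high": [], "medium": [], "low": []}
    for r in risks:
        groups[qualitative_band(r)].append(r.item)
    return groups


def control_value(r: Risk, new_aro: float, annual_cost: float) -> float:
    """Net annual value of a control that lowers the ARO: ALE reduction minus cost.
    A negative result means the control costs more than the risk it removes."""
    residual = replace(r, aro=new_aro)
    return round(ale(r) - ale(residual) - annual_cost, 2)


# Constructed sample risk register; none of these figures come from the article.
SAMPLE_RISKS = [
    Risk("EHR database", asset_value=2_000_000, exposure_factor=0.5, aro=0.2),
    Risk("Online banking workstation", asset_value=500_000, exposure_factor=0.8, aro=0.3),
    Risk("POS terminals", asset_value=300_000, exposure_factor=1.0, aro=0.5),
    Risk("HVAC vendor remote access", asset_value=50_000, exposure_factor=1.0, aro=0.6),
    Risk("Lobby printer", asset_value=5_000, exposure_factor=1.0, aro=0.2),
]


if __name__ == "__main__":
    for item, annual_loss in rank_quantitative(SAMPLE_RISKS):
        print(f"{item:28s} ALE ${annual_loss:>12,.2f}")
    print(group_qualitative(SAMPLE_RISKS))
    # Hypothetical control: MFA on the banking account cuts ARO from 0.3 to 0.05
    # for an assumed $8,000/year; is it worth it?
    banking = SAMPLE_RISKS[1]
    print("MFA net value:", control_value(banking, new_aro=0.05, annual_cost=8_000))
```

With these inputs the qualitative view puts the EHR database, the banking workstation and the POS terminals in the same "high" band, while the quantitative ranking orders them 200,000, 150,000 and 120,000 dollars per year, which is exactly the separation a larger organization needs when it has dozens of "high" items and a finite budget.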
While risk assessment, analysis, and management can be time consuming processes, they are required by the HIPAA Security Rule and called for by most other regulatory standards. They are also a very good way to understand your IT and IS environment and find its weaknesses with respect to confidentiality, integrity, and availability. Lastly, they help focus resources on the areas at highest risk of being compromised. It is through this process that your organization decides not to be the "low hanging fruit" for fraudsters and hackers to exploit.
Eric Buzz Hillestad is Partner at SHS, LLC and Principal Consultant.