Risk assessments lead to stronger security for your business
Paul Nus - The Gazette
Jul. 29, 2021 7:30 am
It's hard to miss the barrage of cybersecurity news articles related to the compromises of technology systems within the United States and across the globe.
In response to the Colonial Pipeline incident, in which a ransomware attack crippled a major gas pipeline, President Joe Biden signed an executive order aimed at improving U.S. cybersecurity defenses, which further elevated the visibility of cybersecurity.
One section of the executive order, labeled "Modernizing Federal Government Cybersecurity," included the action to "centralize and streamline access to cybersecurity data to drive analytics for identifying and managing cybersecurity risks."
As awareness of these cybersecurity threats rises, business leaders could be left wondering what shape their own security posture is in and what modernization needs to occur within their IT infrastructure to avoid similar incidents.
The key starting point to any cybersecurity program is to have a risk management program aimed at understanding your business risks.
Without a risk management program in place, it becomes increasingly difficult to verify that your resources are used as efficiently as possible.
Understanding the likelihood and impacts of potential threats and vulnerabilities will help prioritize and focus your business on protecting what is important.
While maintaining a risk management program is a continuing process, the first step in uncovering your risk baseline is to conduct a cybersecurity risk assessment.
A cybersecurity risk assessment starts with identifying a list of valuable assets. For organizations without an unlimited budget, the information gathered should focus on the crown jewels of the business and the value each of those assets has to your operations.
The assets will include physical items such as locations and computer systems and also should include the data that resides on these systems and the people needed to manage them.
How much would it cost to rebuild any lost information? What if the competition had any of my data? What production impacts would occur if the systems or data were unavailable?
What type of reputational damage would I have in the market? What happens if this critical employee leaves the company?
When we start asking the tough questions, we start to uncover the threats and vulnerabilities within our operations.
This information should be collected and packaged so that different risk treatment plans can be made for the identified risks. The typical treatment plans for risk include accept, avoid, transfer and mitigate.
Accepting risk as it is can be a perfectly viable business decision. Not everything you find on your risk assessment may have the funding or priority for completion.
Avoiding risk means that you will completely stop doing whatever it is that introduces that risk if it is not core to your business.
Transferring risk includes bringing in an external partner or vendor to take on all or part of the risk.
Mitigating risk involves adding controls or barriers to reduce or eliminate the amount of risk. Of course, controls have the ability to fail and often need oversight to ensure they are effective.
A security risk assessment should be an activity that continues on a regular basis. New threats can emerge and vulnerabilities are continuously being identified, which can call for different treatment plans.
A risk assessment is a point-in-time view of information, and it is a great place to start to understand what gaps you may need to fill.
Paul Nus is director of technology at Folience, The Gazette’s parent company, and a board member of SecMidwest, a Cedar Rapids based not-for-profit focused on cybersecurity education. Go to SecMidwest.org for more information on attending its monthly meetings.