Risk Assessments: Critical in Down Economy

By Tom Ezdon, Locknet Compliance Director, CISA

Risk assessments…just a lot of work that leads to more work, right? Not so with Locknet™.

Done right, a risk assessment can be a painless process that ultimately saves your company time and money—whether or not you ever experience a disaster or theft.

A risk assessment is an internal evaluation to determine the security of your data. It identifies vulnerabilities to both internal and external theft, natural disasters, and equipment failure.

While some businesses, notably health and financial institutions, are legally obligated to secure their data, the risk assessment process is valuable to any business, particularly those that store customer information.

Consider the potential damages from an information theft. As we say here at Locknet, “It’s all fun and games until your company makes the news.” Could your business afford remediation expenses? Could you weather the hit on your good name?

It Pays to Plan

For companies subject to regulatory audits, a risk assessment is necessary to demonstrate information security. According to the FFIEC, IT audit planning must be based on results from a risk assessment.

In other words, regulations require that you first a) examine your risks, and only then b) make a plan to mitigate them.

It sounds logical enough. But who among us hasn’t skipped those critical evaluation and planning steps on a project, thinking it somehow more efficient to just jump into the problem at hand?

Or, perhaps you think, “We barely have the time or the money we need to upgrade security as it is, why should I spend more studying the issue?”

The answer: A proper risk assessment will not only reduce your risk and see you through an audit, but it will save you time and money.

A Tale of Two Companies

Consider these hypothetical examples:

Company A uses a scattershot approach to risk mitigation, reacting to news reports and whatever concerns become top-of-mind in a given week. Without a plan, every new idea becomes a priority, and IT staff are overworked with multiple, and sometimes conflicting, directives.

At the end of the year, Company A struggles to report resources allocated and progress made on overall security. Security continues to be a nagging concern, creating stress and confusion for leadership. The regulatory audit is a time-consuming process and results in several mandated improvements within a limited timeframe.

Company B goes through a risk assessment process and determines which areas of the company are most vulnerable. Management prioritizes mitigation activities based on cash available and return on investment. Staff focus their efforts on those activities.

At the end of the year, Company B has a baseline measurement and can demonstrate significant risk reduction. It has a record of mitigation activity as well as a plan for next year’s spending.

Company B isn’t required by law to go through an audit, but management enjoys a clear mind, knowing that information security is well in hand.

Three Steps

A risk assessment consists of three activities:
  1. Gathering information
  2. Analyzing data
  3. Prioritizing your response

The first step in any risk assessment is identifying your information assets, including computers, flash drives, paper, and more. The assessment evaluates where this information is stored, how it travels from one place to the next, and who has access.

Next, the assessment identifies data risks, e.g., fires, floods, internal theft, accidental loss. The assessment illustrates anything that would prevent you from accessing your data and controlling its use.

As the final step in the information gathering stage, an assessment identifies which controls are already in place to mitigate those risks.

All this data will naturally point to holes in your security. It will help you identify which assets are at highest risk and which remediation activities can provide the best return.

Finally, you’ll make and execute a risk mitigation plan. This might include more policies, better training, tightened access controls, or other security improvements.

The risk assessment helps to identify those activities that will provide the biggest bang for your buck. And, as the company grows or develops new services, the risk assessment provides a readily available and logical framework for extending security controls to new staff and processes.
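The three steps above, worked through as an added example that is not code from this article or from Locknet: a toy risk register records each information asset with a threat, a likelihood and impact rating, and the existing controls (gathering); it scores residual risk to find the assets most exposed (analyzing); and it ranks candidate mitigations by risk removed per dollar (prioritizing). The 1-to-5 likelihood and impact scale, the rule that each control removes a fraction of the remaining risk, and every asset name, rating and cost are constructed assumptions, not Locknet's method or a client's data.

```python
from dataclasses import dataclass, field, replace
from math import prod


@dataclass
class Risk:
    """One line of the risk register: an information asset paired with a threat."""
    asset: str
    threat: str
    likelihood: int                                 # 1 (rare) .. 5 (almost certain)
    impact: int                                     # 1 (negligible) .. 5 (severe)
    controls: list = field(default_factory=list)    # fraction of risk each existing control removes

    def inherent(self) -> int:
        # Risk before any controls: the usual likelihood x impact heat-map score (assumed scale).
        return self.likelihood * self.impact

    def residual(self) -> float:
        # Assumed model: each existing control independently removes a fraction of what remains.
        return self.inherent() * prod(1 - c for c in self.controls)


@dataclass
class Mitigation:
    """A candidate remediation for the plan, with its cost and expected effect."""
    name: str
    assets: list        # asset names it protects
    cost: float         # one-off cost in currency units
    reduction: float    # fraction of residual risk it removes on each targeted asset


def total_residual(risks):
    """Sum of residual risk across the whole register."""
    return sum(r.residual() for r in risks)


def highest_risk(risks):
    """Analysis step: register lines ordered by residual risk, worst first."""
    return sorted(risks, key=lambda r: r.residual(), reverse=True)


def apply_mitigation(risks, m):
    """Return a copy of the register with the mitigation added as a control on its assets."""
    return [replace(r, controls=r.controls + [m.reduction]) if r.asset in m.assets else r
            for r in risks]


def rank_mitigations(risks, mitigations):
    """Prioritisation step: (name, risk removed, risk removed per currency unit), best return first."""
    before = total_residual(risks)
    ranked = []
    for m in mitigations:
        removed = before - total_residual(apply_mitigation(risks, m))
        ranked.append((m.name, round(removed, 3), removed / m.cost))
    ranked.sort(key=lambda t: t[2], reverse=True)
    return ranked


# Constructed sample register: assets, threats, ratings and existing controls are illustrative only.
RISKS = [
    Risk("customer database", "external intrusion", likelihood=3, impact=5, controls=[0.5]),
    Risk("customer database", "insider theft", likelihood=2, impact=5),
    Risk("laptops", "loss or theft", likelihood=4, impact=3, controls=[0.2]),
    Risk("paper records", "fire", likelihood=1, impact=4, controls=[0.3]),
]

# Constructed candidate mitigations with illustrative costs and effects.
MITIGATIONS = [
    Mitigation("full-disk encryption on laptops", ["laptops"], cost=2000, reduction=0.8),
    Mitigation("database access review and logging", ["customer database"], cost=5000, reduction=0.5),
    Mitigation("fire suppression upgrade", ["paper records"], cost=8000, reduction=0.9),
]


if __name__ == "__main__":
    print(f"total residual risk: {total_residual(RISKS):.1f}")
    for r in highest_risk(RISKS):
        print(f"  {r.residual():5.1f}  {r.asset} / {r.threat}")
    print("mitigations by risk removed per currency unit:")
    for name, removed, per_unit in rank_mitigations(RISKS, MITIGATIONS):
        print(f"  {per_unit:.5f}  removes {removed:5.2f}  {name}")
```

The ranking is the point: the cheapest option comes out first because it addresses a large residual risk, while the fire suppression upgrade sits last not because fire is irrelevant but because that risk is already small and the cost is high. The same register, re-run next year with last year's mitigations moved into the existing controls, gives the baseline measurement Company B could show its management.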

Critical in Down Economy

Regulatory challenges aren’t declining, despite these tough economic times. Likewise, analysts suggest that data theft increases in a bad economy as outside hackers step up their efforts and employees download proprietary information in fear of losing their jobs.

It costs far more to deal with a crisis than prevent one. In this economy, we all need more cost-effective ways to keep data secure. Risk assessments provide clarity, direction, and efficiency to those efforts.