Why a risk assessment should be in your future

By Charles Cooper

Companies that put cyber risk assessments on the back burner will quickly find themselves enmeshed in controversy if their controls are found to be inadequate or fail to satisfy regulatory requirements.

Legislation such as HIPAA, Sarbanes-Oxley and Gramm-Leach-Bliley not only spells out how organizations should protect different kinds of data but also requires regular security assessments. What’s more, organizations involved in mergers or acquisitions have extra incentive to stay on top of this: a recent New York Stock Exchange survey of its members found that the overwhelming majority of respondents agreed that disclosure of a high-profile data breach would have “serious implications” for a pending transaction.

Regular cyber risk assessments are a critical part of an effective cyberdefense if for no other reason than the results provide clear answers about the risks associated with using particular information systems or types of data.

At the same time, it’s unrealistic to include everything in a risk assessment. Indeed, the US Commerce Department’s National Institute of Standards and Technology (NIST), whose guidance (SP 800-30) describes a general process for conducting risk assessments, prescribes no single mandatory set of steps and no one right way to carry them out.

So, what’s the right approach? There’s no single answer, since it will vary based on the company and its unique position in the market. Rather, the overarching goal should be to create a framework that covers the systems and processes that store, process and transmit the company’s most important information.

Managing the Process

Years ago, this task might have been farmed out to the IT department. But as threat levels rise, the danger of brand and reputational damage from a data breach has pushed responsibility for cyber risk assessment up the organizational chart. The C-suite, and the board of directors, are now as responsible for managing this process as they are for any other category of enterprise risk.

The exercise should spotlight the various categories of risk that an organization faces. At the same time, it should inform the leadership about the actual location of the company’s assets as well as whether there’s appropriate security to protect its most valuable information.

Once complete, the exercise should help management prioritize rather than throw money at the problem indiscriminately. Managers can then spend more prudently and cost-effectively, investing first in defending the assets whose compromise would cost the organization the most.

Organizations should also use the process as an opportunity to vet the security posture of their third-party business partners. In a networked world, a partner company’s security vulnerabilities also become yours. As a precaution, it’s prudent to adopt strict, least-privilege role-based access so that third parties can reach only the specific applications and data they need, and nothing more.

At the end of the day, this is about adding to an organization’s muscle memory. Companies that fail to conduct thorough security reviews can’t ever know for sure which data is most likely to be in the crosshairs. But adopting cyber risk assessments into their regular routine will allow organizations to understand what they face and better navigate a threat landscape that gets more dangerous all the time.

Just as important, it will give them a running start when trouble finally knocks on the door.

Charles Cooper has covered technology and business for the past three decades. All opinions expressed are his own. AT&T has sponsored this blog post.