Let’s talk about risk

Posted by Bobby Kuzma, CISSP on Nov. 03, 2014

No. I don’t mean the board game that I’m not permitted to play around people I like.

Yes, I mean the potential of losing something of value. It seems that almost nobody in the SMB space really gets risk, and how to analyze and mitigate it. I used the M-word. I mean it, too. You cannot eliminate risk. You make it less likely or less impactful, hence the use of mitigate.

If you are an IT professional, you practice risk management on a daily basis, even if you don’t realize it.

Let’s take a really basic example: installing antivirus on workstation computers.

Why do we do that? Usually, we do it to help prevent malicious software from infecting a computer.

Risk: Malicious software can be installed on a workstation, causing various problems.

Now that we’ve defined the risk, what kind of things can we do to reduce the risk, or make it less impactful? The normal Best Practice, for better or worse, is to have anti-virus or anti-malware software installed on your machine. Let’s think about some of the other things that you can do to reduce the chances of getting a virus…

Running as a privileged user gives any software you run nearly complete access to the computer, so running as a regular, unprivileged user should reduce the odds of a virus being able to take hold.

Viruses usually get onto systems via vulnerabilities in the operating system, web browsers, or associated software like Java, Flash, and Acrobat Reader. Patching these, and keeping them patched, will reduce the likelihood of a virus getting onto the computer.

Zooming out from the machine, we can add filtering on web access and email to further reduce the risk.

So far, all the things we’ve outlined are what are called technical controls. There are also administrative controls, like providing training to users on how to avoid downloading and running malware.
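To make the “less likely or less impactful” idea concrete, here is an added example (not from the original post) that models the workstation-malware scenario above as a tiny risk register: each control from the text multiplies likelihood or impact down, and the score is floored at the bottom of the scale because controls mitigate risk rather than eliminate it. The 1–5 likelihood/impact scale and every reduction factor are assumed values chosen for illustration.

```python
"""Minimal risk-register model for the workstation-malware scenario.

Added example, not from the original post. The 1-5 likelihood/impact
scale and every reduction factor below are assumed values for illustration.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Control:
    name: str
    kind: str                        # "technical" or "administrative"
    likelihood_factor: float = 1.0   # <1.0 makes the event less likely
    impact_factor: float = 1.0       # <1.0 makes the event less damaging


@dataclass
class Risk:
    description: str
    likelihood: float                # 1 (rare) .. 5 (near certain), assumed scale
    impact: float                    # 1 (negligible) .. 5 (severe), assumed scale
    controls: list = field(default_factory=list)

    def inherent(self) -> float:
        """Risk score before any control is applied."""
        return self.likelihood * self.impact

    def residual(self) -> tuple:
        """(likelihood, impact, score) after all controls, floored at 1:
        mitigation lowers the numbers but never reaches zero."""
        lik, imp = self.likelihood, self.impact
        for c in self.controls:
            lik *= c.likelihood_factor
            imp *= c.impact_factor
        lik, imp = max(lik, 1.0), max(imp, 1.0)
        return round(lik, 2), round(imp, 2), round(lik * imp, 2)

    def by_kind(self, kind: str) -> list:
        """Names of the controls of one kind (technical / administrative)."""
        return [c.name for c in self.controls if c.kind == kind]


# The controls named in the post, with assumed effect sizes.
MALWARE_ON_WORKSTATION = Risk(
    "Malicious software installed on a workstation", likelihood=4, impact=5,
    controls=[
        Control("anti-malware software", "technical", likelihood_factor=0.7),
        Control("run as unprivileged user", "technical", 0.8, 0.6),
        Control("patch OS, browsers, Java/Flash/Reader", "technical", 0.5),
        Control("web and email filtering", "technical", 0.6),
        Control("user awareness training", "administrative", 0.8),
    ],
)

if __name__ == "__main__":
    r = MALWARE_ON_WORKSTATION
    print("inherent:", r.inherent(), "residual:", r.residual())
    print("administrative controls:", r.by_kind("administrative"))
```

With the assumed factors the likelihood term bottoms out at the floor of 1, so the residual score of 3 comes entirely from the remaining impact; swap in your own scale and factors to see how each control moves the number.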

Why am I going to all the trouble of laying this out step by step? For starters, risk assessments are the basis of a good information security and information assurance program. For many compliance scenarios, like HIPAA and HITECH, you MUST perform risk assessments and keep them frequently updated.

Identifying risks is not a science. It’s an art form that requires practice to master. If you take the time to master it, you’ll be opening up a whole new world of revenue and professional services opportunities.