The news spreads that one of your neighbors recently had a break-in. They were always diligent in locking their doors and taking precautionary steps to secure their home. The thought of your house being vulnerable fills your mind. You now wonder whether locking your doors is enough to protect your home. That same feeling applies when organizations do not take IT security and its associated risk seriously. When you don’t properly secure your IT infrastructure, risk is sure to follow.
As technology advances, and it always will, organizations need to be aware of the important steps in mitigating risk. These advances give us faster communications, more accurate information, and the ability to collaborate seamlessly around the world. With the benefits of technology come additional risks. The information you use to do business, internally and externally, as well as up and down the organizational chart, needs to be handled in a way that protects you and your organization. How you store information, move it, and get rid of it plays a critical role in the risk associated with internal information. Any information that, by itself or in combination with publicly available information, can be used to disable or misuse organizational or individual assets, cause harm to the organization or its personnel and customers, or cause a safety or security issue must be protected throughout that information’s lifecycle. This information likely includes your organization’s financial data, HR personnel information, customer data, and critical infrastructure.
To determine your risk, you need to understand the information you have and the controls that may be necessary to protect it. Reflecting on the following questions will give you an initial assessment:
What are we trying to protect?
Protecting your data must begin with a full understanding of where your data exists. It can be placed into three main categories: data at rest, including network drives, mobile devices, thumb drives, and printouts; data in motion, including emails, file transfers, conversations, and instant messages; and discarded data, such as old computers, deleted mobile media, recycled files, and shredded files. Identifying and understanding the risks and controls needed for each category enables a review of existing security measures, as well as an opportunity to plan for ongoing or increased risk mitigation.
Who do we need to protect it from?
Once you understand the information you have, you can identify the potential threats. In other words, who would want the information? Should we be most concerned with external threats, such as competitors, hackers, or terrorists? Are there internal risks caused by negligent or fraudulent employees? Once you determine who or what may want your information, and for what reason, you can assess whether they know how to get it. This insight allows you to design specific protections for each potential scenario.
What are we doing to protect it?
Just like locking your front door, you and your organization have already implemented some controls to protect your data. These controls include frequently changing passwords, tightening physical security, and properly disposing of old data. As technology advances, the threats to our information evolve, and so must our understanding of those threats and the controls we have implemented.
Ongoing risk assessment and management processes will allow you to set a strong plan moving forward, with prioritized action items for reducing overall risk to your information. Ideally, your understanding of risk and the necessary security controls will be as flexible and nimble as the technology that improves the way we do business. And remember, that sinking feeling of vulnerability is a reminder to always lock the front door, or perhaps to consider a better lock.
For more information on this topic, or to learn how Baker Tilly specialists can help, contact our team.