Risk and micro, small business

-

Risk; why is it so difficult?







Information security risk management, or if you wish cyber security risk management; either way it appears to cause a bit of a problem.

Over many years now I have seen and audited different concoctions, the majority of which fail completely to be effective in managing the risk. 

That said, I have also seen some scarily good processes, many of which are application driven rather than spreadsheet driven. This is an out and out plug, but the best and most effective examples have usually be driven by Acuity Risk Management's Stream application

However, for the micro or small business the best approach is to keep things simple, for the moment at least.
  • Risk description - there are excellent definitions for risk published within various ISO documents. However it all boils down to the following:
    • Source (what is the source of the thing that could happen - internal or external parties)
    • Event (what is going to occur)
    • Cause (why could it happen), and
    • Consequence (what is the likely negative outcome to the business objectives).
  • Example - a member of staff (source) accidently clicks on a link within an email that results in data being encrypted (event) due to the lack of training/awareness/admin/technical measures being in place (cause), resulting in a loss of availability of data, potential loss of reputation, regulatory fine and so on (consequence). 
  • Example - the MD decides to negotiate with a script kiddie (criminal) to reduce the ransom following a successful ransomware attack, resulting in the business now being tagged as an easy mark that could result in even further damage to the reputation of the business. 
    • You decide the source, the event, the cause, and the consequence.
In both  examples above (simple but potentially devastating nonetheless), what could/should have been put in place to reduce the likelihood of the consequences being realised? Whilst contemplating that question the next set of questions will be; now that something negative has happened, what measures are in place to recover and get back to business as usual; and what lessons has the business learned from the experience?

In simple risk based terms then:
  • Walk through some scenarios to describe risk, then
  • Identify ways (measures) in which as a business the event, the cause, and the consequences can be reduced to a minimum (acceptable to your business and its context). These measures, by the way, will be administrative, physical and technical in nature,
  • Where practicable put the measures in place (and review them every now and again to ensure they remain effective).
  • Make sure that everything is documented; fire up a word processor or similar. Keep a record of what it is the business has done, it may be very useful in the future. 
The obvious question is; is that it? No, not really is the answer to that. But, importantly especially for the micro or small business you have started on the journey. 

What you do not want to do is:
  • Put measures in place (especially high cost technical measures; the ubiquitous magic box) until you can describe the risk to the business, and able to justify the spend. 
Understanding and managing information and cyber security risk can be administratively technical and quite often demanding. But for the micro and small business it is probably best to keep things simple.

Will the above simple process make you UK-GDPR (DPA2018) or EU-GDPR (it had to be said) compliant. No!  It will certainly help, yes, but fully compliant. No!  If the worst were to happen and despite your best efforts the business suffered a personal data breach, the documented actions that you have put in place, might help if the regulator (ICO) comes a-knocking.

If you need help or simply some guidance let me know

KanSecurity (NL)





Popular posts from this blog

Risk and Certification

-
Image
Risk too...for Certification The previous discussion on information and cyber security risk was focused toward the micro and small business; the purpose being an attempt to get their ball-rolling on looking at risk. Certification to ISO/IEC 27001:2013 (information security management system (ISMS), requirements) needs the business to seriously focus on information and cyber security risk. In fact, clause 6 (Planning) and its sub-clauses are all focused on risk; this is the 'plan' element of the plan, do, check, act (PDCA) dance. On the other hand, clause 8 (Operation) and in particular 8.2 and 8.3 are all about carrying out risk assessment and treatment, the 'do' element of PDCA. The International Organisation for Standardisation (ISO) does not dictate to your business any particular process or methodology for risk. But, whatever process you adopt it must produce consistent, valid and comparable results (clause 6.1.2b).  If not, the syst
Read more

Sleepless nights, and business owners

-
Image
What keeps the business owner up at night? I am talking about owners of the micro, small, and in some cases medium sized business; those owners who on a daily basis put their heart and soul into building their business and doing all they can to keep it running successfully; making profit; keeping customers happy; employing people etc. The farthest thing from their minds will be information and cyber security.  It could even be suggested that the mere mention of the subject is likely to result in a furrowed brow followed by, this is what I pay the IT Service Provider to look after. It is not surprising then that the evangelist, having worked in the information and cyber security space for many years, comes across disinterest; disregard; and perhaps just a bit of indifference when the subject is raised. That is not meant to insult the business owners, it’s simply a fact of the evangelist's life. For 20 years and more so many thoughts around how to change mind-sets h
Read more