Risk and micro, small business

Risk; why is it so difficult?

Information security risk management, or cyber security risk management if you prefer; either way it seems to cause businesses a bit of a problem.

Over many years I have seen and audited many different concoctions, the majority of which fail completely to manage risk effectively.

That said, I have also seen some scarily good processes, many of which are application driven rather than spreadsheet driven. This is an out-and-out plug, but the best and most effective examples have usually been driven by Acuity Risk Management's Stream application.

However, for the micro or small business the best approach is to keep things simple, for the moment at least.
  • Risk description - there are excellent definitions of risk published in various ISO documents (ISO 31000 and ISO/IEC 27005, for instance). However, it all boils down to the following:
    • Source (where the thing that could happen comes from - internal or external parties)
    • Event (what is going to occur)
    • Cause (why it could happen), and
    • Consequence (the likely negative outcome for the business objectives).
  • Example - a member of staff (source) accidentally clicks on a link within an email, which results in data being encrypted (event), because training/awareness/administrative/technical measures were not in place (cause), resulting in a loss of availability of data, potential loss of reputation, a regulatory fine and so on (consequence).
  • Example - the MD decides to negotiate with a script kiddie (a criminal) to reduce the ransom following a successful ransomware attack, resulting in the business being tagged as an easy mark, which could lead to even further damage to its reputation.
    • You decide the source, the event, the cause and the consequence.
In both examples above (simple, but potentially devastating nonetheless), what could or should have been put in place to reduce the likelihood of the consequences being realised? While contemplating that question, the next set of questions will be: now that something negative has happened, what measures are in place to recover and get back to business as usual, and what lessons has the business learned from the experience?

In simple risk-based terms then:
  • Walk through some scenarios to describe the risk, then
  • Identify ways (measures) in which, as a business, the event, the cause and the consequences can be reduced to a minimum (one acceptable to your business and its context). These measures, by the way, will be administrative, physical and technical in nature,
  • Where practicable, put the measures in place (and review them every now and again to ensure they remain effective).
  • Make sure that everything is documented; fire up a word processor or similar. Keep a record of what the business has done; it may be very useful in the future.
The obvious question is: is that it? No, not really. But, importantly for the micro or small business, you have started on the journey.

What you do not want to do is:
  • Put measures in place (especially high-cost technical measures; the ubiquitous magic box) until you can describe the risk to the business and justify the spend.
Understanding and managing information and cyber security risk can be administratively and technically demanding. But for the micro and small business it is probably best to keep things simple.
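As an added worked example (not the author's own code, nor the Stream application), here is a small Python risk register that holds each risk in the source/event/cause/consequence form used above, rates it before and after the measures that are actually in place, lists measures overdue for review, and states what each proposed measure would buy in risk terms before any money is spent on it. The five-point scales, the weight given to each measure, the two risks and all dates are constructed assumptions for illustration only.

```python
# Added example, not from the original post: a tiny risk register in the
# source / event / cause / consequence style. Scales, weights, risks,
# measures and dates are constructed sample data (assumptions).
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Five-point ordinal scales; for a small business the words matter more than the numbers.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
MEASURE_KINDS = ("administrative", "physical", "technical")


@dataclass
class Measure:
    name: str
    kind: str                 # administrative, physical or technical
    reduces: str              # "likelihood" or "impact"
    by: int                   # scale points removed once in place (assumed weight)
    in_place: bool = False
    last_reviewed: Optional[date] = None

    def __post_init__(self) -> None:
        if self.kind not in MEASURE_KINDS:
            raise ValueError(f"unknown measure kind: {self.kind}")
        if self.reduces not in ("likelihood", "impact"):
            raise ValueError(f"a measure reduces likelihood or impact, not {self.reduces}")


@dataclass
class Risk:
    ref: str
    source: str
    event: str
    cause: str
    consequence: str
    likelihood: str
    impact: str
    measures: list = field(default_factory=list)

    def describe(self) -> str:
        """The risk statement in the four-part form used in the post."""
        return (f"{self.ref}: {self.source} (source) {self.event} (event) because "
                f"{self.cause} (cause), resulting in {self.consequence} (consequence)")

    def inherent(self) -> int:
        """Rating with no measures at all: likelihood x impact."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def residual(self, assume_in_place=()) -> int:
        """Rating once the measures actually in place (plus any named in
        assume_in_place, for what-if questions) take effect. Floor is 1 x 1."""
        lik, imp = LIKELIHOOD[self.likelihood], IMPACT[self.impact]
        for m in self.measures:
            if not (m.in_place or m.name in assume_in_place):
                continue
            if m.reduces == "likelihood":
                lik = max(1, lik - m.by)
            else:
                imp = max(1, imp - m.by)
        return lik * imp


def prioritised(risks, appetite: int):
    """Risks whose residual rating is still above what the business will accept, worst first."""
    return sorted((r for r in risks if r.residual() > appetite), key=lambda r: -r.residual())


def overdue_reviews(risks, today: date, max_age_days: int = 365):
    """Measures that are in place but have not been reviewed within max_age_days (or ever)."""
    found = []
    for r in risks:
        for m in r.measures:
            if m.in_place and (m.last_reviewed is None or (today - m.last_reviewed).days > max_age_days):
                found.append((r.ref, m.name))
    return found


def spend_justification(risks):
    """For each measure not yet in place: residual rating before and after it.
    If the 'after' number barely moves, the magic box is not justified."""
    return [(r.ref, m.name, m.kind, r.residual(), r.residual(assume_in_place=(m.name,)))
            for r in risks for m in r.measures if not m.in_place]


def register_as_text(risks) -> str:
    """The written record: one block per risk, [x] measure in place, [ ] not yet."""
    lines = []
    for r in risks:
        lines.append(r.describe())
        lines.append(f"  inherent {r.inherent()}, residual {r.residual()}")
        for m in r.measures:
            lines.append(f"  [{'x' if m.in_place else ' '}] {m.name} ({m.kind}, reduces {m.reduces})")
    return "\n".join(lines)


TODAY = date(2024, 6, 1)  # fixed date so the example is reproducible (assumption)

# Constructed sample register built from the two scenarios in the post.
RISKS = [
    Risk("R1", "a member of staff", "clicks a link in an email and company data is encrypted",
         "no awareness training and no tested backups",
         "loss of availability of data, reputational damage and a possible regulatory fine",
         likelihood="likely", impact="major",
         measures=[
             Measure("Phishing awareness training", "administrative", "likelihood", 1,
                     in_place=True, last_reviewed=TODAY - timedelta(days=500)),
             Measure("Offline backups, restore tested", "technical", "impact", 2,
                     in_place=True, last_reviewed=TODAY - timedelta(days=30)),
             Measure("Email link and attachment filtering", "technical", "likelihood", 1),
         ]),
    Risk("R2", "the MD", "negotiates directly with the attacker after a ransomware attack",
         "no incident response plan naming who decides and who speaks to whom",
         "the business is tagged as an easy mark and targeted again",
         likelihood="possible", impact="major",
         measures=[Measure("Incident response playbook with named decision-makers",
                           "administrative", "likelihood", 2)]),
]

if __name__ == "__main__":
    print(register_as_text(RISKS))
    print("above appetite:", [r.ref for r in prioritised(RISKS, appetite=8)])
    print("overdue reviews:", overdue_reviews(RISKS, TODAY))
    for ref, name, kind, before, after in spend_justification(RISKS):
        print(f"{ref} {name} ({kind}): residual {before} -> {after}")
```

With an appetite of 8, R1 (inherent 16) drops to a residual of 6 once the training and tested backups are counted, while R2 stays at 12 because its only measure is not in place; the training shows up as overdue for review, and the playbook's "12 -> 4" is the one-line justification for doing it before buying anything. The weights and scales are deliberately crude: the point is to write the risk down first and let the numbers drive the spend, not the other way round.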

Will the above simple process make you UK GDPR (DPA 2018) or EU GDPR (it had to be said) compliant? No! It will certainly help, but fully compliant? No! If the worst were to happen and, despite your best efforts, the business suffered a personal data breach, the documented actions you have put in place might help you show accountability if the regulator (the ICO in the UK) comes a-knocking.

If you need help or simply some guidance, let me know.

KanSecurity (NL)