Creating a secure home for sensitive data is fast becoming a business requirement, but it is often new ground to cover for many companies. Businesses have varying measures in place ranging from nothing at all to predictive software and hardening solutions—but even the most hardened still analyze their weak spots and plan for the worst. This type of contingency planning is part of risk assessment, a vital aspect of protecting your data and that of your customers.
What is a risk assessment and why is it important?
To assess risk for your organization, first ask what type of risk you are assessing. Think about risk in terms of data in your organization. The following questions are a loose guideline for how to start assessing your risk factors:
- Have you fully eliminated sensitive data from your business? If not, are steps being taken to minimize the handling of sensitive data?
- Are you encrypting sensitive data now? Are you encrypting any data? Encrypting the wrong data can be a waste of resources.
- Are you encrypting it in the application layer? If data is encrypted before it is even used, thieves who find it cannot use it.
- Are you centralizing key management on premises or in dedicated, single-tenant hardware? Do other parties control your keys?
- Are you securing application access to key management? Are you securing key management with hardware – and with multiple key custodians?
- Are your users strongly authenticating? FIDO is the strongest authentication protocol to date and is relatively easy to deploy.
These questions should be asked on a regular basis, adding to them as needed when technology evolves. From a basis of need, it’s more practical to identify the most mission-critical data and protect it—ideally through tokenizing and “removing” it from applications and databases, then protecting it through the strongest measures for key management.
Getting By or Getting Buy-in
Next, determine who owns the top risks and is accountable for results, and to whom they report. The buck may stop before reaching the C-suite, as many CxOs are involved in customer relationships only from an oversight perspective. When it comes time to present the assessment results to the decision-makers, some approaches may be more effective:
- Don’t Take It for Granted: If you’re operating under the assumption that your life goes on normally because someone else has the security box checked, it’s not going to end well for you. When security isn’t led from the top, it is likely to not be taken as seriously by others.
- Use the Bottom Line: Compare the cost of a data breach in raw numbers and the cost of implementing security. Talk to product representatives about the real threats of stolen IP. Talk to CEOs about the reputational damage of security mishaps. If you’re in the healthcare sector, remind them that the quality of care decreases for years after a breach, and mortality rates rise.
- Stay Positive: Instead of always going with “fear tactics”—talk about the goodwill that can be generated by creating a public image of taking security seriously. We are starting to see the very beginning of a movement related to valuing privacy as a brand (see Apple)—and perhaps security is not far behind.
- Don’t Dive Deep: Techies often fall into the trap of outlining ten different ways we need to help you—now! Convincing the C-suite typically happens via relationships, clear and concise communication, and establishing trust—all of which don’t always need the deepest technical dive possible.
Check Your Blind Spots
Think critically about who bears risk in popularly accepted products. Examples include risk of cloud deployments, deploying an enterprise-wide Identity Provider (IdP) solution in the face of privacy legislation, etc.
- Protocols like FIDO were designed from the ground up to protect privacy; IdPs break that privacy promise and see all the sites to which a user authenticates—this leads to the whole mess we have today with data brokers, breaches of consolidated data stores, etc.
- Laws like Europe’s General Data Protection Regulation (GDPR) and California's Consumer Privacy Act (CCPA) create new liabilities for businesses. Affected companies will not be given a choice of who bears the responsibility—and thus the liability—of stolen PII. Smart and able companies will indemnify themselves proactively, then be able to report with confidence that consumer data was never at risk.
- IdPs must improve their game while reducing their costs if they don't want to be squeezed by the biggest service providers on one side, and websites taking control of security and privacy on the other.
- RPs should take control of Identity and Access Management (IAM) functions. Many regulations include language that requires Key Custodians to prove that they have control of cryptographic keys that protect sensitive data—one cannot really outsource that function with a solid understanding of the inherent legal implications.
Can One Invest in More Technology to Improve Risk Assessments?
This is not a trick question; sometimes technology can completely solve for a risk. The most obvious risk that can be easily removed today is the weakness of password authentication; this is solved by using FIDO protocols, which will help your organization achieve the highest level of data protection.
Compliance is not a rubber stamp for “risk avoidance.” Multiple reports exist of companies that passed compliance but did not fully mitigate their risks. Risk management isn't about a checkbox on a compliance card—the attackers don't care about your compliance report. It is about working with someone who understands the nature of the beast and is unwilling to compromise for the sake of a few extra dollars. It is about caring enough for your security and your success, and being willing to go above and beyond to make that happen.