The Issue
With most businesses viewing their Information Technology systems as crucial to their success, it seems incredible that some 52% of companies [1] do not carry out any formal security risk assessment. It is questionable how any company can successfully guard against the risks to its systems and the company and customer data that it holds if it does not even have an awareness of the specific risks it faces. The potential dangers to any organisation will vary depending on the nature of its IT use, its particular clients and employees and the market in which it operates, but a failure to understand and plan for these dangers will inevitably leave the organisation exposed. This brief paper considers the main issues in this area, focusing on the relevant legal concerns and possible consequences, but it should be noted that this is not a comprehensive study of the topic and detailed legal advice should always be sought in specific situations.
IT Security Risk Assessment Processes
An IT security risk assessment can take many forms, from a very informal, "stop-gap", review to a detailed and considered assessment, possibly involving an independent third party assessor, across an organisation's entire IT system. What is most appropriate for a particular business will depend on the nature of the organisation and the specific threats that it faces, but the importance of conducting at least some form of assessment cannot be stressed too highly. Many organisations choose simply to have a dialogue between their senior management and internal security teams but some form of assessment is essential. With a finite amount of money available to any business for its Information Security solutions, a failure to conduct an appropriate security risk assessment is likely to mean that any response to the dangers posed is incomplete, ill-focused and ultimately at least a partial waste of money.
Legal Implications
The legal implications of a failure to conduct a security risk assessment can be varied; for example, an organisation in the financial services sector will obviously face very high levels of risk but significant damage (financial, organisational and damage to brand) can hit businesses across many sectors.
Tender requirements
Companies which tender for contract work may find that, when participating in the bidding process, they are required to disclose details of their policies and procedures, including whether a security risk analysis or assessment has been conducted. This is often particularly true in relation to public sector work and can be a powerful commercial driver for Information Security teams to use when raising this issue with senior management.
Employee misuse/monitoring
With employee access to corporate Internet and email systems being almost universal, the dependency of organisations on these systems as a business-critical application has increased massively. This leaves employers grappling with the consequences of growing employee Internet and email misuse, alongside emerging threats such as Instant Messaging and online social networks. Most employers focus their attention on external threats, such as spam and viruses, but they should not lose sight of the damage that may flow from the loss of confidential or sensitive corporate/client data by employees either wilfully or carelessly disclosing such information. While organisations may be reasonably aware of the importance of monitoring employee email use, the emerging threat of Instant Messaging, where there are few controls, presents a further challenge.
Business continuity
The phrase "disaster recovery" frequently seems unnecessarily dramatic, but there is no doubt that those organisations that were hit by the major UK floods of July 2007, causing severe disruption to business continuity, will take the issue seriously now if they did not do so before. Such events have highlighted the risks to companies and awareness of the need for secure back-up of data, frequently held in off-site storage, is now high.
Data Protection
Not only can such disruption cause severe commercial damage to businesses, but there can also be implications in respect of the Data Protection Act. Both employees and clients/customers of businesses have rights under the Data Protection Act in respect of their personal data held by businesses (which are described for these purposes as "data controllers"). Data Controllers are obliged by law to take appropriate technical and organisational measures to prevent the accidental loss or destruction of personal data. The law in this area is regulated by the Information Commissioner, who has publicised high-profile failures where organisations, such as financial institutions and NHS trusts, have been careless in the way they hold data; this might include, for example, the storage, archiving and destruction of data. The Information Commissioner can issue orders to organisations to force compliance with the Data Protection Act and a failure to adhere to an order issued by the Information Commissioner would leave the organisation open to criminal prosecution and ultimately fines for non-compliance.
Policies
It will be obvious that if an organisation has given little or no thought to the risks it faces, its strategy for dealing with those risks will be flawed. An obvious risk may be ignored and Acceptable Use Policies ("AUPs") and other procedures for dealing with the risks may not be properly aligned to the particular concerns the business should be facing. In consequence, if a business then calibrates its security solution to enforce the AUP as drafted, the organisation will be left exposed to risk both in terms of the written policy and the technical solution. This can mean that, when faced with a security breach, the business finds that it is unable to take effective action; the security solution has not prevented the breach and the AUP may not provide sufficient grounds for the employer to take steps against employees involved in the breach.
Keeping defences up to date
Complacency is perhaps the biggest danger when it comes to renewing security solutions. For example, is the organisation's anti-virus software sufficiently up to date to cope with the ever changing developments in the field of Malware? There may be significant delays between new patches becoming available and the organisation actually installing and updating the solution, which clearly leaves the business exposed for that interim period. Should an organisation in this position suffer, for example, a virus attack, the commercial and legal implications could be severe. Not only would the business suffer significant disruption, but it may also run the risk of legal proceedings for having failed to implement an appropriate level of security.
Minimising the risks
Clarity of thought is crucial in assessing the particular risks that the business needs to address. The business must consider what process of assessment it will follow and agree this between the senior management and the Information Security team. This process may be informal, but frequently organisations are assisted in developing an effective strategy by committing the agreed approach to writing in a formal security risk assessment document. While 81% of companies report that their Board of Directors gives a high priority to information security, only 55% of companies in fact have a documented security policy. IT Directors will probably sympathise, as they often find that getting buy-in from senior management to what they are proposing is difficult, with competing calls on the company's budget and those not related to the IT sector viewing security solutions as "out of sight and out of mind".

Organisations cannot overlook the human factor in any security risk. It is extraordinary how frequently and easily employees can be persuaded to divulge their security login details to others, or alternatively how often they write passwords down and leave these on a sticky note on their desk. Whilst companies will never be able to completely eliminate the risks inherent in lapses by individual employees, it is important that employees themselves are aware of the risks that an organisation faces and their role in combating those risks. Employers need to guard against the perception frequently held by employees that security is a barrier to them doing something that is either necessary or desirable, so this is an issue where education is vital.

The costs involved in dealing with security breaches can be significant and of course this is not just a calculation of pounds and pence. Dealing with an incident can have brand damage consequences, involve significant amounts of management time and cause huge disruption to the smooth running of the business.
The BERR report referred to above recorded that the average total cost of a typical UK company's worst security breach incident was between £10,000 and £20,000. This type of statistic may assist IT Directors in getting buy-in from senior managers as to the importance of conducting appropriate risk assessments, tailoring policies to meet specific needs and implementing the best technical solution.
Conclusion
There is always a temptation to avoid taking action until the need becomes urgent but, as in so many areas of corporate risk, pre-empting the danger can save businesses money in the long-term. What is required is a determined effort by IT teams to bring home to senior management the possible consequences of a security breach; to engage in a dialogue to overcome what may be a lack of understanding and awareness amongst those managers; and to educate not only the managers, but also employees, as to why an appropriate risk assessment is essential to protect the interests of the entire business. With the dependence on IT systems within all businesses becoming even more widespread, for an organisation to fail even to consider the internal and external threats posed to its network is an act of folly that could cost the business dearly. As with other risks, organisations may only appreciate the true cost of inaction when it is too late to prevent the damage being done. As a minimum, businesses should therefore:

1. Conduct a security risk assessment, analysing the risks specific to the organisation.
2. Tailor the organisation's AUP and software solutions accordingly.
3. Educate managers and employees as to the risks and why steps must be taken to safeguard the business.
4. Maintain a dialogue between Information Security and senior management teams so that the risks, and the defences needed, continue to be understood.
5. Review the organisation's strategy regularly in the light of emerging threats such as Instant Messaging.

MessageLabs Hosted Services provide an easy and affordable way to secure, control and manage email, web and instant messaging communications. Cheaper, quicker and easier to deploy than in-house solutions, MessageLabs Hosted Services deliver proven technology from a market leader, allowing IT Managers to free up resources and concentrate on running their business.
This article is kindly provided by MessageLabs