Of course, it is always clear that “risk” is the possibility of something inappropriate happening. What is not clear is how likely it is, what its nature is, and what damage it can do to an organization.

Betting on any event means the possibility of financial loss – the wrong result. Deciding whether we want to take this risk means calculating the odds of winning or the odds of losing. We can implement measures to reduce the possibility of danger and establish strategies to manage possible unpleasant results.

Information security management means being aware of all the elements involved in a specific risk and how they relate to your organization (the company itself, its web presence, and so on). This is the essential basis for calculating risk. Knowing the threat means being able to assess it: we can then choose whether to accept it, wait and see, or simply avoid taking it.

In the field of information security management, professionals must answer four main questions:

1. What can happen (threat)? Private customer information (especially, but not only, credit card numbers) can be stolen through an insecure network, through cracked passwords or flawed cryptography, or by undependable employees.

Web pages can be hacked and inappropriate content can be displayed. Business processes could be affected by web attacks, blocking normal business operations.

Identifying risk points is the main task of information security management professionals. Because most of these professionals have a technical background, there is a natural bias toward focusing on technical problems. In fact, there are often a myriad of ways to attack a computer system.

2. How bad can it be (impact)? Companies are responsible for keeping private information secure. Failure to keep this information secure can result in costly claims. Disclosing intellectual property through security negligence can result in an undue competitive disadvantage.

The company’s reputation can be seriously damaged. Cash flow can drop for the entire duration of a web attack on company servers, and typically for some time after the fact.

3. How often can it occur (frequency)? The short answer is: much more often than you think. The absence of bad news in the newspapers should not lull you into a false sense of security.

Sometimes the victim does not even know that the company has been hacked. Of course, if a credit card has been charged without authorization, the cardholder will demand a refund. However, it is not always clear where the security flaw lies.

In other cases, a company’s intellectual property has been illegally copied and used without consent. In many cases, the rightful owner won’t even have a clue about this problem.

4. How dependent are the answers to these three questions (uncertainty)? Although you can be sure that the risk exists, there is no easy way to estimate how often it occurs. You can be sure that it happens, you can’t know when and where.

Consider the security of your company’s virtual data and have an information security management professional assess the gaps. If you take a “wait and see” approach, you risk an attack on your company documentation, databases of proprietary information, and perhaps intellectual property.
