I walked into a business the other day. After a long conversation about the client’s need for cybersecurity and the implementation of the ISO27001 security standard, we talked about their risk appetite.
"We don't accept any risk. We're risk-averse," said the CEO. But is this achievable?
Given the complexity of our modern world, with diversity in the people, locations, services and technologies, can any organisation be totally risk-free, and therefore, can any business be totally free of the risk of a data breach?
The simple answer is no. It's not possible.
What is Risk?
Why is the topic of risk so important? Because it is at the heart of everything we do. We are ALL risk managers and risk takers. Allow me to illustrate:
- Going for a jog? – Risk of injury, health issues arising, being late for a meeting.
- Crossing the road? – Risk of tripping, being hit by a car/pedestrian/cyclist.
- Making a cup of tea? – Risk of burns, spillages, not getting it right for your partner!
- Starting a business? – Risk of failure, growing too quickly, neglecting personal life.
- Going on holiday? – Risk of bad hotel or terrible weather.
- Driving to work? – Risk of accident, car problems, traffic delays.
- Running a business? – Risk of wrong/poor services, losing clients, data breaches.
These are just some of the possible examples. But the list goes on. We are taking risks from the moment we wake to the moment we go to bed at night.
Risk is unavoidable; therefore, we have to accept some level of risk and focus on the ones we cannot fully control. What we are actually looking to do is manage our exposure to risk.
Can organisations be free from the risk of a data breach?
Even though I'm a cybersecurity consultant, helping organisations to implement frameworks like ISO27001, ISO27701 and others, I am at pains to tell people there is no such thing as 100% secure.
If this news shocks you, please refer to the previous section: there is no such thing as 'risk-free'. Look back at the previous list, and you'll see that the majority of the examples I've given rely solely on you and the decisions you make, except for the last three: going on holiday, driving to work and running a business. Consider all the 'moving parts' involved in driving to work, going on holiday or running a business. You're relying on forces beyond your control, such as the weather, local or national disturbances, industrial disputes, other road users, vehicle maintenance, market fluctuations, the economy, clients, suppliers, technology and your own employees.
Risk would be so much easier to manage if you were making all the decisions and taking all the actions. But most often, you're not. In business, it's impossible to operate in a vacuum; therefore, the risk of something going wrong grows exponentially with the size and complexity of your infrastructure (both physical and technical).
If data breaches are an inevitable risk, what can we do?
At this point, I'm going to sound as if I'm contradicting myself: I'm not saying you are 100% guaranteed to have a breach. I am saying that you're 100% more likely to have a breach unless you manage the risk appropriately.
This may sound like semantics, but managing risk of any kind is about understanding the likelihood of something occurring and what the impact will be on you and those you care about.
Therefore, we are trying to reduce either the likelihood or impact of the risk occurring. It's rare to affect both, but if we can reduce the possibility of a risk occurring, that's a great place to start. If we feel the risk is inevitable, then reducing the impact of that risk is where we should focus our attention.
The key here is to have some form of risk management process in place, where risks are identified, their impact and likelihood assessed, and the controls you have in place to manage the risk fully understood.
Conclusion – We are ALL in the business of risk
When organisations tell me that they don't have a risk management approach, I know that it typically means the approach is not formalised or documented. We are all in the business of managing risk. We need to manage our exposure to the risks we face, and demonstrate that we have done something to control them.
In the UK, the Information Commissioner's Office (ICO) governs the UK Data Protection Act and UK GDPR. If you are unlucky enough to have a data breach, they will fundamentally want to know four things:
- What happened?
- What did you do to prevent it?
- What did you do when it was discovered?
- What are you doing to prevent a reoccurrence?
Having a good answer to each of these is incredibly important. But the answer to the second point should focus on the fact that you considered the risk and put in place appropriate technical and organisational controls to reduce the likelihood or impact of it occurring.
Risk is an inevitable part of life. If we accept the fact that there is no such thing as 'risk-free', the only question we have to answer is: "What are we doing to manage our risks appropriately?"
You can follow Gary on Twitter here: @AgenciGary
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.