Every day we hear new stories about data breaches and cyber threats. Medium to large companies are starting to see information security as an essential part of their operations. While some are still taking a reactive and piecemeal approach, others are starting to understand that a comprehensive risk management program is needed. Information security threats come in many forms, via many avenues, and they are evolving rapidly. Risks need to be identified, treated, managed and monitored over time – this is risk management.
So how is your personal information security? No doubt you have a lock on your door and probably have anti-virus software and firewall software installed, but what else? Do you understand your risk exposure and have remedies in place to deal with the worst risks? Most of us have personal information that may be on work or private computers, smartphones, tablets or other devices. Perhaps you have a folder at home containing important documents, passwords, bank statements and birth certificates. What would happen if this information were lost, damaged or stolen? What would happen if you lose your laptop, or if your house burns down with all of your important documents inside?
Taking a risk management approach to your information security will enable you to identify and prioritise risks and then treat the most important of these risks.
To get you started, here’s a simple risk management assessment and mitigation process that you can use as an individual, or even as an employee.
- Assets. The first step is to identify your assets at risk; these could be computers and other devices, tax records, identification documents and employee records. Next, take your asset list and classify each item according to sensitivity. For example: critical, secret, confidential, important and public. Choose a scale that works for you. Try to think about all the different places where you have sensitive information: in the home, at the office and stored online.
- Identify. To identify risks you can use the “if/then” statement approach. For example, a risk could be “if my password records are discovered, then a criminal will be able to use my online bank account to transfer money on my behalf”. Don’t go overboard; limit yourself to 20 risks.
- Impact. Next, assess each risk in terms of its impact on your life, employment or business, and in terms of its likelihood. You could use a scale of 1 to 10 for each attribute (likelihood and impact) or use a qualitative assessment. For example, you may judge that the risk of somebody breaking into your house and stealing your computer has a low likelihood of 3/10 but a high impact of 8/10. Or, you may simply record that the likelihood is “low” but the impact is “high”.
- Prioritise. Now you are ready to prioritise your risks: higher risks at the top and lower risks at the bottom.
- Treat. You now have a list of classified assets and prioritised, analysed risks. The next step is to treat these risks. For each risk, consider whether you want to mitigate, accept, transfer or eliminate it. This is when you decide to install an antivirus application on your computer or add an extra bolt to your front door. The mitigation of a risk may also be the establishment of a new process, like checking your bank account online every week to identify any abnormal activity. You may also decide to accept some risks, or to transfer a risk by buying insurance coverage. Now you are able to manage your risks systematically and rationally. No more charging out to buy some new piece of software that may not actually deal with your most important risks.
- Monitor. The last step is to “continuously” monitor your risks and treatments. Periodically, go back to your asset classification, risk assessment and treatments and re-analyse the lists. Have they changed? Do they need adjustment or removal? Do you need to add new risks?
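The six steps above as a small risk register, added here as an example rather than anything from the original post: it scores each “if/then” risk on the 1-to-10 likelihood and impact scales (or the qualitative labels), sorts by the product, records the treatment decision and caps the list at 20. The mapping of “low/medium/high” onto numbers, the function names and the sample risks are assumptions made for this example.

```python
"""Tiny personal risk register for the six steps above (constructed sample data)."""
from dataclasses import dataclass

QUALITATIVE = {"low": 3, "medium": 5, "high": 8}  # assumed mapping onto the 1..10 scale
TREATMENTS = {"mitigate", "accept", "transfer", "eliminate"}
MAX_RISKS = 20  # the "don't go overboard" limit from step 2

def to_score(value):  # accepts an integer 1..10 or a qualitative label
    if isinstance(value, str):
        value = QUALITATIVE[value.lower()]
    if not 1 <= value <= 10:
        raise ValueError(f"score must be 1..10, got {value}")
    return value

@dataclass
class Risk:
    asset: str        # step 1: the asset at risk
    statement: str    # step 2: the "if ... then ..." statement
    likelihood: int   # step 3: 1..10
    impact: int       # step 3: 1..10
    treatment: str = "undecided"  # step 5: one of TREATMENTS

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

def add_risk(register, asset, statement, likelihood, impact):
    if len(register) >= MAX_RISKS:
        raise ValueError(f"limit yourself to {MAX_RISKS} risks")
    register.append(Risk(asset, statement, to_score(likelihood), to_score(impact)))
    return register[-1]

def prioritise(register):
    """Step 4: highest score first; equal scores keep the order they were entered."""
    return sorted(register, key=lambda r: r.score, reverse=True)

def treat(risk, decision):
    """Step 5: record the decision; step 6 is re-running prioritise() at each review."""
    if decision not in TREATMENTS:
        raise ValueError(f"unknown treatment {decision!r}")
    risk.treatment = decision
    return risk

if __name__ == "__main__":
    reg = []
    add_risk(reg, "home computer", "if my house is burgled then my computer is stolen", 3, 8)
    add_risk(reg, "home computer", "if the hard drive crashes then my data is gone", "medium", "high")
    for r in prioritise(reg):
        print(f"{r.score:>3}  {r.asset}: {r.statement} [{r.treatment}]")
```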
This process may seem complicated and long at first. It does not have to be on paper at the beginning; you can start by following it mentally. You will be surprised by the findings. Many of us will discover that all our important personal information is on our private computer, but that no backup is in place if the hard drive crashes. If you are very active online, you may decide that the way you record passwords is too risky and conclude that you need a proper password management solution.
What’s important is that you develop a non-reactive, systematic approach to understanding and managing your particular risks. You can’t achieve this by doing random improvements or by copying what someone else is doing. To be effective, risk management needs to be specific to your situation and maintained over time.