Risk Avoidance – CompTIA Security+ SY0-401: 2.1

There are many ways to widen the gap between yourself and risk. In this video, you’ll learn some different strategies for avoiding risk in your organization.


In any organization you’re going to have risk. You have risk when you walk across the street. There’s risk when you drive a car. There’s risk when you go into business. And the real challenge is how you deal with that risk. There are things you can do, like risk avoidance. In an organization there may be things you’re doing where you just make a decision: that’s just too risky, we’re not going to do that anymore. You’ve seen this a lot in universities and colleges that generally have very open and broad access to the internet. And the problem is that people are taking advantage of that and downloading copyrighted materials, and the university is being served with legal papers. They may decide, you know what, having that open access to the internet is good, but we need to start avoiding that particular risk. And let’s turn off the ability to do BitTorrent, or the other types of peer-to-peer, through our internet connection. You have to make that business decision on whether that’s something that you can avoid, or whether from a business perspective you can continue with that risk.

Another way to deal with risk is to transfer the risk to someone else. If you’re concerned about the risk of a hurricane, perhaps we should get insurance, so that should a hurricane hit we would at least be covered for part of that cost. And buying insurance is a very, very common way to transfer the risk that you have to someone else. Of course, you have to make sure that’s a risk that can be transferred; not everybody’s going to want to give you insurance for a hurricane. Or if they do allow you to have insurance, it might be very, very costly. Again, that’s a business decision that you have to make.

Sometimes risk is OK. You’ve balanced out what is good and bad about that risk, and you’ve just decided, you know what, we’re fine with that. We’re not going to limit people’s access to the internet, or we’re not going to worry about buying that costly insurance for the hurricane; we’re just going to take that on ourselves. And as long as you’re aware of that, you can make a business decision associated with that. Accepting the risk is an absolutely proper thing to consider. There are also things you can do to help mitigate the risk. Maybe you can allow certain things to go through your network, you can allow people access to the internet, but maybe you should be scanning things on the inbound to make sure there are no viruses inside of that, and that nobody’s trying to take advantage of one of our servers, take advantage of a vulnerability.

So maybe we’ll buy some firewalls, some intrusion prevention systems to be able to mitigate that risk. So we’re spending money, we’re going through business processes because we want to be able to access the internet. But we’re going to put some things in place so if bad stuff comes through that link we’re going to stop it right there, and help mitigate, decrease, the risk level that we have associated with that activity. And ultimately, there may be a way to deter the bad guys from doing things that are risky in your organization, like a big dog. A big dog is a very, very good deterrent at home for security. Maybe it doesn’t work so well in an organization. Maybe instead you have a lot of fences, you have technical security, you have firewalls and intrusion prevention, maybe warning signs up on the outside that say, if you’re logging into this server, know that we’re watching what you’re doing. Sometimes just having a little bit of deterrence can go a really long way.