Risk Management Types – SY0-601 CompTIA Security+ : 5.4

Every organization participates in some type of risk management. In this video, you’ll learn about risk assessment, multi-party risk, and risk management strategies.

If you’re assessing risk in your organization, then you need to identify all of the assets that could be affected by some type of security event. If you know the risk associated with the asset, you can then start making business decisions on how to better protect that asset. This might be hardware that you own, it could be customer data that you have in a database, or it could be the intellectual property of your organization. We should also understand what the results of this threat might be. We may lose data if we have a particular security event, there could be a disruption of services especially if there’s a denial of service or an outage of some kind, and all of these need to be considered when we’re deciding how to deal with risk in our organization.

We should also determine the severity of the risk. Is this something that has a very low risk, or is this something with a very high risk? That’s certainly going to affect what plans we put in place associated with that risk. And we need to consider the total risk for the entire organization, including this risk going forward. Things that happen today can have long-lasting repercussions, and we need to have the right security tools and processes in place to deal with these risky situations.

Many times we think of risk as something that’s external. This might be a hacker group that’s trying to gain access to our data, or this might be a former employee who has an understanding of our infrastructure and is using that knowledge for their own personal gain. But these threats could also come from inside your organization. It might be the employees who come to work every day and sit at a desk inside your building, or it could be partners who take advantage of the access they already have to your network.

We often hear of disgruntled employees who have access to the internals of our network and use that access to create a security event. And if you don’t pay attention to the assets that you currently have, those assets could be used against you. If you have legacy systems that may be running outdated operating systems or older software, you may find that those devices are no longer supported by the manufacturer, and there may be significant security concerns with the software running on those systems. As these devices become older, it becomes even more difficult to find security patches, and it’s often better to replace these legacy systems with something that can be better supported.

Sometimes security breaches may involve more than just one entity. It could be that your organization and many others are involved because all of your networks are connected in some way. An example of this occurred in May of 2019 with the American Medical Collection Agency. This was an organization that provided debt collection for many different organizations and they had a data breach on 24 million individuals. This collection agency handled services for 23 health care organizations. So that one data breach now affected 23 other companies who then had to reach out to their customers and let them know that their data had been compromised.

We spoke earlier of intellectual property theft, and this can be significant if your organization has a lot of IP, such as ideas, inventions, and creative expressions. Third parties could gain access to your intellectual property through no fault of your own. It could be that someone made a mistake in how they set up permissions in the cloud and now all of that information is available to the world, or it might be someone who is actively hacking your systems in order to find this intellectual property, or it may just be someone inside the company who has access and decides to take advantage of that access. If you haven’t already identified what intellectual property you might have, that would be a great place to start so that you can then protect that IP. And you want to be sure that you educate your employees and increase your security as it relates to this intellectual property.

Another risky area of concern is software compliance in your organization, or how you handle application licensing. You don’t want to be in a situation where you have too few licenses and your employees aren’t able to do their job, or, perhaps even worse, you’ve spent way too much money purchasing licenses that are unneeded in your organization. If you’re not following the correct licensing, you’re either losing money by overpaying or losing money by not having the resources you need. It’s important to understand exactly what your licensing requirements are and to make sure that you’re purchasing and managing those licenses properly.

So now that you understand the risk, how do you manage that risk? It may be that you manage it by saying, we’re fine with where we are and we’re not going to make any other changes. For example, you know that a third party could perform a phishing attack against your organization, but you already have anti-phishing software installed on everyone’s machines. You could decide to train everyone specifically on the concerns associated with phishing, but of course there is a financial requirement for that, so you could decide to accept the existing risk and rely on your software instead of training your users.

You could also make changes to your business processes so that you are no longer participating in these risky activities. For example, you could choose to stop using certain outdated applications in your environment and use alternatives instead. Some organizations are very concerned about risk, especially as it involves malware and ransomware. Instead of taking the full risk of those situations should they occur, they’ll instead choose to purchase cybersecurity insurance, which might help financially if one of those events does occur. Or we may decide to decrease the risk level through mitigation: we can purchase additional software and hardware to help prevent these types of security events from occurring.
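As an added example that is not part of the video, here is a small Python risk register that walks through the assessment steps above (asset, threat source, consequence, severity, organization-wide total) and applies the four strategies just described. The 1-to-5 scales, the likelihood x impact score and the way each strategy reduces the score are assumptions for illustration, and every register entry is constructed.

```python
from dataclasses import dataclass

# Constructed example register. Scales and formulas are assumptions, not the
# video's: likelihood and impact are rated 1 (low) to 5 (high); the risk score
# is likelihood x impact, so it ranges from 1 to 25.
@dataclass
class Risk:
    asset: str            # what could be affected (hardware, customer data, IP)
    source: str           # "external", "internal" or "partner"
    consequence: str      # what the event causes (data loss, outage, ...)
    likelihood: int       # 1-5
    impact: int           # 1-5
    treatment: str        # accept | avoid | transfer | mitigate
    reduction: float = 0  # fraction of the score that insurance or a control removes

def inherent(r: Risk) -> int:
    """Score before any strategy is applied."""
    return r.likelihood * r.impact

def residual(r: Risk) -> float:
    """Score left after the chosen strategy (assumed model)."""
    if r.treatment == "accept":                    # keep the risk, change nothing
        return float(inherent(r))
    if r.treatment == "avoid":                     # stop the activity, nothing left
        return 0.0
    if r.treatment in ("transfer", "mitigate"):    # insurance or added controls
        return inherent(r) * (1 - r.reduction)
    raise ValueError(f"unknown treatment {r.treatment!r}")

def severity(score: float) -> str:
    return "high" if score >= 15 else "medium" if score >= 8 else "low"

def total_risk(register):
    """Organization-wide inherent and residual totals."""
    return sum(inherent(r) for r in register), sum(residual(r) for r in register)

def needs_attention(register, threshold=8):
    """Assets whose residual score is still at or above the threshold."""
    return [r.asset for r in register if residual(r) >= threshold]

REGISTER = [  # constructed entries modelled on the scenarios in the text
    Risk("user workstations", "external", "credential theft via phishing", 4, 3, "accept"),
    Risk("legacy file server", "internal", "unsupported OS exploited", 4, 4, "avoid"),
    Risk("all servers", "external", "ransomware outage", 3, 5, "transfer", 0.6),
    Risk("customer database", "internal", "insider data theft", 2, 5, "mitigate", 0.5),
    Risk("collection vendor", "partner", "breach of shared records", 3, 4, "mitigate", 0.25),
]

if __name__ == "__main__":
    for r in REGISTER:
        print(f"{r.asset:20} {r.treatment:9} {inherent(r):3} -> {residual(r):5.1f} {severity(residual(r))}")
    print("totals (inherent, residual):", total_risk(REGISTER))
    print("still needs attention:", needs_attention(REGISTER))
```

Accepted risks stay in the register at full score, which is what makes the "still needs attention" list useful for revisiting decisions like the phishing one over time.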