How to assess and manage the risks to your IT systems

The Information Security Breaches Survey, produced by the Department for Business, Enterprise and Regulatory Reform (BERR) in 2006, shows that although there were fewer security breaches than two years ago, the statistics are still worrying:

  • 62 per cent of UK businesses suffered a security incident in the last year.
  • Although the frequency of incidents has fallen, the average cost of a company’s worst incident was £12,000, compared with £10,000 in 2004. For a large business the average cost was over £100,000.
  • Although anti-virus and patching disciplines have improved, the threat from spyware has increased. One in seven severe breaches was the result of spyware.
  • Identity theft is also on the increase. Only 1 per cent of companies adopt a comprehensive identity management strategy.
  • Although the security of wireless networks has improved overall, two out of five wireless networks are unencrypted and one out of five has no security whatsoever.

Analysing the risks

Risk management is a structured way of controlling the risk to your IT systems. As part of this, risk analysis is a formal process for identifying risks, estimating their likelihood and impact, and developing a plan to treat them. A risk-analysis process involves:

  • understanding risks to the business and how they can occur
  • understanding the potential cost to the business if they do occur
  • identifying suitable and effective measures that reduce the likelihood of an incident, prevent or detect it when an attack occurs, and enable appropriate recovery action

Risk can be quantified in straightforward ways, as a combination of the threat, the vulnerability it could exploit, the likelihood that this happens and the resulting impact:

  • threats are identifiable through research
  • vulnerabilities can be determined through review, testing and audit
  • likelihood can be estimated from statistical research, such as breach surveys and your own incident records, bearing in mind that published figures are averages and should be adjusted to your own circumstances

Once you have agreed how risk is to be measured, assess the impact each security event would have on the successful operation of the business. Having done this, apply controls or countermeasures that reduce the risks to a level the business can accept. A control has a cost of its own, so compare that cost with the loss it is expected to avert: a countermeasure that costs more than the risk it addresses is not worth applying on financial grounds alone.
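The quantification described above, carried through as a worked example. This is an added example, not code or data from the original article or the BERR survey. It uses the standard annualised loss expectancy (ALE) method, ALE = single-loss expectancy (cost of one incident) x annual rate of occurrence, ranks the risks by ALE and then checks whether each proposed control averts more loss per year than it costs. All risk names, costs and reduction figures are constructed for illustration.

```python
"""Worked quantitative risk register.

Added example for this article, not the article's or BERR's own method or
data. It applies the standard annualised loss expectancy (ALE) calculation,
ALE = SLE x ARO, where SLE is the expected cost of one incident and ARO the
expected number of incidents per year. Every figure below is constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    sle: float  # single-loss expectancy: expected cost of one incident (pounds)
    aro: float  # annual rate of occurrence, taken from incident statistics

    @property
    def ale(self) -> float:
        """Annualised loss expectancy: expected loss per year with no control."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    risk: str             # name of the Risk it addresses
    annual_cost: float    # yearly cost of running the control (pounds)
    aro_reduction: float  # fraction of incidents it prevents (0..1)
    sle_reduction: float  # fraction of per-incident loss it removes, e.g. through
                          # faster detection and recovery (0..1)


def residual_ale(risk: Risk, control: Control) -> float:
    """Expected annual loss that remains once the control is in place."""
    if control.risk != risk.name:
        raise ValueError(f"{control.name} does not address {risk.name}")
    for fraction in (control.aro_reduction, control.sle_reduction):
        if not 0.0 <= fraction <= 1.0:
            raise ValueError("reduction fractions must be between 0 and 1")
    return (risk.sle * (1.0 - control.sle_reduction)
            * risk.aro * (1.0 - control.aro_reduction))


def net_benefit(risk: Risk, control: Control) -> float:
    """Loss averted per year minus what the control costs to run.

    Positive: the control pays for itself. Negative: it costs more than the
    loss it prevents and is not justified on financial grounds alone.
    """
    return risk.ale - residual_ale(risk, control) - control.annual_cost


def rank_risks(risks: list[Risk]) -> list[tuple[str, float]]:
    """Risks ordered by ALE, highest first: the order in which to treat them."""
    return sorted(((r.name, r.ale) for r in risks), key=lambda t: t[1], reverse=True)


def evaluate_controls(risks: list[Risk], controls: list[Control]) -> list[dict]:
    """Decide, per control, whether it is cost-justified against its risk."""
    by_name = {r.name: r for r in risks}
    results = []
    for c in controls:
        r = by_name[c.risk]
        benefit = net_benefit(r, c)
        results.append({
            "control": c.name,
            "risk": r.name,
            "ale_before": r.ale,
            "ale_after": residual_ale(r, c),
            "net_benefit": benefit,
            "justified": benefit > 0,
        })
    return results


# Constructed sample register for a small business (not survey data).
SAMPLE_RISKS = [
    Risk("spyware infection", sle=8_000.0, aro=1.5),
    Risk("wireless network eavesdropping", sle=20_000.0, aro=0.2),
    Risk("laptop theft", sle=2_500.0, aro=0.5),
]

SAMPLE_CONTROLS = [
    Control("managed anti-spyware rollout", "spyware infection",
            annual_cost=3_000.0, aro_reduction=0.7, sle_reduction=0.2),
    Control("enable WPA2 on all access points", "wireless network eavesdropping",
            annual_cost=500.0, aro_reduction=0.9, sle_reduction=0.0),
    Control("outsourced wireless intrusion monitoring", "wireless network eavesdropping",
            annual_cost=6_000.0, aro_reduction=0.95, sle_reduction=0.0),
    Control("full-disk encryption on laptops", "laptop theft",
            annual_cost=400.0, aro_reduction=0.0, sle_reduction=0.8),
]

if __name__ == "__main__":
    for name, ale in rank_risks(SAMPLE_RISKS):
        print(f"{name:35s} ALE = £{ale:,.0f}")
    for row in evaluate_controls(SAMPLE_RISKS, SAMPLE_CONTROLS):
        verdict = "justified" if row["justified"] else "NOT justified"
        print(f"{row['control']:45s} net benefit £{row['net_benefit']:,.0f} ({verdict})")
```

Run as a script it lists the register in treatment order (spyware first, at £12,000 a year) and shows that the cheap WPA2 change is worth making while the £6,000 monitoring service is not, because the risk it addresses only costs £4,000 a year in expected loss. The same shape works with qualitative bands in place of pounds: keep the ordering and the before-and-after comparison, and the decision logic does not change.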