Identify risks and build your cyber-response program

When developing your cyber-response plan, you need to know which risks you need to be concerned about, based upon your business. Think carefully about who might want your data and why they would want it.

As you prepare the risk statement, it might help to break your risks out in these areas.

  • Natural or human risks, which can be either accidental or malicious
  • Physical risk, which can include lost or stolen devices, as well as broken locks
  • Technology risk, which includes all hardware and software
  • Data risk, by individual element, in every location the data resides and by each technical or human access method

Gathering this intelligence is crucial—each bit of data gives cyber criminals fodder they can steal, sell, hold for ransom or use as a weapon.

Just as each bit of data carries risk, each has a value. Simple personal data such as name, email address or phone number are all valuable. If the data spans nations, it has more value. Add health information, Social Security numbers, any financial data and the bounty goes up even more. Top that off with background-check data, military records and special categories of data such as religion, sexual orientation and political affiliation, and the value of the data increases exponentially.

Look at the data you have amassed about each employee, and then imagine the data those individuals may have volunteered through social media and other Web venues. When gathered in one place, these paint a picture that can be very useful in making money and wreaking havoc. Each location where that data is stored increases that risk.

Your infrastructure and all your applications have vulnerabilities too—no hardware or software is without flaws. Knowing the threats, vulnerabilities and control weaknesses should make you wary of storing information in multiple locations, as each adds to the threat landscape.

A huge risk is posed by access; each person who accesses your data increases the risk. Unfortunately, humans are often the weakest link in the cybersecurity chain, and IT security professionals often say that insider threats, whether deliberate or accidental, are some of the most prevalent.

Knowing that threats can include your employees, and that data accessed through employees is susceptible to virus and malware infections through simple spam and phishing attacks, should make the principle of need-to-know, or least privilege, easy to enforce.

Want to learn more? Download your free guide, How to Develop an Effective Cyber-response Program, today.