Top 10 common IT risk assessment errors

When enterprises try to make better decisions on IT security, the most important thing is IT risk assessment. However, although enterprises carry out risk assessment, they often encounter some errors, which greatly reduces the effectiveness of risk assessment. The following are 10 risk assessment errors that enterprises need to avoid.

　1. missing third-party risk assessment

Most IT risk experts believe that most enterprises do not assess the risks of the infrastructure of suppliers and other partners, which usually touch the most sensitive data of enterprises.

Brad Johnson, vice president of SystemExperts, a consulting firm, said, "Many companies are not doing enough to manage relationships with third-party suppliers. When an enterprise does not perform its due diligence (whether before or after the contract is signed), it is bound to miss the key details, which will increase the risk. For example, a customer company may not know that its suppliers store its regulated data on the public cloud ."

　2. Evaluation is too quantitative

True, analysis and figures are important for risk assessment. However, enterprises need to understand that this digital game does not need to be perfect, especially when it comes to evaluating the impact of security leaks.

"The evaluation of the impact of security incidents makes it easier for enterprises to discuss and focus on how to mitigate risks, rather than spending a lot of time discussing whether the impact is worth $20 million or $21000, dwayne Melancon, chief technology officer of Tripwire, said, "When you determine that the impact of an accident is catastrophic, painful, or no big deal, you can discuss how much you want to spend to mitigate the most serious risks."

Excessive analysis may drag down the entire evaluation process. Enterprises should avoid taking too long to classify risks. Manny Landron, Senior Manager of security and compliance for the SaaS division of Citrix Secure File, said that there are also some qualitative risk factors that enterprises need to find a way to incorporate into the evaluation. "Too narrow focus, strict quantitative measurement, no framework, and insufficient periodic risk assessment are all errors that enterprises need to avoid ."

3. The evaluation looks too short

This is no exception, said Jody Brazil of FireMon, a firewall management company. Most large enterprises tend to ignore key assets and evaluation indicators in their risk assessment. He said, "the most common problem is that the vulnerability is identified as a" risk "and there is no other information. For example, the vulnerability may provide access to or be exploited to Data, it is also possible to mark an individual as 'Risky 'without marking a specific risky asset."

Most companies do not track their infrastructure assets to evaluate them well. More importantly, even if they often assess the complete dataset, it is usually carried out in separate isolated islands, making it difficult to understand the interdependence.

"Sometimes the evaluation focuses on very specific applications, but doesn't look at the entire infrastructure, for example, the evaluation may only check the applications that protect the database, rather than the overall computing control, such as encryption, firewall, authentication and authorization."

4. The evaluation did not consider the business background

IT risk assessment is based entirely on background knowledge, whether IT is the system or business situations mentioned above. If an enterprise does not add vulnerabilities and threats to the background knowledge of information assets, their importance to the business cannot be truly reflected in the risk assessment.

Amad Fida of Brinqa, a big data risk analysis company, said, "when evaluating risks, the Chief Information Security Officer often lacks an understanding of the business background. In other words, they need to ask, 'What data is accessed and Its Influence on the business? 'The business analysis results are not considered to provide a technical point of view, rather than the business plus technology point of view ."

5. IT risk assessment is not included in Enterprise Evaluation

Similarly, enterprises need to understand the interaction between IT risks and all other risks. Generally, enterprises regard IT risks as their own risk categories without considering their broader impact.

Johnson of SystemExperts said, "More and more risk-aware enterprises are realizing that IT is part of their business success. They are all trying to ensure that IT is involved in business risk conversations, many enterprises have cross-functional teams. They check risks as a whole to better understand dependencies. These teams recommend that enterprises focus on risks from the business perspective."

6. No assessment or missing Assessment

Experts warned that the current risk assessment by enterprises is often insufficient. This is the only way to respond to changing threat environments. Luke Klink, a security consultant at Rook Consulting, said: "regular risk assessments allow enterprise managers to effectively use their security budgets. Through detailed risk assessment, we no longer need to use the "spray and pray" protection method, but to implement real risk management in actual ways ."

Currently, the most advanced enterprises are conducting continuous monitoring based on the NIST method to better understand the environment and improve the evaluation interval. He said, "This method provides better visibility into risks, response readiness, and minimizes overall risks. In reality, security risk ing Gu should continue, even embedded in the event response management process of an enterprise, each event triggers a high-level risk assessment. If key risks are identified, enterprises can perform more detailed risk assessment ."

7. Too much reliance on evaluation tools

Automated tools to help enterprises continuously monitor IT assets should not be the full scope of risk assessment. This is because some risks must be discovered through in-depth mining through manual penetration tests. Benjamin Caudill, founder and chief consultant of the Rhino Security lab, said: "In general, the most important risk can only be found through specialized manual analysis, such as the logical defects of the website. The Chief Information Security Officer should pay attention to this issue, because relying too much on risk assessment tools will bring false security and cannot identify some vulnerabilities ."

8. Perform a vulnerability-centric Assessment

When enterprises assess technical vulnerabilities to determine risks, they often forget that the security or insecurity of data is a risk factor, rather than a system that carries data.

Barry Shteiman, Security Strategy director of Imperva, said: "risk assessment is usually vulnerability-centric, not data-centric. IT usually chooses to protect Platforms containing data, without really understanding what data is contained in the system, and who is accessing or accessed the data."

Enterprises should keep in mind that the impact of vulnerability risk factors on internal network infrastructure may not be as high as that of users accessing IP addresses or infected with IP addresses.

9. Forget to measure people's risks

Similarly, companies must remember that system and software vulnerabilities are just a component of risk assessment, says Joseph steberger, CEO of Green Armor Solutions. The impact of human behavior patterns on risks may lead to ineffective final risk assessment results. For example, the risk assessment may confirm that only the right person can access sensitive data. However, the evaluation may not assess whether employee training is conducted to protect data.

10. forget to consider the physical security of the device

When an enterprise runs its evaluation, physical security is often overlooked. Physical security of facilities usually directly affects internal technical assets. Physical security not only affects the security of employees, devices, or hard copy data assets, but may also be used to implant secret devices to allow attackers to launch attacks remotely.