Risk Assessment: Seven Myths Busted

Concepts that we don’t fully understand are usually surrounded with lots of stereotypes. One of the greatest myths of all time, the concept of a Flat Earth that stands on the backs of three elephants, was based entirely on old prejudice, yet a lot of people believed in it. Some myths about risk assessment are equally naive; however, many organizations continue to develop their security policies in accordance with these stereotypes, which undermines their security posture and makes them more vulnerable to cyber threats.

Netwrix is ready to prevent IT pros from falling into the trap of existing myths around IT risk assessment. Below, we summarize the most widespread misconceptions that prevent organizations from carrying out risk assessment properly:

Myth #1. IT risk assessment is a very expensive and complicated activity.

WRONG. The complexity and cost of risk assessment depend on the scope and the processes involved. There are actually many easy ways to perform risk assessment, such as using a risk assessment matrix to evaluate and prioritize risks based on their impact on the IT infrastructure. Even simple measures, like maintaining a spreadsheet with risks labeled low, medium and high, can help you evaluate your security posture without buying anything or hiring any consultants. If you opt for an IT risk assessment software solution, be sure to look for automation and integration capabilities that will streamline implementation and use.
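To show how little tooling a first pass actually needs, here is an added example (not code from the Netwrix article) of the spreadsheet-style risk register and likelihood x impact matrix described above. The 1 to 5 ordinal scales, the low/medium/high score thresholds, the CSV column layout and every sample risk are constructed assumptions; substitute your own scales and entries.

```python
"""Risk register with a likelihood x impact matrix (added example, not Netwrix code).

Constructed assumptions: the 1..5 ordinal scales, the low/medium/high
thresholds, the CSV layout and every sample risk in SAMPLE_CSV.
"""
import csv
import io
from dataclasses import dataclass

# Ordinal scales (assumed); any consistent, documented scale works the same way
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Band thresholds on the 1..25 product (assumed)
HIGH_THRESHOLD = 15
MEDIUM_THRESHOLD = 6


@dataclass(frozen=True)
class Risk:
    name: str
    asset: str
    likelihood: str
    impact: str

    def __post_init__(self):
        # Reject typos in the register when it is loaded, not halfway through scoring
        if self.likelihood not in LIKELIHOOD:
            raise ValueError(f"{self.name}: unknown likelihood {self.likelihood!r}")
        if self.impact not in IMPACT:
            raise ValueError(f"{self.name}: unknown impact {self.impact!r}")


def score(risk: Risk) -> int:
    """Matrix score = likelihood x impact, range 1..25."""
    return LIKELIHOOD[risk.likelihood] * IMPACT[risk.impact]


def band(value: int) -> str:
    """Map a score to the low/medium/high label a spreadsheet register would carry."""
    if value >= HIGH_THRESHOLD:
        return "high"
    if value >= MEDIUM_THRESHOLD:
        return "medium"
    return "low"


def load_register(csv_text: str) -> list[Risk]:
    """Parse a spreadsheet export with the columns name,asset,likelihood,impact."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [
        Risk(row["name"].strip(), row["asset"].strip(),
             row["likelihood"].strip().lower(), row["impact"].strip().lower())
        for row in reader
    ]


def prioritize(risks: list[Risk]) -> list[Risk]:
    """Highest score first; ties broken by impact (worst first), then by name."""
    return sorted(risks, key=lambda r: (-score(r), -IMPACT[r.impact], r.name))


def summarize(risks: list[Risk]) -> dict[str, int]:
    """Count risks per band for a one-line status report (N high, M medium, K low)."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for r in risks:
        counts[band(score(r))] += 1
    return counts


def render_matrix(risks: list[Risk]) -> str:
    """Text 5x5 matrix of risk counts: rows = likelihood (most likely on top), columns = impact."""
    counts: dict[tuple[int, int], int] = {}
    for r in risks:
        key = (LIKELIHOOD[r.likelihood], IMPACT[r.impact])
        counts[key] = counts.get(key, 0) + 1
    lines = ["L\\I " + " ".join(f"{i:>3}" for i in IMPACT.values())]
    for lik in sorted(LIKELIHOOD.values(), reverse=True):
        row = " ".join(f"{counts.get((lik, imp), 0):>3}" for imp in IMPACT.values())
        lines.append(f"{lik:>3} " + row)
    return "\n".join(lines)


# Constructed sample register, as it would come out of a spreadsheet "Save as CSV"
SAMPLE_CSV = """name,asset,likelihood,impact
Unpatched internet-facing web server,DMZ web tier,likely,major
Shared local admin password,file servers,possible,severe
Accounts of former employees still enabled,Active Directory,likely,moderate
Unencrypted off-site backup tapes,backup system,unlikely,severe
Outdated printer firmware,office printers,possible,minor
Lost visitor badge,reception,rare,negligible
"""

if __name__ == "__main__":
    register = load_register(SAMPLE_CSV)
    for r in prioritize(register):
        print(f"{score(r):>2} {band(score(r)):<6} {r.name} ({r.asset})")
    print(summarize(register))
    print(render_matrix(register))
```

The prioritized list is what goes in front of management: the two "high" entries are the ones to fund first, and re-running the script after each change to the register (new assets, new threats, controls applied) is the cheap, repeatable core of the ongoing assessment the later myths call for.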

Myth #2. If my enterprise doesn’t process large volumes of data, I have nothing to worry about.

WRONG. The truth is, enterprises generally have the means to implement more sophisticated security measures than SMBs, and attackers know it. Since both types of organizations store valuable data, attackers choose to go after the data that’s less protected, even though there may be less of it to steal. Moreover, sometimes a small amount of extremely confidential information is much more valuable than a huge amount of data. For example, a small government contractor that has access to secret government projects is a far more tempting target than a large organization that stores a ton of everyday emails and company picnic photos.

Myth #3. Risk assessment is a one-time activity. If you have done it once, you are ok.

WRONG. Both your IT infrastructure and the threat landscape are constantly evolving, so you need to repeat the risk assessment and mitigation process on a regular basis to spot new weak spots and fix them before a breach occurs. Making risk assessment a part of your routine will help you stay up to date in your cybersecurity efforts and maintain compliance with HIPAA, GDPR, ISO 27001 and other standards.

Risk analysis should be an ongoing process, in which a covered entity regularly reviews its records to track access to e-PHI and detect security incidents, periodically evaluates the effectiveness of security measures put in place, and regularly reevaluates potential risks to e-PHI.

HIPAA Security Rule, Sections 164.306–308

Myth #4. Analyst and research firms are creating an artificial demand for risk assessment.

WRONG. Risk management is more than just a buzzword. It is an essential part of many compliance standards (including NIST SP 800-171, HIPAA, GDPR and ISO 27001) because it helps organizations reduce risk by evaluating and improving their security posture.

For example, section 3.11 of NIST SP 800-171 says that organizations have to re-evaluate risks to their IT environment on a regular basis and remediate security problems according to the results of that risk assessment.

Similarly, section 164.308 of the HIPAA Security Rule requires organizations to perform risk assessment periodically and include the following activities in their security management program:

  1. Evaluate the likelihood and impact of potential risks to e-PHI.
  2. Implement appropriate security measures to address the risks identified in the risk analysis.
  3. Document the chosen security measures and, where required, the rationale for adopting those measures.
  4. Maintain continuous, reasonable and appropriate security protections.

The GDPR does not specify how organizations should assess risks, but Article 32 requires controllers to “implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk,” and Article 35 encourages them to “conduct data protection impact assessments for high-risk processing activities.”

Myth #5. There is no real value in risk assessment; organizations do it just for show.

WRONG. In fact, risk assessment is a very powerful tool for making real changes that improve security. The 2017 Netwrix IT Risks Report found that lack of involvement of senior management was a problem for 32% of IT pros looking for additional budget for new IT security measures or personnel. Risk assessment can help you highlight risky areas to C-level executives and educate them about the likelihood of data breaches and their financial implications, which will help you justify the budget you request for improving data protection.

Myth #6. Everything is fine with my organization; we don’t need risk assessment.

WRONG. A false sense of security is one of the worst things that can happen to an organization. No matter how strong your control processes are, you do have vulnerabilities, and thorough risk assessment will help you ferret them out, prioritize them and take appropriate remediation steps. As your IT environment changes and threats evolve, new vulnerabilities will emerge, and you’ll need to repeat the process.

Myth #7. We have insurance, so it’s not a big deal if we don’t have risk assessment.

WRONG. Many organizations believe that insurance will cover data breach costs and protect them from individual and class action lawsuits. But that’s not true. For example, if an investigation reveals that a data breach was completely your organization’s fault, there is no way you will avoid fines and other sanctions. Moreover, insurance won’t save you personally from losing your job in case of a data breach. If you hold a senior management position, you will be the first in line to take the fall.

The best examples of how insurance fails to completely cover you in case of a security incident are the Target and Equifax breaches:

Target. Retail giant Target was hit with a massive data breach during the holiday season of 2013. Target’s costs related to the data breach totaled $252 million, of which just $90 million was covered by insurance. Those costs include defending various lawsuits from banks and customers, security investigations, and data and network restoration. Plus, two major executives resigned: CIO Beth Jacob and CEO Gregg Steinhafel.

Equifax. In May of 2017, cybercriminals accessed Equifax files containing the personal data of 143 million people. The company holds an insurance policy that will probably cover about $100–$150 million of the costs. The data breach has cost the credit bureau $87.5 million so far, but the eventual total cost could very well be many times higher than the insurance payout, given the large volume of data exposed and the final cost of other famous breaches like Target and Yahoo. Three Equifax executives, the CIO, the CSO and the CEO, retired within a few weeks after the breach was made public in September.

Next steps

If you want to develop stronger security policies and safeguard data against breaches, the first step you need to take is to understand that myths about risk assessment are nothing more than a relic of the past. Debunking popular myths has always been the best way to achieve progress. For example, the concept of the Flat Earth used to define the way people think until it was proven wrong by the Magellan–Elcano circumnavigation; later, this remarkable discovery resulted in a big leap in the development of science.

Now that you understand that these myths about risk assessment are wrong, you can move on to the next step: building an effective risk assessment program. Being able to identify and prioritize security risks will help you mitigate cyber threats and simplify compliance with various standards, such as GDPR and HIPAA.