Risk Processing

In Brief

A company that seeks to protect itself will try to deal with any risks (threat – vulnerability – impact) confronting it. To do this, the company could work along fairly formal lines:

• formal risk management process, catering for the important and vital assets of the company
• the application of best practices for the various types of assets, without carrying out a formal risk analysis
• analysis of the most widespread threats for certain types of assets and the application of appropriate measures
• analysis of the most feared impacts and application of the measures necessary to prevent them
• analysis of the most easily exploitable vulnerabilities and implementation of measures to reduce them.

It is still recommended to use a formal risk management strategy. But given that this strategy is fairly complex, a company may well plan to proceed using a less formal method, mainly based on ‘quick wins’ or experience and best practices.

For dealing with risk, a company will usually have the following options:

• lowering risk by applying measures
• avoiding risk by stopping the process in question
• transfer of risk to another entity (outsourcing)
• upholding risk (no treatment is economically desirable).

Risk Management Strategy

Risk management is the best way to deal with risks. Without the right tools, this strategy is unfortunately outside the scope of most organisations, for reasons of cost and complexity.

Before setting off on this road to excellence, a lot of companies prefer to opt for a more pragmatic strategy.

Best Practices Strategy

A company which has decided not to proceed with the risk management method can achieve a high level of security at any time if it adopts best practices relating to the various types of assets. This strategy, however, is not enough if the company has very specific needs in terms of security.

It could also prove disadvantageous in terms of costs for companies with low-security requirements, as it proposes the introduction of best practices without considering the true needs of the company.

The adoption of best practices is recommended in the following fields:

• best practices relating to the protection of company data; how to classify data, backups, transfer, transportation and definitive destruction
• best practices relating to the protection of company machines; computers, laptops, file servers, mail servers, web servers
• best practices relating to the protection of networks; fixed networks, Wi-Fi networks, remote working
• best practices relating to employee and/or client awareness and training
• best practices relating to the organisation of security
• best practices relating to physical security
• best practices relating to social networks
• best practices relating to business trips.

The adoption of best practices in the following fields is also advisable:

• best practices: email
• best practices: malware
• best practices: e-banking, e-commerce
• Security checklist for web applications in PHP

Non-Exhaustive Strategies

To deal with risks, a company may decide to implement a risk management process and implement best practices for different types of assets.

Besides these more or less exhaustive strategies, which all focus on the protection of different important and vital assets of the company, each company could start thinking about threats and vulnerabilities. This approach is not exhaustive and should not be deemed to be sufficient, as it does not focus on the important or vital assets of the company.

Threat Analysis

A threat analysis can be treated as an optional approach enabling a more detailed study of certain threats and ensures that no threat has been overlooked in the risk management strategy or the strategy based on best practices.

See: Check list of security measures for SMEs

• Threats to infrastructure
• Threats to software
• Threats to hardware
• Threats to human resources
• Legal aspects

The most widespread threats are:

• malicious software (malware)
• malicious websites
• social engineering
• phishing
• theft
• breakdowns

Analysis of Vulnerabilities

The analysis of vulnerabilities is nothing more than an optional process running alongside the treatment of risks through the implementation of a risk management process or the implementation of best practices.

Without going into too much detail, we can list four types of vulnerabilities that should be addressed. By implementing security measures, we aim to lower these vulnerabilities and reduce risks.

• Human vulnerabilities
  Fear, curiosity, libido, greed and pity are examples of human vulnerabilities. These vulnerabilities can be easily exploited on people who are ill-advised or unaware of the issues.

• Organisational vulnerabilities
  Without decent organisation, security measures cannot be effective or efficient. A charter or even a security policy should be introduced.

• Technical vulnerabilities
  There are many technical vulnerabilities. Errors in the operating system, software, missing or erroneous firewall rules, etc. Security measures must be introduced to mitigate these technical vulnerabilities.

• Physical vulnerabilities
  In terms of physical security, many companies have a lot of weaknesses that it is important to eliminate.