Risk and reward

Trade

1 April 2005

The word ‘risk’ is one that is thrown around the security industry without pause for thought nowadays. So much so that, if you were an impressionable end-user, it would be understandable if every time you turned on your PC you felt a degree of trepidation about the potential cyber-risks to which you could be exposing yourself and your company.

The less scrupulous elements of the security industry rely on and encourage end-user fears surrounding IT security, or, more appropriately, the user’s apparent lack of preventative measures in place to deal with an attack. I believe that it has got to the point where the most minor risk is now being positioned as a potential W2K haymaker, and the industry in 2004 needs to take steps to address this imbalance.
The problem with assessing risk is that there really is no one-size-fits all approach to each user scenario. For example, is the risk any higher in the university where copies of a forthcoming exam paper have been mislaid and could easily be e-mailed around to students, than at the publishing house where a disgruntled employee could e-mail excerpts from a forthcoming novel without batting an eyelid?

The value of risk assessment
My view is that resellers selling security products need to help users understand the risks that they are facing now and are likely to face in the future. Moreover, the user has to be totally involved in the risk assessment process and be completely frank with the reseller as to where the key threats lie internally and externally to the organisation. Embarking on this process will help build a partnership based on trust and one that from the reseller’s point of view is likely to bear fruit in the future.
The first step to successfully completing a risk assessment is to focus on the key areas within the business that are security breach targets. Taking e-mail as a prime example – does the company have a policy in place stipulating when confidential data should be sent via e-mail, fax or by post? What mechanisms does the organisation have in place to prevent the dissemination of confidential information to unprivileged parties?
Taking a systematic approach to each facet of the company’s IT will enable the reseller and user to build up a genuine picture as to where the biggest risks truly lie and prioritise the areas that require policy, technology and training measures to be taken.
I would also suggest some kind of scoring system is assigned to known risks indicating those requiring urgent attention. Taking this approach will provide both the reseller and user with a quantitative means to move forward and find the right technology to minimise the threats to that particular business. In addition, the document will also act as a benchmarking tool to which both parties may refer when reviewing security measures in the future.
 
Not just an IT issue
Whenever looking at risk, we would recommend that the company look at what the threats are from an IT, business and legal point of view. Too often e-security issues are seen as the domain of the IT department, and I would argue that this is a shortsighted view to take in today’s climate. For example, the threat of opening up a virus-ridden attachment is a risk that strikes at the heart of the IT department, its systems and then on to the business as the virus takes hold. Can the same be said of the defamatory remark made about a customer on e-mail that inadvertently lands in that customer’s inbox? The answer is no, because that risk has now become a reality for the legal department and may require their attention.
For resellers to be viewed as true security experts, more and more end users are demanding a total service that will also explain to them some of the legal pitfalls they could be facing. Our advice to resellers is to look to partner with legal experts that can provide, where necessary, advice to the end user. Not only will this provide a real value-add for the customer, but it will also enable the reseller to offer a new revenue stream as part of the consultative sales cycle.

Making it happen
The difference between a one-off sale and repeat business is, more often than not, down to the relationship with the customer. By helping customers assess the types and levels of risk they face, resellers will put themselves in the best possible position to add value every step of the way. Risk assessment need not be the sole territory of the IT consultant. With planning and understanding of the customer’s situation, the reseller can provide a service that will help combat today’s and tomorrow’s threats without using ‘fear, uncertainty and doubt’ to close the deal. However, in order to make security effective in a business environment, it has to take into account and embrace three key areas: people, policy and technology. True security takes into account the people in the business, caters to their needs and educates them as part of the ongoing solution, while combining that with clear and well-communicated policy that is supported and enforced by the technology that is implemented. Only by truly understanding the nature of risk in the first place can this approach be effectively administered.


Julian Martin is channel development director for SurfControl

16/02/04
