Why Existing Compliance Programs Won’t Always Protect You from IT Risk

Risk is a business concept, in that anything that threatens an organization’s ability to achieve its financial goals is considered a business risk. When it comes to IT risk, many organizations rely on compliance regulations and standards to enforce security and reduce cyber-risks.

However, the scope of these regulations and standards are often narrowly focused to specific aspects of the business or type of data handled, and don’t provide a comprehensive evaluation of the state of security surrounding the entire IT infrastructure.

With an ever-changing threat landscape, an increase in the number of cyber-attacks, and sophistication of new threats, it’s critical that organizations methodically evaluate IT risk with enterprise-wide assessments and don’t rely solely on a check-the-box compliance strategy to mitigate threats and vulnerabilities.

COVID-19 Changes

The COVID-19 pandemic is a prime example of a risk that took most companies by surprise; and one where compliance requirements did little to help mitigate the rise in security vulnerabilities.

COVID-19 has:

  • Forced businesses to reevaluate how they operate
  • Created talent shortages due to furloughs and layoffs
  • Increased security risks due to home network vulnerabilities, VPN issues, cyberattacks through email and phone, malicious video conferencing, and more

The need for enterprise-wide IT risk assessment is especially clear during times of disruption. Organizations must be diligent in identifying, evaluating, and mitigating technology risk to protect confidentiality, integrity, and availability of IT assets.

For more details, please see a Cybersecurity Checklist for Remote Work.

Bolster Security with IT Risk Assessment

An IT risk assessment aims to provide a comprehensive evaluation of an organization to identify potential threats and countermeasures to reduce the risk. No organization can completely eliminate risk, so an IT risk assessment helps determine which vulnerabilities present the most risk to the organization.

Some benefits of conducting an IT risk assessment include:

  • Understanding your risk profile
  • Identifying vulnerabilities before they’re exploited
  • Facilitating decision-making around the company’s security strategy
  • Justifying security investments
  • Evaluating the strength of existing policies and controls
  • Enhancing compliance with legal requirements

Identify Vulnerabilities

Three factors play into risk determination:

  • Threats to an asset
  • Vulnerabilities associated with the asset
  • Importance of the asset

The first step of the risk assessment process is to understand and identify all assets within the organization; this includes hardware, software, and data. You’ll also need to classify each asset. For example, if a system holds sensitive or proprietary information, it should be classified as high-risk.

The next step is to identify threats to an asset, such as:

  • Hardware or software failure
  • Malware
  • Human-error
  • Hackers
  • Denial of service
  • Natural disasters
  • Pandemics

Then, identify the vulnerabilities to the asset. A threat can exploit a vulnerability to breach security and harm your organization. Vulnerabilities can be identified through vulnerability scanning, security assessments, the NIST vulnerability database, vendor data, and the Cybersecurity and Infrastructure Security Agency to name several examples.

Analyze Controls

Now, analyze the controls in place to minimize or mitigate the probability a threat will exploit a vulnerability in the system.

Controls can be implemented through technical means—such as antivirus, encryption, intrusion detection mechanisms, and identification and authentication systems. Examples of nontechnical controls include policies and procedures, access reviews, and physical and environmental monitoring.

Next, assess the likelihood of a vulnerability being exploited and the impact it would have on the asset. The type of vulnerability, the capability and motivation of the threat source, and the existence and effectiveness of the controls all need to be accounted for to determine the risk level.

Develop Risk Mitigation Plans

Once the level of risk has been determined and documented for various assets, action plans for risk mitigation need to be developed.

The final step in the risk assessment process is to develop a risk assessment register to support management in making appropriate decisions on budget, policies, and procedures. For each threat, the register should describe the corresponding vulnerabilities, the assets at risk, the impact on the IT environment, the likelihood of occurrence, and the control recommendations.

There are a number of IT-risk register templates and risk-assessment frameworks available including NIST SP 800-39, ISACA Risk IT Framework, and HITRUST Risk Management Framework. Each organization needs to determine the best fit for its needs based on its current enterprise risk management approach.

Common Pitfalls

There are several common pitfalls that could weaken the overall effectiveness of an IT risk assessment.

Limited Approach

An IT risk assessment shouldn’t be treated as a stand-alone evaluation, separate from enterprise-wide risk management. Technology plays a key role in achieving an organization’s strategic initiatives, and IT risks should be evaluated with consideration to the business impact and aligned with the organization’s risk appetite. IT decisions and investments made in a vacuum can be counterproductive to business goals.

Infrequent Assessments

The second pitfall is performing the assessment once or infrequently.

Given the frequent changes in technology and increased frequency and sophistication of attacks, new threats and exposures should be evaluated annually, at least, or whenever there are major changes made to technology systems and operations.

Unclear Strategy

Some organizations fail to create a clear roadmap and strategy to address findings from the risk assessment. This leads to lack of senior management support and increased exposure as threats remain unmitigated.

To combat this, focus on business reasons for each improvement implementation to help management understand the need for risk mitigation.

Organizations most prepared for risks are those continually evaluating and evolving their approach and strategy. If there are any benefits to be gained from the pandemic, it’s increased awareness of the importance of being prepared for unexpected risks and why compliance isn’t enough to keep organizations secure.

We’re Here to Help

If you have any questions regarding your existing IT risk and compliance program and how to make improvements, please contact your Moss Adams professional.

Note on COVID-19

During this unparalleled time, we’re closely monitoring the COVID-19 situation as it evolves so we can provide up-to-date guidance and support to help you combat uncertainty. For regulatory updates, strategies to help cope with subsequent risk, and possible steps to bolster your workforce and organization, please see the following resources: