‘Do-it-yourself’ IT Security Risk Assessment

In our previous post, we took a look at cybersecurity in small businesses. That article included a short section on risk management and the role it plays in keeping a firm’s systems secure.

This time, we take a more in-depth look at IT risk assessment. We here at Particular Presence composed a hypothetical IT risk audit in order to aid small business owners in identifying potential hazards.

Before we continue, some key terms must be explained:

Hazards – those elements that might cause harm to the business, such as natural disasters.

Risk – the chance that something could be harmed by these hazards, together with an indication of how harmful that event might be.

Malware – a category of malicious code, which includes threats like viruses and Trojan horses.

Endpoint or Endpoint device – any internet-capable computer hardware device found on a network. This would include laptops, desktops, smartphones, tablets, printers etc.

Endpoint Security – this approach to protection requires a device to meet a set standard before being able to access a corporate network.

To simplify the process, we separated the audit into three (3) sections:

  1. Section I: Pre-Assessment – Where we identify the various hazards within your business.
  2. Section II: Assessment – The evaluation of risks and the precautions which need to be implemented.
  3. Section III: Post-Assessment – A review of the findings and the precautions taken to mitigate the issues.

Let’s begin the analysis with a case study:

“Deidre Green runs an appliance store with a workforce of roughly ten employees. Of those ten employees, five work with her in the main office while the rest fulfil their duties on the ground floor. The office is where most of the company’s hardware and software is located. A collection of six workstations, a wireless printer, along with two wireless routers for the store, are all found upstairs in the office. On the store’s ground floor, three vending kiosks are set up in order to quickly process customers’ orders. In addition to all the prior information, employees also have their own personal devices attached to the store’s network.”

*We assume all the technology in Deidre’s shop is configured to its default settings, with little to no customization as it relates to security.

Before we move on, we’d like to give our readers an idea of what exactly they are trying to protect.

The following examples show how much sensitive data sits on a typical machine, depending on the individual’s role in the company.

Deidre’s workstation (Owner/Manager) contains:

  • A collection of Microsoft Word files which describe how the company does business, its trade secrets, supplier data etc.
  • Files with comparative data on the competition
  • Microsoft Excel analyses of topics including sales and customer data
  • Sensitive employee data such as insurance, taxpayer and payroll information

The Accountant’s workstation contains:

  • Significant information on the business’ internal and external financial activities
  • Financial analysis data
  • Business accounting software
  • Excel files containing financial reports

The Human Resource Manager’s workstation contains:

  • Sensitive employee data such as insurance, taxpayer and payroll information
  • Information on the company’s safety precautions
  • Information on each employee’s health and safety
  • Files with data related to the recruitment and training of future employees

The standard kiosk contains:

  • Specialized point-of-sale applications which collect data on each purchase made

Section I: Pre-Assessment

In assessing the company’s assets, the following hazards should be included:

  • As with most companies, especially those in the Caribbean, natural disasters pose a major threat to productivity. Disasters such as earthquakes and hurricanes can leave businesses devastated, with all their documents and resources destroyed.
  • Hardware theft can compromise the security of the sensitive information being stored.
  • An unsecured WiFi network would leave the firm open to multiple types of attack.
  • Given how sophisticated modern malicious code has become, unsuspecting employees may introduce viruses onto the company’s network.
  • Employees themselves may be hazards, depending on the restrictions that exist within the company.

Section II: Assessment

When evaluating the company’s risks, a helpful tool is the Risk Impact/Probability Chart. The chart is built on the principle that risk has two dimensions: probability and impact.

Each corner of the chart represents an Impact/Probability extreme, creating a space that helps the analyst judge how severe a risk might be. The classes of severity range from Low-Level to Critical.

  1. Low Impact/Low Probability – risks in the bottom left corner are low level. You can usually ignore them.
  2. Low Impact/High Probability – risks in the top left corner are moderate level. These are things that happen often. The firm can usually recover from them, but you should still stop them from becoming a habit.
  3. High Impact/Low Probability – risks in the bottom right corner are high level, but they rarely happen. Despite the low occurrence, the company should still prepare for such an event.
  4. High Impact/High Probability – risks in the top right corner are critical level. Businesses should pay close attention to these risks, and prevention should be a high priority.

So now we assess the risks we found in Section I:

*Natural disasters depend on the company’s geographical location. For the case study, we’ll use Jamaica.

  • Common natural disasters in the Caribbean are earthquakes and hurricanes. The most common disaster in Jamaica is the hurricane, whose impact ranges from low to critical. The buildings that hold the company’s hardware and software should therefore be storm- and flood-proof.
  • Hardware theft has become common in Jamaica, so its occurrence could be placed at the medium level. The impact would vary with the hardware taken, so it could be placed anywhere from medium to critical. Physical security measures, along with monitoring of staff, could reduce the probability of theft.
  • An unsecured WiFi router leaves the company open to multiple types of threats, such as Denial of Service (DoS) and Evil Twins. These hazards are capable of crippling a company and belong in the high impact category. Given the recent rise of technology culture in the country, the occurrence would range from medium to high. Deidre should therefore look into methods of securing her routers.
  • The possibility of an employee introducing a virus into the network is rather high, and the risk grows as the labour force gets larger. This should be a high priority, since the culprit may have done it without realising. Ms. Green should ensure that all workstations and kiosks have antivirus software, and she should also use firewall technology on her network.
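To make the chart usable on a longer list of hazards, here is a small risk-register script (an added example written for this post, not a MindTools or vendor tool) that scores the Section II hazards on the two dimensions, places each in its chart quadrant and ranks them most severe first. The numeric scale, the ratings chosen for Deidre’s store and the precaution text are assumptions drawn from the discussion above, with the worst case used wherever a range was given.

```python
from dataclasses import dataclass

# Qualitative scale from the Impact/Probability chart, mapped to numbers so risks can be ranked.
SCALE = {"low": 1, "medium": 2, "high": 3, "critical": 4}
THRESHOLD = SCALE["medium"]  # ratings above 'medium' fall on the 'high' side of the chart


@dataclass(frozen=True)
class Risk:
    hazard: str
    probability: str   # low / medium / high
    impact: str        # low / medium / high / critical
    precaution: str


def quadrant(probability: str, impact: str) -> str:
    """Place a risk in one of the four chart corners described in Section II."""
    p, i = SCALE[probability], SCALE[impact]
    if p > THRESHOLD and i > THRESHOLD:
        return "Critical"   # High Impact / High Probability (top right)
    if i > THRESHOLD:
        return "High"       # High Impact / Low Probability (bottom right)
    if p > THRESHOLD:
        return "Moderate"   # Low Impact / High Probability (top left)
    return "Low"            # Low Impact / Low Probability (bottom left)


def score(risk: Risk) -> int:
    """Product of the two dimensions, used only to order risks within and across quadrants."""
    return SCALE[risk.probability] * SCALE[risk.impact]


def prioritise(risks):
    """Return (hazard, quadrant, score, precaution) tuples, most severe first."""
    ranked = sorted(risks, key=score, reverse=True)  # stable, so ties keep register order
    return [(r.hazard, quadrant(r.probability, r.impact), score(r), r.precaution) for r in ranked]


# Constructed register for Deidre's store using the ratings discussed in Section II;
# where the post gives a range (e.g. "medium to critical") the worst case is taken.
DEIDRE_RISKS = [
    Risk("Hurricane", "high", "critical", "storm- and flood-proof the building"),
    Risk("Hardware theft", "medium", "critical", "physical security and staff monitoring"),
    Risk("Unsecured WiFi router", "high", "high", "secure the routers"),
    Risk("Employee-introduced virus", "high", "high", "antivirus on every endpoint plus a network firewall"),
]

if __name__ == "__main__":
    for hazard, level, points, action in prioritise(DEIDRE_RISKS):
        print(f"{level:9} {points:2}  {hazard:26} -> {action}")
```

Adding a hazard to the register is a one-line change, and the ranking is what goes into the Post-Assessment.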

Section III: Post-Assessment

It is clear that some things are missing from Deidre’s operational structure. The company would be putting itself at risk if day-to-day operations were to continue at this level.

Despite the circumstances, Deidre can still save her business. A software-based approach to tackling Ms. Green’s woes would be the implementation of an Endpoint Protection Platform (EPP).

An EPP is an application which enables cross-platform functionality and provides anti-virus, firewalls and anti-spyware, amongst other forms of intrusion prevention. The term ‘cross-platform’ speaks to an EPP’s ability to provide network security for multiple operating systems. Deidre and her team would be more at ease knowing that their documents are secure within their own network.

Fundamental features in an Endpoint Protection Platform include:

Firewalls – system protection from unauthorized access

Real-Time Protection – software used to analyze the behaviour of applications in an effort to detect and prevent unknown malware.

Intrusion Prevention – monitors the network for suspicious traffic and activity.

Currently, there are many EPPs on the market, each claiming to be better than the rest. So in order to gain an objective view, an investigation was set up to determine the effectiveness of each EPP from a set of market leaders.

Endpoint Protection Platform (EPP) Market Leaders:

  • Sophos
  • Symantec
  • Kaspersky Lab
  • Trend Micro

Sophos

Sophos stands out from the group because its products were built to be sold to small businesses. It does well with buyers who want simple administration along with a unified approach to endpoint security.

Pros:

  • Great integration across multiple platforms.
  • The release of new features, such as Malicious Traffic Detection, makes Sophos one of the more innovative companies on the market.
  • Sophos’ management interface was designed for ease of use.
  • Their application suite includes integrated mobile device support.

Cons:

  • Sophos’ simplistic management console could pose a problem for larger organizations seeking more complex control and reporting.
  • Their malware test results are described as ‘average’ and could be improved upon.

Symantec

Symantec is one of the most popular names in cybersecurity, and is the market share leader when it comes to Endpoint Protection Platforms. However, the company has been suffering from a history of lengthy corporate strategies. Despite this, Symantec still manages to provide solid anti-malware endpoint protection.

Pros:

  • Symantec’s constant re-invention has resulted in the company being able to offer many defense mechanisms to their clients.

Cons:

  • Symantec’s mobile security is not integrated into their endpoint protection.
  • Symantec does not offer much application control besides an administrator-defined lockdown.

Kaspersky Lab

Kaspersky’s brand and market share have grown rapidly over recent years. The company is known for its effective security suite, which includes application control and virtual server support. All these features, plus good malware detection, make Kaspersky a good choice for any organization.

Pros:

  • Kaspersky’s malware detection has a reputation for being very accurate.
  • The user is given a wide array of management tools.
  • Centrally managed file and full disk encryption are integrated into the endpoint protection system, along with preboot authentication for hard drives and removable storage.

Cons:

  • Kaspersky’s complex management console might become daunting for those managers who are less technically inclined.
  • Kaspersky doesn’t offer certain additional features such as malware investigation and sandboxing.

Trend Micro

Trend Micro has become the third-largest EPP, with the largest number of installs worldwide. The company pays special attention to data centre protection with Deep Security, a product which provides automated cloud security. Investments in the areas of application control and malware sandboxing, amongst other development processes, have made Trend Micro a fine candidate for many buyers.

Pros:

  • Trend Micro’s investment in future applications is a sign of more effective protection to come from the brand.
  • Most of their security solutions are very detailed.
  • ‘Worry-Free Business Security’ provides protection cross-platform as a cloud service.
  • Their products make it possible to secure cloud-based environments such as Amazon Web Services.

Cons:

  • The management interface could be improved to enhance the presentation of visual data.
  • There have been some integration problems between Trend Micro applications in the past.

For Deidre’s purposes, an endpoint protection platform like Sophos would serve well. Ease of use and seamless integration are just a few of the aspects which give Sophos an edge over the competition. The system’s simple approach would make it easy to train existing and potential staff, so the implementation phase of the endpoint protection software should be rather painless. All the staff’s documents and devices within the network would get adequate protection. Even data transfer with the Sophos system is encrypted.

Full benefits of the Sophos System

  • Endpoint Security – outfits an endpoint with features such as antivirus, intrusion prevention and malicious traffic detection. This should prevent virus infection and intrusion. Deidre would now be able to safeguard her business from unsafe websites, applications and devices.
  • Mobile Security – gives Deidre the power to manage and safeguard all the mobile devices attached to her business, and is available for iOS, Android and Windows Phone systems.
  • Data Protection and Encryption – with the Sophos system, data can be securely stored and exchanged across operating systems with little to no hassle. Even if a file ended up in unauthorized hands, it would still be illegible, as Sophos SafeGuard automatically encrypts files, whether they are going to a cloud server, removable storage or another user.
  • Sophos Cloud – is Sophos’ way of allowing administrators like Deidre to manage all the endpoints and mobile devices of the organization. All of this is done in one unified cloud console, allowing Deidre or any person of authority to monitor the company’s devices and security threats from almost anywhere.

With the Sophos system, Ms. Green and her team should be able to enjoy profits with some peace of mind.

For more information on risk management: MindTools: Risk Impact/Probability Chart