THIS TEXT-ONLY VERSION HAS BEEN CREATED SPECIFICALLY FOR MAXIMUM ACCESSIBILITY AND USE WITH SCREENREADERS, THEREFORE IT CONTAINS NO FORMATTING. IF YOU WOULD LIKE TO READ A FORMATTED VERSION, VIEW THE PDF INSTEAD.

RISK MANAGEMENT

Statistics show that the risks to information security are very real. If a business is serious about managing information risk, the most important step it can take is to understand the risks it faces. This is normally the first phase of a practice called risk management, followed by some form of risk analysis.

The list of risks to information is long and varied. It includes:
- Fraud
- Illegal personal investigation
- Industrial espionage
- Terrorism
- Computer viruses

A risk is normally a product of threats and vulnerabilities.

Vulnerabilities include:
- poor website design
- slack recruiting procedures
- mismanaged computer systems
- inadequate staff training.

Threats include:
- deliberate manipulation of information prior to input
- impersonation of a legitimate user
- untrained staff
- loss of service

Prevention is better than cure! If your business is open to fraud (it may, for example, handle large sums of money), unmanaged vulnerabilities will provide the opportunity for a risk to manifest itself. The aim of risk management is to reduce such risks to an acceptable level.

RISK STATISTICS

The DTI Information Security Breaches Survey 2002 reveals a number of trends that require concerted attention by businesses – especially small to medium sized enterprises (SMEs).
Did you know that:
- 44% of UK businesses have suffered at least one malicious security breach in the last twelve months
- a fifth of these companies took more than a week to recover fully from each incident
- the average cost of each incident was 30,000 GBP, with some costing over 500,000 GBP
- a third of these incidents were due to virus infections, despite the vast majority of companies using anti-virus software
- less than 30% of all companies have made a formal commitment to address information security issues
- about half of all businesses do not address Data Protection issues in accordance with the law, a situation that could lead to jail sentences.

Information security is a real issue which could have an impact on you and your business. What are you doing about it?

RISK ANALYSIS

Risk Analysis is a formal process of determining risks and developing a plan to deal with them. A risk analysis process involves:
- understanding risks to the business and how they can occur
- understanding the potential cost to the business if they do occur
- identifying suitable and effective measures to:
  – minimise the likelihood of occurrence
  – prevent or detect the threat
  – enable appropriate recovery action to be taken

Risk can be quantified in straightforward ways:
- threats are identifiable and known about through research
- vulnerabilities can be determined through review, testing and audit
- likelihood can be determined based on statistical research

The most important element in the process is that risk decisions are taken openly. Denying the presence of risk is not helpful. But trying to reduce the risk to zero is not realistic, and will normally cost more than it will save.

Once a measurement of risk has been agreed, the organisation must take a view on the impact of a security event on the successful operation of the business. Once this is done, controls (also known as countermeasures) should be applied to address the risks.
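The quantification steps above (threat likelihood from research, vulnerability from review and audit, cost of an incident to the business) can be worked through in a small risk register. The following Python is an added example, not part of the DTI leaflet: it scores each risk as threat likelihood × vulnerability × impact, ranks the register, and checks whether a proposed control saves more than it costs, which is the leaflet's point that driving risk to zero is rarely worth it. The risk names, likelihoods, vulnerability ratings and control costs are constructed sample values; only the 30,000 GBP and 500,000 GBP incident costs are taken from the survey figures quoted above.

```python
from dataclasses import dataclass, replace


@dataclass
class Risk:
    """One line of the risk register."""
    name: str
    threat_likelihood: float   # expected attempts per year (from research; assumed here)
    vulnerability: float       # 0..1 chance an attempt succeeds given current controls
    impact_gbp: float          # cost to the business of one successful incident

    def annual_expected_loss(self) -> float:
        # The leaflet's "risk is a product of threats and vulnerabilities",
        # weighted by the cost of the incident if it does occur.
        return self.threat_likelihood * self.vulnerability * self.impact_gbp


@dataclass
class Control:
    """A countermeasure with its running cost and the vulnerability it leaves behind."""
    name: str
    annual_cost_gbp: float
    vulnerability_after: float  # 0..1 residual chance of success once applied


def rank_risks(risks: list[Risk]) -> list[Risk]:
    """Highest expected annual loss first, so attention goes where it matters."""
    return sorted(risks, key=lambda r: r.annual_expected_loss(), reverse=True)


def control_net_benefit(risk: Risk, control: Control) -> float:
    """Loss avoided per year minus what the control costs; negative means not worth it."""
    residual = replace(risk, vulnerability=control.vulnerability_after)
    loss_avoided = risk.annual_expected_loss() - residual.annual_expected_loss()
    return loss_avoided - control.annual_cost_gbp


def worthwhile_controls(risk: Risk, controls: list[Control]) -> list[Control]:
    """Keep only controls that save more than they cost, best first."""
    paying = [c for c in controls if control_net_benefit(risk, c) > 0]
    return sorted(paying, key=lambda c: control_net_benefit(risk, c), reverse=True)


# Constructed sample register (hypothetical figures; 30,000 and 500,000 GBP are the
# survey's quoted average and upper incident costs).
SAMPLE_RISKS = [
    Risk("virus infection", threat_likelihood=2.0, vulnerability=0.3, impact_gbp=30_000),
    Risk("fraud", threat_likelihood=0.2, vulnerability=0.5, impact_gbp=500_000),
]

# Constructed controls for the virus risk: modest training versus trying for zero risk.
VIRUS_CONTROLS = [
    Control("staff awareness training", annual_cost_gbp=4_000, vulnerability_after=0.1),
    Control("isolate every workstation", annual_cost_gbp=50_000, vulnerability_after=0.0),
]


if __name__ == "__main__":
    for r in rank_risks(SAMPLE_RISKS):
        print(f"{r.name:20s} expected loss {r.annual_expected_loss():>10,.0f} GBP/yr")
    virus = SAMPLE_RISKS[0]
    for c in VIRUS_CONTROLS:
        print(f"{c.name:28s} net benefit {control_net_benefit(virus, c):>10,.0f} GBP/yr")
```

Running it ranks fraud above virus infection on expected loss, and shows that the training control pays for itself while the zero-risk option costs far more than the loss it removes, which is the decision the leaflet asks the organisation to take openly.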
If you are concerned about information security risks within your own organisation, try a Health Check or, for risk information in specific areas, see our Virus Risk, Inappropriate Usage Risk, Unauthorised Access Risk, Theft Risk or Systems Failure Risk pages.

------------------------------------------------------

For more information on Achieving best practice in your business:
- Visit our website at www.dti.gov.uk/bestpractice
- Call us on 0870 150 2500 to order from our range of free best practice publications or visit www.dti.gov.uk/publications
- Contact your local Business Link adviser by visiting the website at www.businesslink.gov.uk or calling 0845 600 9 006

Published by the Department of Trade and Industry. www.dti.gov.uk
© Crown Copyright. 04/04