Every vendor involved in security talks about risk. But risk as a concept is tough to grasp – it just means something bad can happen to your organization, not that it will necessarily happen. Somehow, you’re supposed to equate the presence of some level of risk with an equal level or priority within IT. Often, risk (and the needed response) can be obvious. For example, if you’re being hit with ransomware via unpatched Flash, guess what you’re going to be doing next? In that case, the risk was high should you do nothing. So the prioritization of your time is simple to deduce.
Unfortunately, most of the time risk simply isn’t that obvious. It’s more about a threat potential than an actual occurring event. What is helpful to IT is an ability to quantify just how much risk we are talking about. Once you have an idea of what the potential risk is in tangible terms, then, and only then, can you truly begin to prioritize your actions.
One solid way is to understand risk at to look at it in terms of the actual dollar cost. In simple terms, you don’t just want to know you have “x amount of risk” – which effectively means nothing without a point of reference – you want to know you have a specific risk cost tied directly to information, assets, the state of security measures, etc. from within your organization.
Put another way, if you know your roof needs repairing, your pipes need fixing and the AC needs to have some Freon added, there a risk associated with not addressing these needs. When you realize the cost associated with not doing these tasks – such as if you don’t fix the roof, you’ll have leaks into the house that will cost you thousands instead of just patching the roof for $250 – you have much more context around the actual risk.And an idea of what the cost of that risk is should you choose to do nothing.
So, how do you calculate the dollar cost of risk for your organization?
Let’s look at it the same way MAX Risk Intelligence does.
You begin with the foundation of trusted industry data – Ponemon’s annual Cost of a Data Breach report (download the 2016 report here), Verizon’s annual Data Breach Investigations Report (download the 2016 report here) and recent claim data from the Insurance Institute of America. These reports help paint a picture of what each type of data would cost your organization were it to be involved in a data breach. For example, a certain piece of data might cost your organization $150 per record, based on industry data – it all depends on factors like the data type in question (e.g. credit card, health record, etc.), the industry sector you’re operating in and your location in the world.
Built on that foundation is the ability to look for sensitive data lying unprotected on endpoints within your organization. While sensitive data is normally found centrally on servers as part of an application database (HR, CRM, etc.), many organizations have more sensitive data stored on endpoints than they realize. A scan for various data formats (e.g. ###-##-#### for a social security number) across all your endpoints would yield every machine that has data stored on it. Tying those to a specific cost per record, makes it relatively straight-forward to calculate the potential risk in the form of liability should those records be compromised.
But you can’t stop there. Let’s say a machine has 1,000 records on it. That doesn’t mean it will specifically be involved in a data breach. So you can’t necessarily say every record found on every machine will be involved either. To assess the risk level of a given endpoint, the degree of vulnerability (in the form of checking to see if a machine is patched for known vulnerabilities) must be assessed, with a risk score – in this case the National Institute of Standards and Technologies’ Common Vulnerability Scoring System (CVSS) – applied to the endpoint. Even machines with zero records still need to be assessed, as unprotected endpoints can act as footholds for external attackers working to penetrate an organization looking for valuable data.
So the formula is simple:
Number of unprotected records x cost per record x CVSS Score
The challenge in calculating risk is the ability to put it all together – centrally scanning endpoints for sensitive data across your network, associating those data types to current industry data to reflect your true cost and then aligning each instance of sensitive data with a vulnerability score of the machine it’s on.
The final result looks something like this.
In this case, you can see the counts of unprotected data based on the various types of information using the scale at the left of the chart (for example, there are 11 Visa card numbers), along with a per-type calculated risk cost using the scale at the right (putting the risk cost of those Visa card numbers somewhere between $2,000 and $3,000), and the total potential risk liability at the far right (calculated by totaling the risk costs and applying the CVSS) for a given endpoint.
Without knowing just how much is at risk (from both “what’s exposed” and “how exposed are we” standpoints), you can’t establish how much of a priority to place on specific security concerns. Sure, you know that not all your machines are patched, and that there will be some amount of sensitive data out there on your network, but without correlating the two, you’ll probably think your network is OK, and that no response is needed.
Putting a dollar cost on your risk gives you perspective on the problem – where to focus and how much to focus. Using a solution like MAX Risk Intelligence, you can quickly ascertain the cost of your risk and where that risk exists within your organization.
In my next blog, I’ll continue on the topic of risk but talking about what actions SMBs should take with this information.
To find out more about MAX Risk Intelligence or to sign up for a trial, click here.