Risk Evaluation Matrix | Assessment and Analysis
As a managed service provider (MSP) entrusted with securing your client's information systems, it’s up to you to catch and fix every single vulnerability. Otherwise, your clients can fall victim to their own network and data storage weaknesses. Likewise, it is valuable to understand the infrastructure and flaws of prospects in order to determine which services would be the best fit.
An IT risk evaluation matrix can help MSPs optimize their client's overall security position by viewing IT systems from the viewpoint of an attacker. If done right, the matrix can alleviate and even avoid data breaches and the severe consequences that accompany them. While risk assessments differ with each client, one thing remains constant: MSPs need the right tool to comprehensively assess risk.
Your Clients Need Risk Assessment
Now is the perfect time to reach out to your clients about risk evaluations. To make an even more compelling case, share the following statistics with them:
The Ponemon Institute conducted a study in 2016 in which it surveyed 383 companies to assess the financial risk and impact of data breaches. It found that the current average total cost of a data breach is $4 million, with the average cost of recovering lost or stolen information through a data breach reaching $158 per record. Of the companies surveyed, the Institute estimates a 26% chance that a large-scale data breach will occur in the coming 24 months.
Factors to Consider in a Risk Evaluation
Risks are evaluated based on their probability and impact. Which risks rank high or low in terms of probability and impact depends on many factors, including your client's industry, company size, information systems, network infrastructure, computing environment, risk policies, procedures and employees. Some organizations, by nature, can tolerate more risk than others.
Sharing these factors with your clients can increase awareness, visibility and priority of risks within an evaluation matrix. Sound decisions about certain risks can then be rendered in context, and the appropriate course of action can be taken based on how harmful the risks are, what individuals or systems they can harm, the likelihood that they will occur and the extent to which they can impact business operations.
Using a Risk Evaluation Matrix
After risks within the client organization have been ranked according to their likelihood and impact, it should be easier to discern which risks require immediate attention and which can be addressed at a later time. Risks that have a high occurrence and severe impact are the most critical and must be addressed as soon as possible so that they can be removed.
Risks that have a medium occurrence and serious impact also require immediate attention. In addition to removing the risk, replacement strategies should also be considered. For example, if a third-party software application has a number of holes that can be breached, it may be worth looking for an alternative application with fewer or no holes, or jettisoning the application even if no substitute can be found in order to better secure the infrastructure. It is wise to create timelines for when these risks will be addressed.
Risks that have an irregular occurrence and medium impact do not need to be addressed immediately. MSPs can address these risks over time. Typically, these risks do not require a large amount of resources. Often, they can be resolved by working with the client to come up with careful, common-sense solutions.
Risks that have a low or rare occurrence and minimal or minor impact can be delayed in resolution, since they typically pose little problem to business operations. However, they should still be addressed at a later time to raise the security posture of the client's information systems.
After the appropriate corrective actions have been taken, you should reassess the risk with clients to ensure it has been remediated or is at a tolerable level.
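The four response bands described above, as an added worked example that is not part of the original article or of any SolarWinds MSP product: each risk gets a likelihood and an impact on a 1 to 5 scale, the matrix cell is their product, and the product is mapped to a band. The article names the bands but gives no numbers, so the 1 to 5 scales, the cut-off scores and the sample risks are all this example's own assumptions. It also shows the reassessment step: after corrective action, a risk is re-scored and checked against the client's tolerated band.

```python
from dataclasses import dataclass, replace
from enum import IntEnum


class Likelihood(IntEnum):
    """How often the risk is expected to materialise (assumed 1..5 scale)."""
    RARE = 1
    LOW = 2
    IRREGULAR = 3
    MEDIUM = 4
    HIGH = 5


class Impact(IntEnum):
    """How badly the business is hurt if it does (assumed 1..5 scale)."""
    MINIMAL = 1
    MINOR = 2
    MEDIUM = 3
    SERIOUS = 4
    SEVERE = 5


# Response bands named in the article. The score cut-offs below are this
# example's own choice (assumption); the article gives only the bands.
CRITICAL = "critical"    # high occurrence, severe impact: remove as soon as possible
IMMEDIATE = "immediate"  # medium occurrence, serious impact: fix or replace, with a timeline
SCHEDULED = "scheduled"  # irregular occurrence, medium impact: address over time
DEFERRED = "deferred"    # low/rare occurrence, minor impact: fix later
BAND_ORDER = [DEFERRED, SCHEDULED, IMMEDIATE, CRITICAL]  # least to most urgent


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: Likelihood
    impact: Impact


def score(risk: Risk) -> int:
    """Matrix cell value: likelihood x impact, in the range 1..25."""
    return int(risk.likelihood) * int(risk.impact)


def band(risk: Risk) -> str:
    """Map the cell value to one of the four response bands."""
    s = score(risk)
    if s >= 20:
        return CRITICAL
    if s >= 12:
        return IMMEDIATE
    if s >= 6:
        return SCHEDULED
    return DEFERRED


def prioritize(risks):
    """Order risks for the client: highest score first, then higher impact, then name."""
    return sorted(risks, key=lambda r: (-score(r), -int(r.impact), r.name))


def matrix():
    """Full 5x5 grid of bands: rows are likelihood (high first), columns are impact."""
    return {lk: {im: band(Risk("", lk, im)) for im in Impact}
            for lk in sorted(Likelihood, reverse=True)}


def within_appetite(risk: Risk, tolerated: str) -> bool:
    """Reassessment check: True if the (residual) risk sits in or below the tolerated band."""
    return BAND_ORDER.index(band(risk)) <= BAND_ORDER.index(tolerated)


# Constructed sample findings for a fictional client network (not real data).
SAMPLE_RISKS = [
    Risk("outdated printer firmware", Likelihood.RARE, Impact.MINOR),
    Risk("stale shared-folder permissions", Likelihood.IRREGULAR, Impact.MEDIUM),
    Risk("unpatched internet-facing web server", Likelihood.HIGH, Impact.SEVERE),
    Risk("third-party app with known holes", Likelihood.MEDIUM, Impact.SERIOUS),
]


if __name__ == "__main__":
    for r in prioritize(SAMPLE_RISKS):
        print(f"{score(r):>2}  {band(r):<9}  {r.name}")
    # Reassess the top risk after patching: likelihood drops, impact is unchanged.
    patched = replace(SAMPLE_RISKS[2], likelihood=Likelihood.RARE)
    print("residual acceptable:", within_appetite(patched, SCHEDULED))
```

The band thresholds are where the judgement lives: two risks with the same product can warrant different treatment (a 5 x 1 and a 1 x 5 both score 5), which is why the sort also breaks ties on impact and why the client's tolerated band, not just the score, decides whether remediation is finished.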
Finding the Right Risk Management Tool
While mitigating risks in client networks is important, finding the right tool to do so is critical. A key objective of a risk evaluation is to gather sufficient information about the health of a client network so that the threats to that network can be identified. Once you start crawling and digging through all the ins and outs of a client network, however, you may find so many vulnerabilities that it becomes overwhelming and hard to determine which ones to address first.
After you reveal all of the vulnerabilities in a client network, the next step is to predict the likelihood of their occurrence and how big a disaster they pose to your client. In a worst-case scenario, the tool should show the amount of downtime and data loss that would result if the vulnerability were exploited. You can then share this information with your client to show how the vulnerability can impact business factors such as revenue, profit, service levels and industry regulatory compliance.
If an attacker brings down your client's e-commerce website, for example, the tool should show the total cost of the breach in terms of revenue lost from missed sales transactions, missed revenue due to prolonged downtime and customer dissatisfaction with the client website being offline. The tool should also weigh these consequences according to how dire they are to the company.
MSP Risk Intelligence and Risk Evaluations With Financial Implications
SolarWinds MSP (formerly LOGICnow) provides an industry-leading solution that illustrates an organization's IT risk down to the dollar. MSP Risk Intelligence provides a risk evaluation matrix, charts and other analyses of an entire network's vulnerabilities, all the way down to individual workstations.
MSP Risk Intelligence allows you to provide financial decision makers within any client organization with the hard facts regarding their potential IT risk position. By putting current and potential risks in financial terms, the prioritization and breadth of security measures can be more accurately decided upon and put into action.
Some of the features of MSP Risk Intelligence include:
- Permissions discovery
Analyze the data access permissions for every employee within an organization's network. Get granular risk management data down to users with read, write, execute and special permissions to ensure that only the required employees have appropriate access to sensitive information.
- Personally identifiable information and other protected data
MSP Risk Intelligence automatically scans for protected personal and health information in order to prevent inappropriate data access, transfer and loss. Payment information, financial information and other sensitive data are incredibly costly if breached or lost. Organizations also must ensure they are compliant with HIPAA or other industry regulatory measures regarding such sensitive data.
- Vulnerability scans
MSPs can evaluate their client networks to find data or network ports that are at risk of potential breach or attack. With host-based risk evaluation scans and emerging threat discovery, a careful eye can be kept on a network's security without impacting business continuity.
All of this data is made available for review through detailed risk intelligence reports, which can be exported in PDF, CSV or Excel formats for easy sharing. The reports can also be branded with company logos for use in more formal settings.
Find out how MSP Risk Intelligence can add to your service offerings as an MSP. With our risk evaluation matrix and reporting — in addition to the suite of additional tools from SolarWinds MSP — you can set yourself apart as a provider of dependable and secure services.
Ponemon Institute: www-01.ibm.com/common/ssi/cgi-bin