Myth-busting: Why risk assessments shouldn’t be a one-time thing

We’re kicking off a new series of blogs tackling some of the biggest misconceptions around risk assessments, information security, data protection, regulatory compliance, and other issues that our customers are grappling with.

Today’s theme is one that comes up time and time again: “I’ve completed my risk assessment for this year, so I don’t need to worry about it for another 12 months.” Or: “I completed a risk assessment a few years ago, so I’m all sorted, right?”

In fact, this static, one-time approach to information risk assessments – whether ‘one time’ means once a year or genuinely one time only – is extremely risky for your organisation. Here’s why.

The threat landscape is dynamic…

The threats to the security of your organisation’s data are constantly evolving – and evolving in multiple directions.

There’s the age-old risk of cyber crime. Threat actors are constantly developing new tools and techniques for targeting organisations’ information. New types of malware and social engineering techniques are being discovered, and the security industry is in a constant race to keep up.

But there are other threats to consider too, such as accidental loss or corruption of your information due to new stakeholders having access to it, and failure to comply with relevant legislation and compliance frameworks as the regulatory landscape changes or you expand into new markets.

… and so is your IT infrastructure…

On top of this, in an era of IoT (Internet of Things), Cloud computing, 5G, big data, artificial intelligence, augmented reality and countless other technological innovations, the chances are your IT infrastructure is dynamic too.

The typical enterprise network undergoes numerous changes every day, as devices, applications and users are added, amended and removed. Workloads are migrated to the Cloud, datasets are moved from place to place, analysed and harnessed in different ways, and so on.

In short, the best way of characterising both the state of your IT environment and the threats that it faces is as a state of constant flux.

… so your approach to risk should be dynamic too

Achieving a reliable and robust approach to data protection and risk management in this dynamic landscape requires an equally dynamic approach to information risk assessments. Completing the risk assessment exercise and then leaving it to sit statically while both your IT infrastructure and the threats to your data undergo myriad evolutions is a recipe for, if not disaster, then a rapidly out-of-date assessment. Weaknesses in your overall posture could easily open up and go unnoticed for weeks or months while you wait for the next risk assessment to roll round.
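One practical way to stop a risk assessment going stale between scheduled reviews is to tie re-assessment to the changes the post describes: an asset being migrated, removed or added, or an entry simply ageing past an agreed limit. The following is an added example, not code from the original post or from Vigilant Software; it assumes a hypothetical data model (an asset inventory snapshot as a dict of asset IDs to attributes, and a risk register as a list of entries that name the assets they cover) and a constructed 90-day review limit, and it runs offline on the constructed sample data embedded below.

```python
"""Change-triggered risk re-assessment check (added example, not from the post).

Assumed (hypothetical) data model:
  inventory snapshot: {asset_id: {"owner": ..., "location": ..., "classification": ...}}
  risk register:      list of RiskEntry(risk_id, assets it covers, date last assessed)
The idea: instead of waiting for the annual cycle, re-open a risk entry as soon as
one of its assets changes, disappears, or the entry itself is older than MAX_AGE.
"""
from dataclasses import dataclass
from datetime import date, timedelta

MAX_AGE = timedelta(days=90)  # assumed review cadence; tune to your policy


@dataclass
class RiskEntry:
    risk_id: str
    assets: list
    last_assessed: date


def diff_inventory(old, new):
    """Return (added, removed, changed) sets of asset IDs between two snapshots."""
    added = set(new) - set(old)
    removed = set(old) - set(new)
    changed = {a for a in set(old) & set(new) if old[a] != new[a]}
    return added, removed, changed


def describe_change(old_rec, new_rec):
    """Human-readable list of the attributes that differ between two asset records."""
    keys = sorted(set(old_rec) | set(new_rec))
    parts = [f"{k} {old_rec.get(k)} -> {new_rec.get(k)}"
             for k in keys if old_rec.get(k) != new_rec.get(k)]
    return ", ".join(parts)


def risks_needing_review(register, old_inv, new_inv, today):
    """Map risk_id -> reasons the entry should be re-assessed now (empty dict if none).

    Also reports new assets that no register entry covers at all, under the
    synthetic key "UNASSESSED", so gaps in coverage are surfaced, not just drift.
    """
    added, removed, changed = diff_inventory(old_inv, new_inv)
    reasons = {}
    for entry in register:
        why = []
        for a in entry.assets:
            if a in removed:
                why.append(f"asset {a} removed from inventory")
            elif a in changed:
                why.append(f"asset {a} changed: {describe_change(old_inv[a], new_inv[a])}")
        age = today - entry.last_assessed
        if age > MAX_AGE:
            why.append(f"last assessed {age.days} days ago (limit {MAX_AGE.days})")
        if why:
            reasons[entry.risk_id] = why
    covered = {a for entry in register for a in entry.assets}
    for a in sorted(added - covered):
        reasons.setdefault("UNASSESSED", []).append(
            f"new asset {a} has no risk register entry")
    return reasons


# --- constructed sample data (not real assets or dates) ---
OLD_INVENTORY = {
    "srv-01": {"owner": "finance", "location": "on-prem", "classification": "confidential"},
    "srv-02": {"owner": "hr", "location": "on-prem", "classification": "confidential"},
    "lap-07": {"owner": "sales", "location": "endpoint", "classification": "internal"},
}
NEW_INVENTORY = {
    # srv-01 has been migrated to the cloud; srv-02 was decommissioned; db-03 is new
    "srv-01": {"owner": "finance", "location": "cloud-eu", "classification": "confidential"},
    "lap-07": {"owner": "sales", "location": "endpoint", "classification": "internal"},
    "db-03": {"owner": "analytics", "location": "cloud-eu", "classification": "confidential"},
}
REGISTER = [
    RiskEntry("R-001", ["srv-01"], date(2023, 5, 1)),
    RiskEntry("R-002", ["srv-02"], date(2023, 6, 1)),
    RiskEntry("R-003", ["lap-07"], date(2023, 1, 10)),  # untouched asset, but stale entry
]
TODAY = date(2023, 7, 1)

if __name__ == "__main__":
    for risk_id, why in risks_needing_review(REGISTER, OLD_INVENTORY, NEW_INVENTORY, TODAY).items():
        print(risk_id)
        for line in why:
            print("  -", line)
```

Run against the sample data, every register entry is flagged for a different reason: R-001 because its server moved to the cloud (a change of location and therefore of threat exposure), R-002 because its asset no longer exists, R-003 purely on age, and the new database has no entry at all. In practice the two snapshots would come from whatever inventory or CMDB you already export, and the check would run on each change rather than once a year.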

Furthermore, the rise of Cloud computing means that it has never been easier to take an ongoing and iterative approach to information risk. vsRisk Cloud is designed to help you conduct reliable risk assessments time after time, and when combined with tools such as Compliance Manager and the Data Flow Mapping Tool, they give a truly dynamic, real-time picture of how information is flowing throughout your organisation.

A dynamic approach to information risk is the only option for savvy organisations – and it is easier than you think.


*** This is a Security Bloggers Network syndicated blog from Vigilant Software Blog authored by Nicholas King. Read the original post at: https://www.vigilantsoftware.co.uk/blog/myth-busting-why-risk-assessments-shouldnt-be-a-one-time-thing