DefenseArk #ThreatIntelThursday | Risk Management, Due Diligence, and Due Care

Sarah King, OpenAVN
Published Sep 30, 2021
Week 36: Risk Management, Due Diligence, and Due Care

This article is part of #ThreatIntelThursday @OpenAVN, an ongoing series that offers readers authoritative but easily digestible information about different kinds of malware, how organizations might be vulnerable to attacks, and what they can do to protect themselves. To read past Threat Intel Thursday articles, click here. (We suggest starting from Week 1: Malware.)

Risk

Information security is all about risk. Risk is the combination of a threat of an event occurring and the vulnerability of an organization to that threat. The two elements of risk are the impact of an event occurring and the probability, or likelihood, of the occurrence. After all, the impact of an asteroid hitting planet Earth is effectively infinite because all life on the planet might end — however, the likelihood of that event occurring is extraordinarily low, as such events only occur every 30 or 60 million years. Thus, overall, the risk of an asteroid strike is relatively small.

Due Diligence

Organizations have a responsibility to learn about risks and then take the appropriate measures to reduce those risks. Learning about risks to an organization — including its assets, information, and systems — can be described by the legal term due diligence. Investopedia defines due diligence as an “investigation, audit, or review performed to confirm facts or details of a matter under consideration. In the financial world, due diligence requires an examination of financial records before entering into a proposed transaction with another party.”

Clearly, due diligence is a term that applies to any aspect of an organization’s operations where it must learn about risk. Due diligence allows an organization to understand a risk so it can take proper measures to deal with that risk.

Due Care

Having performed due diligence, once an organization understands the risks it faces, it must undertake the appropriate prudent measures, that is, due care, to deal with the risk. According to the free online dictionary, due care is “the conduct that a reasonable man or woman will exercise in a particular situation, in looking out for the safety of others. If one uses due care then an injured party cannot prove negligence.” Organizations must first know what they need to know to understand risk (due diligence), and then they must do what they need to do (due care).

Addressing Risk in an Organization

Once organizations understand what the risks are, they must deal with those risks by performing one or more of these actions:

  1. Mitigate: To mitigate a risk is to select, implement, and verify controls that reduce the probability or decrease the impact (or both) of the risk occurring. When it comes to digital threats to an organization, a powerful endpoint protection platform is the number one way to mitigate the risk of cyber attacks. As information security professionals, we are programmed to mitigate risk; however, mitigation is only one of four positive ways of dealing with risk.
  2. Transfer: Having another organization take on the risk on the organization’s behalf — the classical definition of risk transference is to buy insurance. Other examples include taking on a partner who can assume some of the risk for some sort of fee, price, or benefit.
  3. Accept: Sometimes mitigating a risk is either too expensive or too impractical, but the benefits of the system far outweigh the risks introduced by that system. Therefore, organizations will logically choose to accept the risk. A classic example for organizations is the use of the internet: certainly, enterprises would be far more secure if they didn’t have to perform operations online, but for most organizations it is far less expensive to accept the risk of cyber attack (which, as seen above, can be mitigated in other ways) than to go offline.
  4. Avoid: If the risks are too great and the options to mitigate or transfer them are either too expensive or too impractical, organizations may choose not to take on the system or project at all. This is known as risk avoidance.
  5. Reject: This is an irresponsible and inactive way of addressing (or rather, not addressing) risk. Rejecting a risk means that the organization either ignores the risk or neglects it. As ignore has the same root as ignorance and neglect has the same root as negligence, neither of these (in)actions is responsible. Ignoring a risk, or not knowing about a risk, is an example of not performing due diligence; neglecting a risk, or not taking measures to deal with it, is a lack of due care.

A crucial step in digital risk mitigation is a solid and reliable endpoint protection platform. BrightScan is a cloud-based, blockchain-powered endpoint protection platform that can be customized to fit your needs; it is user-friendly enough for the home office and powerful enough to protect large enterprises.

Contact our Head of Sales, Jourdan Parkinson, to schedule a free demo of our cloud-based EPP, BrightScan, or just to chat about how our products can work for you.

For more of the latest in cybersecurity, subscribe to DefenseArk’s blog right here on Medium. In addition to Threat-Intel Thursdays, we also write about breaking news, thought leadership, and deep-dives into cyber intel.

About the Author: Ted Udelson, PMP, CISSP, Security+, Network+, A+ is the chief learning officer and cofounder of Succinctive Training, LLC. Ted is also the author of “The Complete, Compact CISSP Study Program: How to Pass the Damn Exam!” Ted brings his over 35 years of experience in information security and technology to inform his writing for #threatintelthursday.
