1
00:00:00,000 --> 00:00:05,520
Welcome to today's Tech for Business podcast.

2
00:00:05,520 --> 00:00:08,920
I am Kelsey, a member of our marketing team sitting down with Matthew,

3
00:00:08,920 --> 00:00:11,320
our GRC analyst and vCISO.

4
00:00:11,320 --> 00:00:15,560
Today we're asking all the very burning questions all about risk assessments.

5
00:00:15,560 --> 00:00:19,880
We're going to kick it off right away with what is a risk assessment?

6
00:00:19,880 --> 00:00:25,200
A risk assessment is the most fun you can have in the cybersecurity space.

7
00:00:25,200 --> 00:00:33,640
The short version is it's an evaluation of your organization from a what could

8
00:00:33,640 --> 00:00:38,600
possibly go wrong paranoid scenario, which is for those of you who've listened to

9
00:00:38,600 --> 00:00:43,080
the other podcasts, the reason that I was brought in for this one because I'm the

10
00:00:43,080 --> 00:00:44,240
paranoid one.

11
00:00:44,240 --> 00:00:48,400
So really what you're trying to do is you're trying to come up with every

12
00:00:48,400 --> 00:00:55,120
scenario that could feasibly impact your business and list them in the

13
00:00:55,120 --> 00:00:55,760
short version.

14
00:00:55,760 --> 00:00:58,400
It's just listing them one after the other.

15
00:00:58,400 --> 00:01:01,160
Nice, making us a to-do list, but a scary to-do list.

16
00:01:01,160 --> 00:01:02,960
A scary to-do list, yeah, exactly.

17
00:01:02,960 --> 00:01:03,800
Nice.

18
00:01:03,800 --> 00:01:07,720
So then who needs to make the to-do list?

19
00:01:07,720 --> 00:01:10,440
Again, short answer everyone.

20
00:01:10,440 --> 00:01:14,480
If you run a business, heck, even at home, I mean, we do these types of things

21
00:01:14,480 --> 00:01:16,800
without thinking every day.

22
00:01:16,800 --> 00:01:19,640
Most of the time people have something like this in their head.

23
00:01:19,640 --> 00:01:23,480
If you've put security cameras up at home, it's because you believe there is a

24
00:01:23,480 --> 00:01:25,720
risk and you want to be able to track that.

25
00:01:25,720 --> 00:01:27,840
You've got locks on your doors.

26
00:01:27,840 --> 00:01:30,680
That's part of a risk assessment saying you don't want someone to be able to get

27
00:01:30,680 --> 00:01:31,600
in.

28
00:01:31,600 --> 00:01:34,920
We're doing the same thing at that cyber security level.

29
00:01:34,920 --> 00:01:38,920
So do you have all the things in place that you need to?

30
00:01:38,920 --> 00:01:42,680
A risk assessment kind of covers things like mitigations as well, which

31
00:01:42,680 --> 00:01:44,840
we'll get into later.

32
00:01:44,840 --> 00:01:47,520
But because of that, everyone needs one.

33
00:01:47,520 --> 00:01:51,240
And even if you aren't really aware that you're doing it, you're probably doing

34
00:01:51,240 --> 00:01:53,400
some things already, so why not document them?

35
00:01:53,400 --> 00:01:56,080
Why not better track that?

36
00:01:56,080 --> 00:01:58,800
So what you're saying is that everybody needs to document what they do?

37
00:01:58,800 --> 00:01:59,880
Yes.

38
00:01:59,880 --> 00:02:01,920
Mind blowing.

39
00:02:01,920 --> 00:02:05,880
So then why are risk assessments done?

40
00:02:05,880 --> 00:02:10,080
So there's a bunch of reasons why they're done.

41
00:02:10,080 --> 00:02:15,800
The primary one is because I'd like to say it's because people really get into it

42
00:02:15,800 --> 00:02:17,040
and they want to get this information down.

43
00:02:17,040 --> 00:02:20,680
But I do think the primary reason people do them is because of their

44
00:02:20,680 --> 00:02:26,760
GRC requirements, whether it's an order from on high, from the executives,

45
00:02:26,760 --> 00:02:29,720
whether it's something to do with their compliance requirements, maybe there's a

46
00:02:29,720 --> 00:02:37,320
NIST requirement, a CMMC, FFIEC, a lot of different industries, banking especially,

47
00:02:37,320 --> 00:02:43,880
are very specific about how often they have to do a risk assessment as well as what

48
00:02:43,880 --> 00:02:47,360
the risk assessment has to include.

49
00:02:47,360 --> 00:02:50,320
So they're generally done for a compliance reason.

50
00:02:50,320 --> 00:02:53,320
I would like to say that they're done because it helps people sleep at night

51
00:02:53,320 --> 00:02:56,680
because that's why I like doing them.

52
00:02:56,680 --> 00:02:59,280
I like having all of that available.

53
00:02:59,280 --> 00:03:03,640
And once you have that listed down, you can see it.

54
00:03:03,640 --> 00:03:09,320
You have a better view of your entire situation.

55
00:03:09,320 --> 00:03:10,000
Makes sense.

56
00:03:10,000 --> 00:03:11,880
So then when should they be done?

57
00:03:11,880 --> 00:03:16,440
Only when the people tell you to or are you saying all the time?

58
00:03:16,440 --> 00:03:20,000
So when the people tell you to, they'll tell you generally that there is a

59
00:03:20,000 --> 00:03:22,240
recurring requirement.

60
00:03:22,240 --> 00:03:23,680
In some cases, that's yearly.

61
00:03:23,680 --> 00:03:25,160
In some cases, it's quarterly.

62
00:03:25,160 --> 00:03:27,040
Personally, I believe it should be continuously.

63
00:03:27,040 --> 00:03:28,440
It should be a living document.

64
00:03:28,440 --> 00:03:34,120
And in much the same way as some of us may keep a grocery list, you should have

65
00:03:34,120 --> 00:03:37,320
this document just ready at your fingertips to be like, oh, I wonder if this

66
00:03:37,320 --> 00:03:38,280
could happen to us.

67
00:03:38,280 --> 00:03:42,000
And then you throw it on the risk assessment for us, for the team or yourself

68
00:03:42,000 --> 00:03:45,960
to do a follow up on it and kind of dig in deeper to what it is.

69
00:03:45,960 --> 00:03:51,920
There's a saying that I think of with this, that most often the best time

70
00:03:51,920 --> 00:03:56,360
to plant a tree is 20 years ago, but the second best time is today.

71
00:03:56,360 --> 00:04:01,160
And that's when it comes to the cyber security side of things, that feels very

72
00:04:01,160 --> 00:04:06,040
relevant to me because there is so much of this that I think as an industry, we

73
00:04:06,040 --> 00:04:09,280
should have been pushing and really, really building towards back in the

74
00:04:09,280 --> 00:04:12,200
early 2000s that we want.

75
00:04:12,200 --> 00:04:18,040
And so a lot of people can feel like this is a thoroughly overwhelming thing.

76
00:04:18,040 --> 00:04:21,560
But just starting it, just getting a couple of things down, having anything at

77
00:04:21,560 --> 00:04:26,240
all is a great start.

78
00:04:26,240 --> 00:04:29,720
And if you don't have it already, you should be doing it this minute.

79
00:04:29,720 --> 00:04:30,440
Pause this.

80
00:04:30,440 --> 00:04:32,800
Go start it.

81
00:04:32,800 --> 00:04:34,200
Pause the super short podcast.

82
00:04:34,200 --> 00:04:34,640
Go start.

83
00:04:34,640 --> 00:04:36,440
Or just walk away with your phone.

84
00:04:36,440 --> 00:04:36,920
100%.

85
00:04:36,920 --> 00:04:38,520
Yeah, that works too.

86
00:04:38,520 --> 00:04:39,400
Either one.

87
00:04:39,400 --> 00:04:43,600
And so then finally, how is a risk assessment done?

88
00:04:43,600 --> 00:04:46,720
So if you just paused and came back to this after filling it out and now have

89
00:04:46,720 --> 00:04:49,960
to figure out how to do it, my bad.

90
00:04:49,960 --> 00:04:53,440
However, there's generally two different ways of doing it.

91
00:04:53,440 --> 00:04:56,320
And these come from, I mean, there's multiple different ways of doing it.

92
00:04:56,320 --> 00:04:57,520
There's no right way or wrong way.

93
00:04:57,520 --> 00:04:59,640
It's about what works the best for you.

94
00:04:59,640 --> 00:05:02,840
There should be also probably multiple people or there probably will be

95
00:05:02,840 --> 00:05:06,080
multiple people in the organization who want to do it different ways.

96
00:05:06,080 --> 00:05:07,920
There's no right way or wrong way.

97
00:05:07,920 --> 00:05:13,200
Just make sure everyone's getting it done in a way that you're not doing it twice.

98
00:05:13,200 --> 00:05:17,400
So the two ways I tend to think about it are top down or bottom up.

99
00:05:17,400 --> 00:05:21,080
And that's based on what view of the organization you have.

100
00:05:21,080 --> 00:05:25,280
So generally when I'm talking with people who are in executive or leadership

101
00:05:25,280 --> 00:05:28,360
positions, they'll want to do it from a top down perspective.

102
00:05:28,360 --> 00:05:31,960
They'll want to say what things can impact the business.

103
00:05:31,960 --> 00:05:36,360
At such a high level that it could break us.

104
00:05:36,360 --> 00:05:41,280
So if you're doing that, we're talking about generally environmental things.

105
00:05:41,280 --> 00:05:46,160
We're talking about what happens if, say, the building is unavailable.

106
00:05:46,160 --> 00:05:47,360
Where are you going to go next?

107
00:05:47,360 --> 00:05:49,360
Do you have a secondary location set up?

108
00:05:49,360 --> 00:05:51,600
Can everyone work from home?

109
00:05:51,600 --> 00:05:56,080
Those types of risks are a top down risk because they don't really require anything

110
00:05:56,080 --> 00:06:00,320
on the business side of things, on the technical side of things to be looked at.

111
00:06:00,320 --> 00:06:05,400
You're talking purely about what would impact businesses as a whole.

112
00:06:05,400 --> 00:06:08,360
The bottom-up side of things is the inverse of that.

113
00:06:08,360 --> 00:06:11,880
So we start with where is our data located?

114
00:06:11,880 --> 00:06:19,160
What happens if that asset, say it's a server, goes fully offline?

115
00:06:19,160 --> 00:06:19,880
What can we do?

116
00:06:22,960 --> 00:06:27,880
In those cases, this is where, as I mentioned before, we start talking about mitigation.

117
00:06:27,880 --> 00:06:31,720
When you do a bottom-up one, you'll often find that there are things in place already

118
00:06:31,720 --> 00:06:33,160
to fix that.

119
00:06:33,160 --> 00:06:39,760
Maybe you're doing things like you have secondary servers in place, high availability,

120
00:06:39,760 --> 00:06:44,600
which means that if one server goes down, another one spins up very quickly to take over.

121
00:06:44,600 --> 00:06:49,160
This can result in little to no downtime from an end user perspective.

122
00:06:49,160 --> 00:06:52,280
Those types of things are mitigations on risks you find.

123
00:06:52,280 --> 00:06:53,520
You should document all of this.

124
00:06:53,520 --> 00:06:57,160
Even if you've mitigated already, you need to make sure that you've listed this is why we did it.

125
00:06:57,160 --> 00:07:00,760
And I said earlier there are times when you'll find you're doing it without thinking.

126
00:07:00,760 --> 00:07:02,280
And that's what this is.

127
00:07:02,280 --> 00:07:04,840
Maybe you've got three or four copies of your backups.

128
00:07:04,840 --> 00:07:10,920
That is you mitigating a risk of what happens if you lose your backups.

129
00:07:10,920 --> 00:07:16,360
So when you're doing it from these two directions, you come from very different mindsets.

130
00:07:16,360 --> 00:07:21,480
And starting from one versus the other is what's going to help you really get as much as possible

131
00:07:21,480 --> 00:07:27,240
because you don't want just one person coming in with one mindset of what a risk is and then

132
00:07:27,240 --> 00:07:28,280
working to that.

133
00:07:28,280 --> 00:07:30,440
You want to come up with as many as you can.

134
00:07:30,440 --> 00:07:33,640
You also really want to dig into things that you don't want to think about.

135
00:07:33,640 --> 00:07:38,360
If you find yourself trying to avoid a topic, dig into it deeper.

136
00:07:38,360 --> 00:07:43,000
A lot of people don't like to or don't want to think about insider threats.

137
00:07:43,000 --> 00:07:53,400
Insider threats, or, sorry, malicious threats, depending on what your terminology is here,

138
00:07:53,400 --> 00:07:57,240
account for up to a fifth of all attacks across some industries.

139
00:07:57,240 --> 00:08:02,440
So make sure you're not just saying what happens if something that is outside of our control

140
00:08:02,440 --> 00:08:06,920
happens like a server goes down or we lose internet for an hour.

141
00:08:06,920 --> 00:08:13,800
Think about things like what happens if there's someone who's maybe unhappy and is actively selling

142
00:08:13,800 --> 00:08:14,360
credentials.

143
00:08:16,040 --> 00:08:18,040
There are a lot of different things that can happen.

144
00:08:18,600 --> 00:08:23,640
And the more thorough you are filling this document out, the better plan you're going to have going

145
00:08:23,640 --> 00:08:25,320
forward to try and resolve them.

146
00:08:25,320 --> 00:08:28,680
So once you fill all those out, do some research.

147
00:08:28,680 --> 00:08:29,880
See what you have in place.

148
00:08:29,880 --> 00:08:31,720
Find what your mitigating items are.

149
00:08:31,720 --> 00:08:36,280
And at the end, you'll basically say, here's what we have.

150
00:08:36,280 --> 00:08:37,880
Here's what we're afraid of happening.

151
00:08:37,880 --> 00:08:40,200
And here's what we've done to try and fix it already.

152
00:08:40,200 --> 00:08:42,520
I am really speeding through this.

153
00:08:42,520 --> 00:08:44,280
There's a bunch of different ways to do it.

154
00:08:44,280 --> 00:08:47,320
But if you do have any questions, please reach out.

155
00:08:47,320 --> 00:08:52,920
And once you've done it all, you'll be able to say, we're comfortable with this risk with the

156
00:08:52,920 --> 00:08:57,720
things we've done to mitigate it, or we aren't comfortable, at which point you can say, then

157
00:08:57,720 --> 00:08:58,520
we need to do more.

158
00:08:59,720 --> 00:09:00,920
Or we're okay with that.

159
00:09:00,920 --> 00:09:03,080
And you end up with a list of things you have done.

160
00:09:04,200 --> 00:09:06,200
You end up with a list of things you want to do more on.

161
00:09:06,760 --> 00:09:11,960
And as you get that list, you can start prioritizing how critical those items are to you.

162
00:09:14,920 --> 00:09:16,520
A risk assessment is basically that.

163
00:09:16,520 --> 00:09:22,520
Overarchingly, more than anything else, it is an evaluation of things that can be done.

164
00:09:22,520 --> 00:09:26,840
Things that can happen to your organization that you are comfortable or uncomfortable with

165
00:09:26,840 --> 00:09:29,480
where you currently sit in opposing that.

166
00:09:30,200 --> 00:09:37,640
And until you've got the full list in place as much as you can and really evaluate what's in place,

167
00:09:38,600 --> 00:09:40,040
you're not going to be able to answer that question.

168
00:09:41,080 --> 00:09:45,560
Ignorance is not bliss, especially not when it comes to things that you can't control.

169
00:09:46,200 --> 00:09:49,160
And a risk assessment tries to cover as much of that as possible.

170
00:09:49,160 --> 00:09:52,680
You wrapped it up perfectly, right?

171
00:09:52,680 --> 00:09:54,440
When you were like, contact us for more information.

172
00:09:54,440 --> 00:09:56,440
I was like, yeah, you can just do marketing's job.

173
00:09:56,440 --> 00:10:00,760
But thank you so much for sitting down today answering at the very high level.

174
00:10:01,320 --> 00:10:04,280
As you alluded to, if anybody listening has any questions at all,

175
00:10:04,280 --> 00:10:07,240
we are here to help even if you're not located nearby.

176
00:10:07,240 --> 00:10:08,440
We'd still love to chat with you.

177
00:10:08,440 --> 00:10:11,720
Reach out to us at info at cit-net.com.

178
00:10:11,720 --> 00:10:16,760
Or you can head out to our website, cit-net.com, backslash podcast.

179
00:10:16,760 --> 00:10:23,320
Thanks again. We'll be back next week with another episode.

