A number of years ago I was engaged to undertake a preliminary PCI-DSS compliance assessment for an organisation. After a short period of time I concluded that digitally there was not a lot that needed to be done to become compliant.
On strolling around the floor however I was horrified to see, where anyone could access, a lever arch file that contained hundreds of pages documenting the personal details of people who I would have called high net worth individuals. Included in the folder were scanned images of credit cards and associated signatures. This will now have been rectified.
What I was seeing was an attitudinal failure to the the application of appropriate security protocols. The workspace was supposedly secure so therefore so was the printed data. Never mind the actual PCI-DSS requirements.
I have noticed similar attitudes in many organisations when it comes to establishing appropriate risk mitigation strategies.
It seems to be ‘If it hasn’t happened in the past why should it happen now’ or ‘Why introduce processes to make work more difficult’. Consequently little is done to manage risk.
Establishing a process to manage risk is not difficult. With a sufficient understanding of the business it should be possible to identify existing risks and those associated with future change.
Where a risk has been identified a rational decision on what to do about it should be made. The risk should be analysed. Questions such as:
- What is the likelihood of the risk occuring?
- What will be the impact be on the business if it occurs?
- What mitigating strategies can be put in place?
- What is the cost of mitigation?
The question can then be asked, ‘Should mitigation be applied?’ The question ‘Can we afford not to mitigate the risk’? should also be asked.
In the case of PCI-DSS Compliance in the above example the cost of mitigation was low. The file should not have existed. The likelihood of a security breach was deemed low but it was possible. The financial and reputational impact on the organisation in the event of a breach would have been significant. Mitigation needed to be established to both manage the risk and to achieve compliance.
I find it interesting that individuals will lay out significant sums of money in order to secure a benefit even where the likelihood of success is low. (ie buying Lotto ticket). That same individual is reluctant to invest in something that will potentially reduce the size of a possible loss.
Risks should be managed. A laissez-faire approach to business can have dire consequences.
If the risk eventuates without mitigating strategies ‘It won’t be right’ .
