Most organizations spend a lot of money trying to prevent damage to information assets. Typical measures are firewalls, anti-malware, authentication, authorization … But sadly most organizations forget there are three dimensions to proper risk management:
- Prevent. Measures to prevent risks from becoming reality. This is where typically most investments are done.
- Detect. Detect, after the fact, that something damaging happened to information assets. This is not limited to mere detection but also includes determining the actual impact.
- Recover. Undo the damage that was done, ideally as if nothing happened but minimally to a level accepted by the organization. A good detection, specifically of impact, is needed to properly recover.
It is amazing how much money is spend on the first dimension and how little is spend on the other two. Yet a good information risk management consists of a good balance between all three dimensions.
- If you are not good at detecting damage to information assets, how can you know how well your prevention is performing?
- If you can detect an intrusion but you have no idea what they did, how can you recover?
Prevent, detect and recover is not limited to attacks from hackers, human or technical errors are as damaging as hackers.
Imagine you periodically receive a file from an external party, this file is to be processed and will result in updates to the database. A responsible organization will take typical measures like signing and encrypting the file, verifying it’s structure using a schema … all aimed at preventing damage. But what if the external party made an honest error and supplied you with the wrong file?
None of the earlier measures will prevent the damage to your database. Even if you can’t automatically detect this damage, perhaps you’ll have to wait for a phone call from the external party, you can take measures to recover. Database schema’s and the updates could be crafted in such a way that you can “rollback” the processing of the erroneous file.
Information risk management should not be limited to prevention, but balance it with detection and recovery. It should also give sufficient attention to risks originating from human or technical errors. In fact, most damage will come from this and not from malicious users or hackers.