
5 Reasons Risk Assessments Are Now More Important Than Ever

There are at least five good reasons risk assessments are more important than ever—and should be prioritized accordingly. Learn more in this post.


There are all sorts of tasks organizations know they should do to protect sensitive data, but that somehow fails to rise to the top of the list of priorities. All too often, one of the tasks that falls through the cracks is a thorough risk assessment to evaluate everything from the IT architecture to data access policies and incident response plans.

It was never a good idea for organizations to put off their risk assessments, but these days there are at least five good reasons risk assessments are more important than ever—and should be prioritized accordingly.


1. Compliance is becoming more complicated

One of the main reasons to conduct a risk assessment—and to repeat it on a regular basis—is to ensure that your organization is in full compliance with all state and federal regulations regarding, among other things, how to handle private and sensitive information.

Regulations keep changing and in some cases are becoming even more difficult to keep track of. For instance, 40 states now require a risk of harm analysis to assess whether any given incident requires a breach notification to affected individuals. Each state's requirement is unique and some have changed in recent years, so organizations have to incorporate those changes into their incident response plans—which should be evaluated as part of the overall risk assessment.

2. Consumer expectations are higher than ever

Despite ongoing reports of consumers’ so-called “data breach fatigue,” the fact is that consumers continue to expect data privacy and security from the organizations with which they interact. As a survey by EMC showed, 77 percent of consumers also believe it is very important or important that service providers “promptly notify” them when their personal data is lost or stolen.

Again, as part of a thorough risk assessment, organizations should establish incident response plans so they’re ready to respond quickly when a data breach occurs. By planning ahead, organizations can limit both the financial impact of a breach and the reputational damage that comes with it.

3. Risk assessments are your first line of defense

When done right, risk assessments are your first line of defense in preventing data breaches. By identifying potential weaknesses in security controls, data access policies, and other areas, organizations can identify incidents earlier and potentially prevent some data breaches from occurring.

Risk assessments are especially important following mergers and acquisitions, which create a new, combined entity with its own set of IT, regulatory, and other challenges. Even less significant organizational changes—such as production of a different product, addition of new services, or expansion into another industry—require risk assessments to ensure that every element of the organization remains secure.

If this seems like a lot of work, note that avoiding even one data breach could save the organization tens of thousands of dollars, more than offsetting the cost of the risk assessments.

4. Judgment calls are not good enough

Incident response plans should include a thorough risk of harm analysis to determine whether the incident rises to the level of a data breach. Unfortunately, some organizations lack the expertise, experience or tools to perform proper risk of harm analyses, so instead they make repeated judgment calls.

Basing important business decisions on flimsy evidence or daily whims was never a good idea, but it’s an especially bad idea now, when government scrutiny is particularly intense and customer expectations have never been higher.

The HITECH Act’s four-factor analysis provides a good starting point for any organization, in healthcare or other fields (where protected data of any sort can be substituted for protected health information). As part of the risk assessment process, make sure that every incident will be evaluated across at least these four factors:

  • The nature and extent of the protected health information (PHI) involved
  • The identity of the unauthorized person who impermissibly used the PHI or to whom the impermissible disclosure was made
  • Whether the PHI was actually acquired or viewed, or whether only the opportunity to do so existed
  • The extent to which the risk to the PHI has been mitigated

5. More incidents of more kinds, involving more data, are likely

In 2015, there were more reported data breach incidents than in any year prior, and it’s likely that another unfortunate record will be set in 2016. In addition, we are seeing more refined versions of “old” forms of attack like spear-phishing as well as entirely new forms of attack, such as ransomware, perpetrated by increasingly well-financed hackers.

Another issue that should concern any organization that handles healthcare data is the rapid rise in medical identity fraud. The Fifth Annual Study on Medical Identity Theft found that this form of fraud nearly doubled from 1.4 million adult victims in 2010 to over 2.3 million in 2014.

Through regular risk assessments, organizations can make sure they are properly defended against new and emerging threats and have the right policies and procedures in place to respond promptly when and if breaches occur.

Is Your Risk Assessment Process Good Enough?

Most organizations know that risk assessments are necessary, but many still do not implement sufficiently stringent and thorough risk assessment processes. Imagine the public response options for such organizations when a breach happens:

  • “Sorry, we didn’t have a good understanding of all our risks.”
  • “Sorry, we made a judgment call that didn’t work out.”
  • “Sorry, we were doing just enough to be compliant and apparently it wasn’t quite enough.”
  • “Sorry, we just now discovered this incident, which occurred two years ago…”

To avoid those nightmare public relations scenarios, organizations would be wise to move regular risk assessments to the top of their list of priorities.


About IDX

We're your proven partner in digital privacy protection with our evolving suite of privacy and identity products.