It is still recommended to use a formal risk management strategy. But given that this strategy is fairly complex, a company may well plan to proceed using a less formal method, mainly based on “quick wins” or experience and best practices.
For dealing with risk, a company will usually have the following options:
Risk management is the best way to deal with risks. Without the right tools, this strategy is unfortunately outside the scope of most organisations, for reasons of cost and complexity.
Before setting off on this road to excellence, a lot of companies prefer to opt for a more pragmatic strategy.
A company which has decided not to proceed with the risk management method can achieve a high level of security at any time if it adopts best practices relating to the various types of assets. This strategy, however, is not enough if the company has very specific needs in terms of security.
It could also prove disadvantageous in terms of costs for companies with low security requirements, as it proposes the introduction of best practices without taking into account the true needs of the company.
The adoption of best practices is recommended in the following fields:
The adoption of best practices in the following fields is also advisable:
To deal with risks, a company may therefore decide to implement a risk management process and implement best practices for the different types of assets.
Alongside these more or less exhaustive strategies, which all focus on the protection of different important and vital assets of the company, each company could start thinking about threats and vulnerabilities. This approach is not exhaustive and should not be deemed to be sufficient, as it does not focus on the important or vital assets of the company.
A threat analysis can be treated as an optional approach enabling a more detailed study of certain threats, and ensures that no threat has been overlooked in the risk management strategy or the strategy based on best practices.
The most widespread threats are:
The analysis of vulnerabilities is nothing more than an optional process running alongside the treatment of risks through the implementation of a risk management process or the implementation of best practices.
Without going into too much detail, we can list four types of vulnerabilities that should be addressed. By implementing security measures, we aim to lower these vulnerabilities and therefore reduce risks.
Fear, curiosity, libido, greed and pity are examples of human vulnerabilities. These vulnerabilities can be easily exploited on people who are ill-advised or unaware of the issues.
Without decent organisation, security measures cannot be effective or efficient. A charter, or even a security policy should be introduced.
There are many technical vulnerabilities. Errors in the operating system, software, missing or erroneous firewall rules, etc. Security measures must be introduced in order to mitigate these technical vulnerabilities.
In terms of physical security, many companies have a lot of weaknesses that it is important to eliminate.