
Data is the lifeblood of companies and organizations around the world today, and it is only becoming more valuable, as well as more difficult to protect. Organizationally, the volume of data businesses handle keeps growing, while culturally the boundaries are blurring as more employees work from home and use the same personal and professional devices to reach corporate systems.

In short, data represents both the greatest opportunity and the greatest risk for today’s organizations. 

In light of new data breach laws with fines ranging from millions to billions (yes, billions) of dollars — as demonstrated by recent actions against Google and Facebook — organizations big and small are being forced to reconsider their security and privacy strategies. Ultimately, there is no such thing as perfect security, which leaves it up to individual businesses to balance the benefits of the free flow of information with the risks of inappropriate access and/or disclosure.


Calculating Risk and Compliance

At its simplest, compliance means conforming to specific rules and requirements. At an organizational level, compliance is achieved through management processes that identify the applicable regulations, assess the current state of compliance, evaluate the risks and potential costs of non-compliance, and prioritize the funding and execution of whatever corrective actions are deemed necessary.

Risk is the potential that a chosen action or activity (including the choice of inaction) will lead to a loss, or undesirable outcome. Common definitions of risk look at the severity or impact of a negative event, like an exposure of information or a data breach, on either a company or an individual data subject (under regulations like GDPR), as well as the likelihood that this event may happen. That is to say:

Risk = the severity or impact of an event × the likelihood it will happen

If we were to graph this on a matrix chart, it would look something like this:

[Figure: risk matrix, probability against severity. Credit: Industry Safe]

When it comes to cybersecurity, an organization could face three principal risks in the event of a data breach:

  1. Business/Operational Risk: Direct or indirect loss resulting from key failures in an organization’s systems, people, processes and procedures.
  2. Reputational Risk: Harm to an organization’s reputation or public image.
  3. Legal and Compliance Risk: The potential for loss or damage from the legal or regulatory consequences of a breach.


A Risk-Based Approach Just Makes Sense

Threats may come from outside or inside the organization, and may be deliberate or accidental. In a world where an organization simply cannot eliminate every risk or protect every asset equally, learning how to apply a systematic, risk-based approach to every data decision is critical. Consider which information and systems are available to whom: who needs access, and who does not? Seek out experts and trusted sources where appropriate. For example, the National Institute of Standards and Technology has published a Risk Management Framework, a methodology for taking a more measured and programmatic approach to managing risk.

While it may sound overly simplistic, viewing each element of a security and privacy program through the lens of risk management is best practice for every organization today. Once you have estimated the impact of a potential event and the likelihood that it will occur, you can take proactive, appropriate and proportionate measures to reduce that risk. This kind of calculation can be used not only to justify the cost of the program, but also to demonstrate corporate responsibility in the face of legal or regulatory scrutiny.

Organizations must be vigilant in creating enforceable policies, training programs and automated controls that prevent inappropriate access to sensitive data and monitor its authorized use and protection, whether or not that data is subject to regulation. Fundamentally, these measures reduce the risk of regulatory and statutory penalties. More importantly, a systematic, risk-based approach will go far toward preventing the unnecessary erosion of employee or consumer confidence that follows a breach or loss of sensitive data.