In all sectors, technology has become a vital aspect of operations and has transformed the workplace, but that dependence on technology also poses a threat to organizational wellbeing. Data breaches, system failures and malicious attacks, as well as natural disasters that impact technology, can wreak havoc on company reputations, regulatory compliance and fiscal health.
In some cases, the damage from these events is long-term or irreversible. A proactive strategy to mitigate tech risks is a foundational aspect of operations. Your company needs a plan that prevents these risks, responds to them and continuously monitors for them.
Monitoring and Managing Risks in Technology
The adage, “An ounce of prevention is worth a pound of cure,” is entirely applicable to monitoring and managing tech risks.
A whole-organization system is necessary, one that assesses and monitors data from end to end, all the way to the end user.
The first step in creating such a system is to identify risks and harmful situations that can occur. For IT risk assessments, that begins with evaluating valuable systems, sensitive data and company operations. Consider the organizational information that might be valuable to hackers.
Systems and operations that store, maintain, use and process this data should be scrutinized for vulnerabilities. Beyond your own systems, who holds this data? Consider vendors and other third-party entities, as well as employee cell phones and computers. Explore shared information and possible outcomes of data exposure. What safeguards are in place to protect the organization? Do you have a program for Vendor Risk Management (VRM)?
As for monitoring, it is not enough to put procedures in place and walk away, trusting that they will remain adequate forever. In effect, you need to continuously monitor your monitoring system.
Risks change over time, some increasing and others decreasing. Does your monitoring system follow and adapt to these trends in risk? Evolving and new risks can be discovered by examining industry trends, software vulnerabilities, and corporate and vendor operations.
What triggers mitigation and response to tech risk at your organization? One definition of trigger is, “a single predefined event or change in status, which indicates that an actual or potential risk has occurred or is about to occur.” In management of technological risk, those triggers need to be determined when conducting risk assessments.
Leaked passwords, suspicious emails, stolen or lost devices and potentially exposed data are examples of triggers.
In managing tech threats and risks, it would be wise to thoroughly scrutinize vulnerability to internal threats, according to security expert Marc van Zadelhoff. In his Harvard Business Review article, van Zadelhoff cites IBM findings from the 2016 Cyber Security Intelligence Index, which determined that more than half of all attacks were the result of insiders; roughly seventy-five percent of those involved malicious intent, and the rest were due to human error or were otherwise unintentional.
What monitoring systems are in place for insider threats? What triggers has your organization defined for suspicious or potentially malevolent internal activity? How do you monitor the viability of your backup data and systems?
As with other aspects of your program, triggers must be continuously monitored. If a risk changes, or a new risk emerges, the triggers that determine response and mitigation will likely need to change as well. And of course, thresholds should be established so that procedures change as a risk escalates.
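To make the idea of triggers and escalation thresholds concrete, here is a small evaluator added as an illustration; it is not code from the article or from any product it mentions. The trigger types are the ones the article lists (leaked passwords, suspicious emails, lost devices, exposed data), while the severity values, the three response tiers, the 24-hour window and the repeat threshold of three are assumed placeholders that a real program would set during its own risk assessment. Each trigger type starts at a base response tier; if the same trigger fires at least the threshold number of times inside the window, the tier is bumped one step, which is the "threshold" behaviour the paragraph describes.

```python
"""Trigger and escalation-threshold evaluator (illustrative example).

Assumed values: severities, tiers, WINDOW and REPEAT_THRESHOLD are
placeholders, not a standard; set them from your own risk assessment.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Triggers identified during the risk assessment, mapped to a base
# severity from 1 (low) to 3 (high). Values are assumed for illustration.
TRIGGER_SEVERITY = {
    "leaked_password": 2,
    "suspicious_email": 1,
    "lost_device": 2,
    "exposed_data": 3,
}

# Response tiers in ascending order; severity n maps to TIERS[n - 1].
TIERS = ["monitor", "respond", "escalate"]

# Threshold: this many events of one type inside WINDOW raises the tier by one.
REPEAT_THRESHOLD = 3
WINDOW = timedelta(hours=24)


@dataclass(frozen=True)
class Event:
    when: datetime
    kind: str    # one of the keys in TRIGGER_SEVERITY
    actor: str   # user or device that produced the event


def base_tier(kind: str) -> str:
    """Map a trigger's base severity to its starting response tier."""
    sev = TRIGGER_SEVERITY.get(kind)
    if sev is None:
        raise ValueError(f"unknown trigger: {kind}")
    return TIERS[sev - 1]


def bump(tier: str) -> str:
    """Move one tier up; the top tier stays where it is."""
    return TIERS[min(TIERS.index(tier) + 1, len(TIERS) - 1)]


def evaluate(events, now: datetime) -> dict:
    """Return {trigger kind: response tier} for events inside the window.

    Each trigger type seen in the window gets its base tier; reaching
    REPEAT_THRESHOLD occurrences inside the window escalates it one tier.
    Events older than the window are ignored entirely.
    """
    recent = [e for e in events if now - WINDOW <= e.when <= now]
    result = {}
    for kind in sorted({e.kind for e in recent}):
        tier = base_tier(kind)
        hits = sum(1 for e in recent if e.kind == kind)
        if hits >= REPEAT_THRESHOLD:
            tier = bump(tier)
        result[kind] = tier
    return result


# Constructed sample events (not real data): four suspicious-email reports,
# one of them outside the 24-hour window, plus a single lost device.
NOW = datetime(2024, 1, 10, 12, 0)
SAMPLE_EVENTS = [
    Event(NOW - timedelta(hours=30), "suspicious_email", "alice"),  # too old
    Event(NOW - timedelta(hours=5), "suspicious_email", "bob"),
    Event(NOW - timedelta(hours=3), "suspicious_email", "carol"),
    Event(NOW - timedelta(hours=1), "suspicious_email", "dave"),
    Event(NOW - timedelta(hours=2), "lost_device", "erin"),
]

if __name__ == "__main__":
    # Three in-window suspicious emails cross the threshold, so the
    # low-severity trigger is escalated from "monitor" to "respond".
    for kind, tier in evaluate(SAMPLE_EVENTS, NOW).items():
        print(f"{kind}: {tier}")
```

The point of separating `TRIGGER_SEVERITY`, `REPEAT_THRESHOLD` and `WINDOW` from the logic is the one the article makes: when a risk changes, the values are what you revisit, and the evaluator itself stays the same.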
Plan for Worst Case Scenarios
In addition, it is vital to have a business continuity plan (BCP) that includes protocols for handling IT disruptions and reestablishing services so that primary organizational objectives can still be met. Even unplanned downtime due to a simple power outage can hurt your revenue streams in a big way. Some statistics cite the average cost per minute of downtime at a staggering $5,600, or well over $300,000 per hour. For unplanned outages impacting call centers, a recent study estimates the cost per minute at $7,900, forty-one percent higher than previous findings.
Ouch. Those are painful numbers to contemplate.
Further, in the event of a tech disaster, such as a cyberattack and a breach of Personally Identifiable Information (PII), the speed, transparency and efficiency of your company's response are critical to its reputation. Worst-case scenarios should be planned for in table-top exercises, up to and including press releases and regulatory and customer notifications. What would happen if PII were held for ransom or corporate data were destroyed?
In an era that (rightly) demands transparency of corporations, hiding organizational transgressions is not favorable in the eyes of the public and can have long-term impacts that haunt your company's name long after a breach. Probing this area and planning for crisis response are critical in today's ever-evolving world of data security.