By now, we all know the fallout from an IT security crisis can be extremely serious. Businesses at the sharp end of high-profile problems, such as Sony and Carphone Warehouse, are still picking up the pieces.
Even after the security flaw has been addressed and operations are functionally in better shape than before, the business impact can linger.
Here are five reasons why businesses need to focus on the business risk of IT security.
1. Assume the worst could happen – even if it never does
The business risk of an IT security failure is very real. We have all read about the very high-profile attacks, mistakes and disasters that have been particularly damaging because of their sheer scale or because there’s a well-known brand involved.
But many organisations continue to assume they are unlikely to be the subject of an attack, breach or outage. Applying that mentality to other areas of business risk, such as insurance, would be inconceivable.
Most people, thankfully, have never been at a place of work which has been affected by fire or flooding – that doesn’t mean they shouldn’t work to prevent it.
There are undoubtedly many more examples where the risks have turned into reality but never make the news. The healthiest approach is to plan on the basis that the risk is real for you, in your circumstances and in your organisation, and to take action accordingly.
2. Fully assess what is at risk
But where do you start? Planning to protect is a big enough challenge even when the breadth of IT and data assets is understood. Unfortunately, many organisations don’t audit or have a grip on their entire IT infrastructure, making it more difficult still.
To protect your network perimeter properly you need to understand the risks across the entire IT environment – the technology that exists within the business and the areas of potential exposure when working with external partners. Don’t forget it’s also a wider discussion than just data – technology risk assessments should include all IT assets wherever they reside.
Risk assessments can be a challenge, and many organisations could do a lot to improve. It’s not uncommon, for example, for the individual responsible for assessing risk to download a checklist template from the internet and tick off against it, assuming it will cover all the possibilities.
In most cases, these are simply too generic and not fit for purpose – risk assessments need to be comprehensive and bespoke.
As more organisations begin to implement private and public cloud technologies, a company’s network perimeter widens and the risk assessment and security considerations broaden. Organisations need to remember that any element of an outsourced security strategy needs to be considered as a point of risk.
3. Give responsibility to the right people
In every organisation, someone needs to take responsibility for IT security risk and strategy. For any business with an IT leader or team, the obvious approach is to place responsibility with them. They understand IT, so they are the logical people to understand IT security.
But to be truly effective, an approach to data risk and security needs to be impartial. Risk assessments need to adopt a brutally honest ‘warts ’n’ all’ approach to inform the subsequent security strategy in the most effective way. That job should be allocated to another business or security expert outside of the IT team, irrespective of the size of the organisation.
This can present a range of challenges. Many businesses don’t have dedicated IT staff, or leaders with the right level of experience or knowledge to focus on risk and security. Even for those organisations with greater resource, finding and retaining people who can act as the impartial expert is difficult, given the current high levels of demand for their services.
Technology partners can resolve this challenge and play a vital role, given their specialised experience and the advantage they present by doing the job all day, every day. Every organisation should aim for an appropriate level of impartiality, whether that comes from their own staff or from a trusted third party.
4. Plan for rapid recovery
Most organisations, quite rightly, focus on prevention. Very few look beyond that point and put a strategy in place to help the business recover as quickly as possible when a security problem has occurred.
For the most high-profile attacks, the time and cost of repair can be very significant – Sony, for example, released figures to counter some estimates that their 2014 security breach could eventually cost up to $100 million. The correct amount, according to Sony, was only $35 million – still a large sum for any organisation.
Part of the problem lies in organisations lacking the systems and skills to recover as quickly as possible from a security crisis, irrespective of its scale. It’s important for businesses to factor the business risk associated with recovery into their planning, and to have an infrastructure in place that can adapt quickly to a security breach and allow the business to return to normal trading without undue delay.
5. View strong risk management and security as an enabler
IT risk and security failures are generally seen as something to mitigate. The best outcome that can be expected is that the risks never turn into reality.
But for those who have taken the most advanced approach to the security issue, risks can begin to turn into opportunities. Combine that with the ability to demonstrate excellence in risk management and IT security becomes a differentiator and an area of competitive advantage. In our connected economy, businesses with a superior approach to IT risk and security will score points over a rival who does the bare minimum.
Ultimately, protection against IT risk is a question of degree – no one claims that we are close to solving IT security challenges once and for all. But adopting an approach which focuses on business risk can allow businesses to move forward more confidently than before.
Sourced from Kevin Linsell, Adapt