IT risks come in many forms. Most stay hidden until they disrupt the business and cause losses. A common mistake is to ignore these risks or to deal with them ad hoc. We instead adopt a formalised approach: every element of your infrastructure is reviewed, risks are categorised, and recommendations are put forward.
How we manage your IT risks
Brainstorm possible risks
Obtain input from the relevant parties to identify key systems, key data stores, key digital assets and services.
Scan for weaknesses
Assess system exposure by scanning running processes, patch levels, the number of systems, network structure and segmentation.
Rank Business Risks
Risk is the product of probability and impact. Quantify each risk on that basis and rank the results to obtain a full picture.
Review Policies
As part of remediation, policies may need to be adjusted to maximise risk mitigation. The depth and scope of a policy determine whether it is effective.
Patch Systems
Determine which systems need patching and how often. Automate patching and updates. Decommission obsolete and unnecessary systems.
Monitor and Review
Report on day-to-day monitoring, escalation and mitigation. Measure the success of risk mitigation against real-world incidents.
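The ranking step above (risk = probability x impact) is easy to state but only useful once it is applied consistently across a whole register, so here is an added worked example, not code from this page or its authors. It builds a small risk register, validates the inputs, ranks the entries by expected annual loss, picks the subset that accounts for most of the total exposure, and tests whether a proposed control is worth its cost. The risks, assets, probabilities and impact figures are constructed assumptions for illustration, not measured data.

```python
"""Rank IT risks by expected loss (probability x impact).

Added example. All register entries, probabilities and impact values
below are constructed assumptions, not data from any real assessment.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    asset: str
    probability: float  # assumed annual likelihood, 0.0 to 1.0
    impact: float       # assumed loss if it occurs, in currency units

    @property
    def score(self) -> float:
        """Expected annual loss: the probability x impact product."""
        return self.probability * self.impact


def validate(risk: Risk) -> None:
    """Reject out-of-range inputs before they silently distort the ranking."""
    if not 0.0 <= risk.probability <= 1.0:
        raise ValueError(f"{risk.name}: probability must be in [0, 1]")
    if risk.impact < 0:
        raise ValueError(f"{risk.name}: impact must be non-negative")


def rank_risks(risks):
    """Return the register ordered from highest to lowest expected loss."""
    for r in risks:
        validate(r)
    return sorted(risks, key=lambda r: r.score, reverse=True)


def top_risks(risks, coverage=0.8):
    """Smallest prefix of the ranked list that covers `coverage` of total
    expected loss, i.e. where remediation effort should go first."""
    ranked = rank_risks(risks)
    total = sum(r.score for r in ranked)
    if total == 0:
        return []
    chosen, running = [], 0.0
    for r in ranked:
        chosen.append(r)
        running += r.score
        if running / total >= coverage:
            break
    return chosen


def control_pays_off(risk, annual_cost, reduced_probability):
    """A control is justified when the expected loss it removes per year
    exceeds what it costs per year (the cost of non-investment made explicit)."""
    validate(risk)
    reduced = Risk(risk.name, risk.asset, reduced_probability, risk.impact)
    validate(reduced)
    return risk.score - reduced.score > annual_cost


# Constructed sample register (hypothetical assets and figures).
REGISTER = [
    Risk("Unpatched file server exploited", "FS01", 0.30, 250_000),
    Risk("Laptop with client data lost", "Fleet laptops", 0.50, 40_000),
    Risk("Ransomware via USB drive", "Workstations", 0.10, 800_000),
    Risk("Cloud vendor outage", "SaaS CRM", 0.20, 30_000),
    Risk("Insider copies design files", "Engineering share", 0.05, 500_000),
]

if __name__ == "__main__":
    for r in rank_risks(REGISTER):
        print(f"{r.score:>10,.0f}  {r.asset:<18}  {r.name}")
    print("Top risks covering 80% of exposure:",
          [r.asset for r in top_risks(REGISTER)])
    # Hypothetical control: automated patching of FS01 at 10,000/yr,
    # assumed to cut the exploit probability from 0.30 to 0.05.
    print("Patching FS01 pays off:",
          control_pays_off(REGISTER[0], 10_000, 0.05))
```

Note that a low-probability, high-impact entry (the USB ransomware case) ranks above the "likely but cheap" laptop loss, which is exactly what a simple likelihood-only ranking would get wrong; the coverage cut-off then gives a defensible answer to "which risks do we remediate this quarter".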
A few examples of IT risks
Corporate Espionage
Knowledge workers typically enjoy unfettered access to company files for optimal team engagement and service delivery. However, this also allows unauthorised duplication, publication and dissemination of that data. Combined with the structures of end user computing (EUC), it allows uncontrolled and often unmonitored theft of data. Data structures, segmentation and controlled access are only part of the answer. Management needs to identify the core data stores and understand how they must be protected. Protection results from technical, legal and structural measures.
Malware
Complexity is the enemy of security, and the network landscape is becoming increasingly complex. We enjoy a vast array of connected "smart" devices, built under the age-old pressure to rush to market, so it is no wonder that major system breaches continue. Some are proofs of concept; others involve serious loss of information. A single USB thumb drive can bring down a corporate network and result in massive losses.
Risks:
• Loss or theft of critical information
• Corruption of company data or systems
• Loss of productivity
• Overwhelming IT resources to deal with the problem
• Loss of confidence in the organisation
• Hardware damage
Cyber security and incident response risk
IT Project Backlog
Economic pressures cause essential IT investments to be deferred. As a result, IT projects are not undertaken, leaving systems vulnerable or unable to deliver what is needed. In essence this treats the IT function as a cost centre, where optimal delivery means the lowest cost that provides short-term delivery, and IT is never seen as critical to operations. This strategy never identifies the cost of not investing. It is akin to saving on medical insurance and never going to the doctor for check-ups, so that disasters are seen as "bad luck".
Risks:
• Failure to identify consequences of lack of investment.
• Business objectives not being met due to project delays.
• Failure to roll out IT projects at all
• Projects conducted with inadequate budgets, leading to shortcuts
Cloud Computing
IT resilience and continuity
IT Governance
These days it is common to source IT services from multiple vendors. Each vendor has its own standards and methodologies, and in some cases vendors compete to supply the same service. Furthermore, if an established vendor is unavailable or fails to provide a required service, it may be obtained from another party, leaving the business with gaps in how goods and services are supplied. For example, hardware may be supplied that is incompatible with, or supported differently from, the corporate standard; similarly, services may be at odds with existing deployment methodologies.
Risks:
• Failure to comply with corporate IT policies and controls.
• Operational impacts - failure to deliver hardware or service as needed.
• Security risks that stem from inadequate deployment or documentation.
• Regulatory violations which place the organisation at risk of fines.
• Duplication of effort, increased costs and inefficiencies.