IT Risk Management

IT risks come in many forms. Most of them stay hidden until they disrupt business and result in losses. A common mistake made by most businesses is to either ignore these risks or deal with them on an ad-hoc basis. Instead, we adopt a formalised approach: every element of your infrastructure is reviewed, risks are categorised, and recommendations are put forward.

How we manage your IT risks

Brainstorm possible risks

Obtain input from relevant parties to identify key systems, key datastores, key digital assets and services. 

Scan for weaknesses

Assess system exposure by scanning for running processes, patch levels, number of systems, network structure and segmentation.

Rank Business Risks

Risk is the product of probability and impact. Each type of risk is quantified on this basis and the results are ranked to give a full picture.

Review Policies

As part of remediation, policies may need to be adjusted to ensure maximum risk mitigation. The depth and scope of policies are critical for them to be effective.

Patch Systems

Determine which systems need patching and how often. Automate patching and updates. Shut down all obsolete and unnecessary systems.

Monitor and Review

Report on day-to-day monitoring, escalation and mitigation strategies. Determine the success rate of risk mitigation against real-world examples.

A few examples of IT risks

Corporate Espionage

Knowledge workers typically enjoy unfettered access to company files for optimal team engagement and service delivery. However, this also allows for unauthorised duplication, publication and dissemination of such data. Combined with the structures of EUC (End User Computing), it allows for uncontrolled and often unmonitored theft of data. Data structures, segmentation and controlled access are only one part of this. Management needs to identify core data stores and understand the ways in which these need to be protected. Protection is the result of technical, legal and structural measures.

Risks:
• Intellectual Property loss or duplication
• Intellectual Property leaks to competitors
• Intentional publication of unauthorised company data
• Legal violations that stem from data being leaked or unprotected
 

Malware

Complexity is the enemy of security. The network landscape is becoming increasingly complex, and we enjoy a vast array of connected "smart" devices. With the age-old pressure of being rushed to market, it's no wonder that we continue to see major system breaches all the time. Some are proof-of-concept, others involve serious losses of information. A simple USB thumb drive can bring down a corporate network and result in massive losses.

Risks:
• Loss or theft of critical information
• Corruption of company data or systems
• Loss of productivity
• IT resources overwhelmed by dealing with the problem
• Loss of confidence in the organisation
• Hardware damage

Cyber security and incident response risk

Companies are usually aware of what a disaster recovery plan should include. However, companies rarely have a plan for dealing with cyber attacks. This is a very real risk and calls for its own set of specific actions. For example, is the scope of the attack limited to a subset of the IT infrastructure, or is it widespread? What actions should be taken to contain the problem? Not all digital assets can, or should, be treated in the same way. What needs to be done to preserve digital evidence? Simply restoring from backup doesn't allow any form of analysis, and does nothing to prevent the next attack.
 
Risks:
• Forensic data being lost: is digital evidence preserved?
• Repeat attacks, due to no substantive prevention being put in place
• Possible public and/or legal consequences
• Insufficient or incorrect reaction on the part of the organisation
• Are senior management and/or stakeholders informed, or is the event hidden?
 

IT Project Backlog

Economic factors often result in essential IT investments being deferred. As a result, IT projects are not undertaken, leaving IT systems vulnerable or unable to deliver as needed. This is similar in essence to treating the IT function as a cost centre, where optimal delivery is taken to mean the lowest cost that provides short-term delivery. The IT function is never seen as critical to operational delivery, and this strategy never identifies the cost of non-investment. It is akin to saving on medical insurance and never going to a doctor for check-ups. Disasters are seen as "bad luck".

Risks:
• Failure to identify the consequences of a lack of investment
• Business objectives not being met due to project delays
• Failure to roll out IT projects entirely
• Projects conducted with inadequate budgets, leading to shortcuts

Cloud Computing

Cloud computing offers many benefits over in-house or on-site solutions. However, the product offerings are not always clearly understood by consumers. Risks, limitations and obligations are rarely made clear. The rate of change and built-in obsolescence add to the problem. Data continuity, compatibility, availability of services and quality of service are all critical for businesses. Yet these considerations are usually ignored and replaced by a variety of assumptions.
 
Risks:
• Administrative access and control: do agreements govern these?
• Data management: location, compliance, recovery and security
• Dependence on the availability of the cloud provider and the internet connection
• Investigative support in case of a data breach
• Long-term viability of the solution given the rate of change

IT resilience and continuity

Managers often consider IT risks within the confines of a disaster recovery plan. However, if the timeline to recover involves weeks or even months, then operational losses may be incurred that offset the value of actually recovering the data. In some cases data is time-sensitive and delayed recovery is pointless. Therefore, the recovery methodology needs to be rigorously tested and timeline norms established.
 
Risks:
• Time-sensitive data not being restored in time
• Further operational disruption due to staged recovery
• IT resources failing to test recovery systems due to constraints
• The recovery pathway not being clearly tested or understood
• Only critical systems being assessed, leaving gaps in recovery protocols
• Confusion and delays during recovery due to lack of planning
 

IT Governance

These days, it is common to source IT services from multiple vendors. Each vendor has its own standards and methodologies, and in some cases there can be competition over who supplies the service. Furthermore, if established vendors are unavailable or fail to provide a required service, it can be obtained from another party. The business may be left with gaps in how goods and services are supplied. For example, hardware may be supplied that is incompatible with, or supported differently from, the corporate standard. Similarly, services may be at odds with existing methodologies for deployment.

Risks:
• Failure to comply with corporate IT policies and controls
• Operational impacts: failure to deliver hardware or services as needed
• Security risks that stem from inadequate deployment or documentation
• Regulatory violations which place the organisation at risk of fines
• Duplication of effort, increased costs and inefficiencies