Risk Doesn’t Have to be a Four-Letter Word
Here's the thing about risk: it doesn't have to be a bad thing. Risk means you're doing something new; something different. There's risk when you jump in a half-ton of metal and rubber and hurtle yourself down the highway at 65 miles per hour (or 80 if you're on a South Dakota interstate). You could damage your $20,000 (+) automobile. You could get into an accident. You could get hurt. You could be killed. So why do we do drive motor vehicles? Because it is a heck of a lot faster than walking. The same concept applies to technology.
Risk is always changing; always evolving. It's no different for most areas of business as it is for IT, with one caveat: it happens a lot more quickly with technology than it does for the rest of the business. However, IT is a business risk as much as anything else.
Redefining Today’s Risk
Technology risk used to be much easier to define. Everything was limited to the information and devices behind our firewall - the trustworthy barrier between the untrusted, public network and our internal, private, secure corporate network. But times have changed. In today's business environment, executives, employees, and consumers alike require access to information on any device - anytime and anywhere.
Think of all the different ways your institutional information, whether it's your work email or confidential customer information, is accessed from outside of your corporate environment. Ask yourself the following questions, each of which increases risk:
- Does your organization allow access to work email on smartphones (either personal or corporate)?
- Do any of your employees utilize laptops that leave the premises?
- Do any of your employees gain remote access to your corporate network externally (bonus points if it's from an unsecured personal computer or while on the road in a hotel, airport, or coffee shop)?
- Do you allow any vendors to remotely access your network, whether via direct line (MPLS, T1, fiber, etc.) or VPN connection?
Here’s the scary part: how many ways could an attacker take advantage of any (or all) of those devices to gain access to your confidential customer information?
That's the "inherent risk" portion of our discussion. It's the same thing as driving your car down the interstate. We've given more access to our customer information and our "trusted" corporate network to different individuals and different devices for two reasons: 1) demand and 2) efficiency. If we want our computers to be patched by our vendor, having them log into our network at 11 PM and install updates during non-business hours is significantly more efficient than closing the doors from 2 PM to 4 PM to install updates and restart your servers. If your organization touts customer service and rapid response times, granting individuals access to their email outside of the physical premises is a must. That's not to mention your customers doing most their banking on their phones these days.
But as with all risk, the secret is to mitigate your risk to the best of your ability. Getting to the point where you MEASURE your risk and implement risk-mitigating controls to reduce your risk to acceptable levels is the key to any business. Most organizations don't understand IT risk, which leads to avoidance out of fear rather than innovation. Rather than implementing new technologies that can make the business more efficient or allow customers to connect with you more frequently and effectively, businesses shy away from technology because they don't understand how to mitigate risk.
You can mitigate your risk while you're cruising down the highway by making sure your vehicle has seatbelts and airbags, and making sure you stay alert while driving (put down the phone, folks!). You can stop someone from stealing information from an employee's smartphone email by implementing fingerprint or password authentication and encryption, for starters. You can mitigate the risk of vendors going rogue inside your network or stealing your information by setting up email or text alerts through the firewall that let you know when someone is accessing the network or logging in with specific credentials. There are many ways to mitigate risk, but we must take the time to understand and measure the risks before we can determine if we are effectively mitigating risk.
Attack the Risk
Don't let the "new normal" of IT risk scare you away from implementing new technologies or ways for your customers to do business with you digitally. Instead, learn to understand and measure the risk so you can get comfortable with the level of risk that remains (residual risk) or put a plan in place to reduce additional risk in the future. There will be more technologies, products, and services for your business to evaluate going forward. Don't fear the risk; have a plan to attack the risk. Let technology work for you, your employees, and your customers.
Written by: Jon Waldman, CISA, CRISC
Partner and Executive Vice President, IS Consulting
SBS Can Help!
For a better IT Risk Assessment, look no further than the TRAC risk management solution. TRAC’s IT Risk Assessment module allows you perform a quantifiable and measurable asset-based risk assessment much more quickly than using a spreadsheet. TRAC is powered by predefined, industry-specific data that helps you know your risk assessment is correct and allows you to make better security decisions.
Hacker Hour webinars are a series of free webinars hosted by SBS CyberSecurity. Unlike paid webinars, Hacker Hours are aimed to meet on a monthly basis to discuss cybersecurity issues and trends in an open format. Attendees are encouraged to join the conversation and get their questions answered. SBS will also offer products and services to help financial institutions with these specific issues.