IT Risks

In this digital era, every organization relies directly or indirectly on IT systems to store or process data, and as the saying goes, “everything comes with a cost”; so does digitalization. There are different types of risks associated with information technology, so every organization must perform risk management. Risk management is crucial because it has a direct impact on your entire business, whether or not the risk falls in the domain of IT. Unfortunately, IT-related risks are quite often neglected and overlooked. Before we go deeper into IT risks, let’s understand the scale and impact we are talking about.

Let’s take a look at an example. On Friday 21st October 2016, a cyber attack disrupted the internet and, according to experts, it was the largest of its kind. As a result, throughout the day many users were unable to connect to popular platforms like Twitter, Netflix, The Guardian, Reddit, Spotify, the Financial Times and many others in the U.S. and Europe.

The software company Dynatrace monitors more than 150 websites and found that 77 were impacted that Friday. According to reports, the disruption may have caused losses of up to $110 million in revenue and sales for the affected companies.

The areas highlighted in red and amber on the map given below represent the impact of the attack.

It was a distributed denial-of-service (DDoS) attack, in which computers or network devices infected with malware are herded into a botnet and used to flood a server or website until it becomes unusable. In this case the botnet used was the Mirai botnet. What makes it more interesting is that IoT (Internet of Things) devices, digital video recorders and webcams in people’s homes were infected with the malware and turned into weapons, without their owners’ knowledge, to execute this massive attack. Imagine the impact on services and on the businesses; it could have been avoided by well-planned risk management and security measures.
It is imperative to understand IT security, the risks and threats to organizations and their IT infrastructure, and how to mitigate and control those risks. Cyber security and information security professionals need to understand that systems have many vulnerabilities and that no system is 100% secure. In short, managing the risks associated with these vulnerabilities is part and parcel of a security professional’s job. The goal should be to reduce the vulnerabilities to the lowest level possible. We cannot eliminate 100% of vulnerabilities, but we can control them through proper risk management. IT security is all about defending and protecting vital information and data using various defence strategies, policies and technologies.

Before gaining an insight into risk management and other security aspects, let’s take a close look at the question “What exactly is risk?”
In simple words, risk is the probable frequency and probable magnitude of future loss. The standard definitions are listed below:
    • ISO – International Organization for Standardization.
      “The potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization. It is measured in terms of a combination of the probability of an event and its consequence.”
    • NIST – National Institute of Standards and Technology.
      “The net mission impact considering (1) the probability that a particular threat-source will exercise (accidentally trigger or intentionally exploit) a particular information system vulnerability and (2) the resulting impact if this should occur. IT-related risks arise from legal liability or mission loss due to—

      1. Unauthorized (malicious or accidental) disclosure, modification, or destruction of information
      2. Unintentional errors and omissions
      3. IT disruptions due to natural or man-made disasters
      4. Failure to exercise due care and diligence in the implementation and operation of the IT system.”

Asset

An asset is simply any item that has value to an organization.
Assets can be tangible or intangible; the table below gives examples of each.

Tangible Assets                                    Intangible Assets
Computer systems / laptops                         Software
Servers                                            Defined processes
Network devices (firewalls, routers or switches)   Information or data
Employees                                          Reputation

All of the examples above are types of assets that any organization will need to protect. Now that we understand what an asset is, let’s pay close attention to the vulnerabilities and threats that may become a potential risk to these assets.

Vulnerability

A vulnerability is any weakness that exists in a system. It can arise for various reasons, such as system design, implementation, software code or network security design. Examples are a software bug, or a security hole caused by the wrong configuration of perimeter devices in the network such as a firewall, IPS or IDS.
For example, if you leave your laptop unlocked, that is a vulnerability. But a vulnerability without a threat isn’t a problem at all: if you leave your laptop unlocked in your own office, where no outsiders come, then it really doesn’t matter whether you locked the laptop or not.

Operational Risk

Organizations have to deal with operational risks around the clock. These are service interruptions caused by internal failures of processes, people or systems, and they are by far the most frequent type of event organizations run into. Human error, system and software flaws and power failures are just a few of the many operational risks.

There are four major factors involved in operational risk: process, system, people and external events. Each is described at the end of this article.

Exploit

In IT terms, an exploit is a program, code, piece of software or set of commands that takes advantage of a vulnerability to perform a malicious activity. An exploit is not harmful in itself until someone uses it with wrong intentions. It is like a gun or any other weapon: as long as the weapon is just lying on the table there is no danger, until someone picks it up with ill intentions.

Threat

Any situation or condition that can cause harm, loss, damage or compromise to an asset is called a threat. Continuing the last example, if you leave your laptop unlocked in an open area where a lot of people are around and a few of them have wrong intentions, then those few people are the “threat” in this scenario.
So, leaving your laptop unlocked is a vulnerability. If nobody is around and no one notices the unlocked laptop, it might lie there for hours and you will never realize the risk of that mistake. It is the same with a vulnerability in an IT system: a vulnerability is a security hole that can be exploited at any time. The moment a person with wicked plans finds your laptop unlocked, he is a threat to you. He can simply walk up and look at your private data on the laptop, or he may steal the data. At that point your vulnerability has been exploited, and you realize the risk.

Having understood assets, vulnerabilities and threats, we can now state that risk is located at the intersection of these three basic elements: asset, vulnerability and threat.

There is no risk without both a vulnerability and a threat. If you don’t have any vulnerability, there is nothing for a threat to exploit, hence there is no risk. Conversely, if there is no threat, then even if a vulnerability is present there is still not going to be any risk. If either of those two things is missing, there simply is no risk.
For example, suppose a cyber attacker is attempting to hack into your server and network from the internet. That is a valid threat. However, if you have no connection to the internet at all, then there is no vulnerability and thus no risk of being attacked. So we need both a vulnerability and a threat to have risk. As part of risk management, we constantly try to balance the vulnerabilities against the threats. To do this, we put mitigations in place to lower the number of vulnerabilities, or we add mitigations to reduce the threats. By lowering either one of these, we lower the overall risk.
It is very important to understand the different types of risk an organization faces, because you cannot mitigate a risk if you don’t know it is there.
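The two ideas above (risk as probable frequency times probable magnitude of loss, and risk as the intersection of asset, vulnerability and threat) can be made concrete in a small risk register. The following is an added worked example, not code from the original article; the quantitative model it uses (frequency = threat attempts per year × probability an attempt succeeds; magnitude = asset value × share of the asset lost per event; risk = frequency × magnitude) is my assumption, and every asset, vulnerability, threat and number in it is constructed for illustration.

```python
"""Added worked example, not code from the original article.

Assumed model (mine, not the article's):
    frequency  = threat.attempts_per_year * vulnerability.success_probability
    magnitude  = asset.value * exposure_fraction
    risk       = frequency * magnitude          # expected annual loss
If either the vulnerability or the threat is absent, the frequency is 0 and
so is the risk: the article's "no vulnerability or no threat, no risk" rule.
All names and numbers below are constructed for illustration.
"""
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Asset:
    name: str
    value: float                  # impact value in currency units


@dataclass(frozen=True)
class Vulnerability:
    name: str
    success_probability: float    # share of attempts that succeed, 0.0..1.0


@dataclass(frozen=True)
class Threat:
    name: str
    attempts_per_year: float      # how often the threat acts on the asset


@dataclass(frozen=True)
class Scenario:
    label: str
    asset: Asset
    vulnerability: Optional[Vulnerability]
    threat: Optional[Threat]
    exposure_fraction: float = 1.0   # share of asset value lost per event

    def annual_frequency(self) -> float:
        """Probable frequency of loss events per year."""
        if self.vulnerability is None or self.threat is None:
            return 0.0            # nothing to exploit, or nobody to exploit it
        return self.threat.attempts_per_year * self.vulnerability.success_probability

    def loss_magnitude(self) -> float:
        """Probable magnitude of a single loss event."""
        return self.asset.value * self.exposure_fraction

    def expected_annual_loss(self) -> float:
        """Risk as frequency x magnitude."""
        return self.annual_frequency() * self.loss_magnitude()


def reduce_vulnerability(s: Scenario, factor: float) -> Scenario:
    """Control on the vulnerability side (patching, locking the laptop):
    the success probability is multiplied by `factor`."""
    if s.vulnerability is None:
        return s
    v = replace(s.vulnerability,
                success_probability=s.vulnerability.success_probability * factor)
    return replace(s, vulnerability=v)


def reduce_threat(s: Scenario, factor: float) -> Scenario:
    """Control on the threat side (perimeter filtering, restricting who can
    reach the asset): the attempt rate is multiplied by `factor`."""
    if s.threat is None:
        return s
    t = replace(s.threat, attempts_per_year=s.threat.attempts_per_year * factor)
    return replace(s, threat=t)


# Constructed sample register (illustrative values, not measurements).
DB_SERVER = Asset("customer database server", 500_000.0)
LAPTOP = Asset("staff laptop", 2_000.0)
WEB_APP_BUG = Vulnerability("unpatched web application", 0.2)
UNLOCKED = Vulnerability("laptop left unlocked", 1.0)
INTERNET_ATTACKERS = Threat("attackers on the internet", 5.0)
PASSERS_BY = Threat("strangers walking past the desk", 20.0)
NOBODY = Threat("nobody enters the private office", 0.0)

SCENARIOS = [
    Scenario("unpatched web app, internet-facing", DB_SERVER, WEB_APP_BUG, INTERNET_ATTACKERS, 0.5),
    Scenario("unlocked laptop in a shared lobby", LAPTOP, UNLOCKED, PASSERS_BY),
    Scenario("unlocked laptop in a private office", LAPTOP, UNLOCKED, NOBODY),
    Scenario("air-gapped server, no internet path", DB_SERVER, None, INTERNET_ATTACKERS, 0.5),
]


def build_register(scenarios=SCENARIOS) -> dict:
    """Map each scenario label to its expected annual loss, highest risk first."""
    ranked = sorted(scenarios, key=lambda s: s.expected_annual_loss(), reverse=True)
    return {s.label: s.expected_annual_loss() for s in ranked}


def compare_mitigations(s: Scenario, factor: float) -> dict:
    """Lowering either side of the intersection lowers the risk."""
    return {
        "unmitigated": s.expected_annual_loss(),
        "vulnerability reduced": reduce_vulnerability(s, factor).expected_annual_loss(),
        "threat reduced": reduce_threat(s, factor).expected_annual_loss(),
    }


if __name__ == "__main__":
    for label, eal in build_register().items():
        print(f"{eal:>12,.0f}  {label}")
    print(compare_mitigations(SCENARIOS[0], 0.1))
```

Running it ranks the internet-facing unpatched application at the top, while the unlocked laptop in a private office and the air-gapped server both come out at zero, one because the threat is absent and the other because the vulnerability is. The `compare_mitigations` call shows the balancing the article describes: cutting the vulnerability’s success rate or the threat’s attempt rate by the same factor lowers the expected loss by the same amount, so a risk manager can choose whichever side is cheaper to control.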

Strategic Risk

Strategic risk, as the name indicates, relates to an organization’s strategies: it is the chance that a strategy will result in losses. It can stem from poor business planning and decisions or from substandard execution of a plan, for example failure to respond to changes in the business world. Strategic risks are directly related to an organization’s operations at a specific time. For example, for any financial institution or bank the online transaction system is crucial, and it depends heavily on the IT servers running in the background; every few years that hardware reaches end of life and must be replaced. If a bank decides to keep running its business on old hardware, that is a strategic decision and a risk it is accepting. Similarly, a training institute that helps students obtain IT certifications needs to update its study material and content every couple of years, because certification vendors update their syllabuses. Not doing so is a strategic risk those institutes take, and it is tied to the type of industry they are part of.

Strategic risk can be lowered and mitigated through strategic planning. An organization that relies on IT hardware can include the budget and cost of a hardware refresh in its planning. In the same way, a training institute can factor in the budget and cost of updating its courses every few years in line with the vendors’ certification updates.

Compliance Risk

Compliance risk is all about losses due to failure to follow laws and regulations. In today’s world, compliance risks that are not mitigated can have terrible consequences such as fines, and an organization can even be shut down by the government. Thus every organization has to comply with the rules and regulations that apply to its line of business; a financial institution, for example, has different laws and regulations to follow than an IT company. Any organization that accepts, transmits or stores cardholder details has to follow the PCI DSS (Payment Card Industry Data Security Standard). To comply with PCI DSS, the organization must maintain a secure environment that ensures the privacy and security of cardholder data. Similarly, in European countries any organization that handles individuals’ personal data has to follow the GDPR (General Data Protection Regulation). Let’s look at one of the biggest examples of the devastating consequences of failing to follow laws and regulations: Uber, the famous on-demand ride company, had 600,000 drivers’ and 57 million users’ accounts breached in 2016. Once this was discovered, Uber was fined $148 million in 2018 for violating state data breach notification laws.

Uber fined $148m for failing to notify drivers they had been hacked

Failure to report 2016 data breach ‘one of the most egregious cases we’ve ever seen’, says Illinois attorney general

Courtesy – The Guardian

The list doesn’t stop here; there are a number of such incidents where companies had to pay large penalties for non-compliance. Yahoo, British Airways and Marriott International are a few famous names on it. To mitigate compliance risk, an organization must carry out an assessment and identify the laws and regulations it is expected to comply with in every jurisdiction where it conducts business.

Financial Risk

In the case of financial risk, we need to think about how an organization handles its finances and money: how it allows customers to make payments, any credit involved, payment methods and so on. We already discussed in the Compliance Risk section that any merchant or organization handling users’ credit cards needs to comply with PCI DSS. That is part of compliance risk, but there is an overlap: it is a financial risk as well. Organizations may offer payment options like “cash on delivery” or “pay in instalments”, and in some cases they may never receive that money. All of this is financial risk too. In IT, budget and finances play a vital role. For example, if you need to replace end-of-life hardware and the cost is high, you have to justify the cost to senior management. To them it may look like an unnecessary expense, but as part of IT management you should understand the risk of running the business on old hardware, and that understanding should feed back into the organization’s financial risk picture. Inputs and feedback from all directions help the organization factor in these financial risks and plan better to mitigate or lower them wherever possible.
Apart from these, there are other financial risks related to movements in stock prices, currency rates, interest rates, etc. The different types of financial risk are:

    • Market Risk
    • Credit Risk
    • Liquidity Risk
    • Legal Risk

The four major factors involved in operational risk (mentioned in the Operational Risk section above) are:

    • Process
      Risk arising from the absence of proper processes; for example, lacking a change management or incident management process can create a lot of operational issues.
    • System
      From the IT industry’s perspective, system-related risk stems from technical issues that can cause outages, system breakdowns, failures or even data theft and data loss.
    • People
      The major contributor to operational risk is the human factor, as humans tend to make errors and mistakes. If we look at history, major outages have been caused by human error. Organizations cannot escape the fact that mistakes and errors will happen; rather, they should work towards being ready for such situations.
    • External Event
      External factors cannot be ruled out, whether natural or man-made: for example natural disasters, over which humans have no control, or physical damage from any external cause beyond the organization’s control.