In this digital era every organization relies, directly or indirectly, on IT systems to store or process data, and as the saying goes, "everything comes with a cost"; so does digitalization. Information technology carries its own set of risks, so every organization must practise risk management. It matters because risk, whether it originates in IT or elsewhere, has a direct impact on the whole business. Unfortunately, IT-related risks are quite often neglected or overlooked. Before we go deeper into IT risks, let's first understand the scale of impact we are talking about.
Take an example. On Friday, 21 October 2016, a cyber attack disrupted the internet on a scale that experts described as the largest of its kind. Throughout that day many users were unable to reach popular platforms such as Twitter, Netflix, The Guardian, Reddit, Spotify and the Financial Times, among many others in the U.S. and Europe.
Dynatrace, a software monitoring company, monitors more than 150 websites and found that 77 of them were affected that Friday. According to reports, the disruption may have cost the affected companies up to $110 million in lost revenue and sales.
The areas highlighted in red and amber on the map given below represent the impact of the attack.
It was a distributed denial-of-service (DDoS) attack: a large number of computers or network devices, infected with malware and marshalled into a botnet, are used to flood a server or service with traffic until it becomes unusable. In this case the botnet was built by the Mirai malware, and the target was Dyn, a DNS provider that many of the affected sites depended on, which is why so many unrelated services went down at once. What makes it more interesting is that the infected devices were IoT (Internet of Things) devices, digital video recorders and webcams in people's homes, turned into weapons without their owners' knowledge. Imagine the impact on services and businesses, much of which could have been avoided by well-planned risk management and security measures.
It is imperative to understand IT security, the risks and threats to organizations and their IT infrastructure, and how to mitigate and control those risks. Cyber security and information security professionals need to accept that every system has vulnerabilities and that no system is 100% secure. In short, managing the risk associated with those vulnerabilities is part and parcel of a security professional's job. The goal should be to reduce vulnerabilities to the lowest level practicable: we cannot eliminate them entirely, but we can control them through proper risk management. IT security is about defending and protecting vital information and data using a combination of defence strategies, policies and technologies.
Before gaining an insight into risk management and other security aspects, let's take a close look at the question "What exactly is risk?"
In simple words, risk is the probable frequency and probable magnitude of future loss. The standard definitions are listed below:
- ISO – International Organization for Standardization.
“The potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization. It is measured in terms of a combination of the probability of an event and its consequence.”
- NIST – National Institute of Standards and Technology.
“The net mission impact considering (1) the probability that a particular threat-source will exercise (accidentally trigger or intentionally exploit) a particular information system vulnerability and (2) the resulting impact if this should occur. IT-related risks arise from legal liability or mission loss due to—
- Unauthorized (malicious or accidental) disclosure, modification, or destruction of information
- Unintentional errors and omissions
- IT disruptions due to natural or man-made disasters
- Failure to exercise due care and diligence in the implementation and operation of the IT system.
An asset, in the ISO sense, is simply anything that has value to an organization.
Assets can be tangible or intangible. The table below gives an example of each:

| Tangible assets | Intangible assets |
| --- | --- |
| Network devices such as firewalls, routers or switches | Information or data |
Both are types of asset that any organization will need to protect. Now that we understand what an asset is, let's look at the vulnerabilities and threats that can turn into risk to those assets.
A vulnerability is any weakness that exists in a system. It can stem from system design, implementation, software code or network security design: a software bug, for example, or a misconfiguration of perimeter devices such as firewalls, IPS or IDS that leaves a path open for a breach.
For example, if you leave your laptop unlocked, that is a vulnerability. But a vulnerability without a threat is not a problem at all. If you leave your laptop unlocked in your own office, where no outsiders come, it really doesn't matter whether you locked it or not.
Operational risk is something organizations have to deal with around the clock: service interruptions caused by internal failures of processes, people or systems. These are by far the most frequent type of event organizations run into; human error, system and software flaws and power failures are just a few of many examples. The four major factors involved in operational risk (process, system, people and external events) are covered in the section on types of risk below.
In IT terms an exploit is a program, a piece of code or software, or a set of commands that takes advantage of a vulnerability to perform a malicious action. An exploit is not harmful in itself unless someone uses it with bad intent, much like a weapon lying on a table: there is no danger until someone picks it up with ill intentions.
Any situation or condition that can cause harm, loss, damage or compromise to an asset is called a threat. Continuing the last example, if you leave your laptop unlocked in an open area where a lot of people are around, and a few of them have bad intentions, then those few people are the threat in this scenario.
So, leaving your laptop unlocked is the vulnerability. If nobody is around and no one notices, it might lie there for hours and you will never realize the risk of that mistake. The same is true of a vulnerability in an IT system: it is a security hole that can be exploited at any time. The moment a person with bad intentions finds your laptop unlocked, he is a threat to you; he can simply walk up and read your private data, or steal it outright. At that point the vulnerability has been exploited, and you realize the risk.
Having understood assets, vulnerabilities and threats, we can now state that risk sits at the intersection of those three basic elements: asset, vulnerability and threat.
There is no risk without both a vulnerability and a threat. If you have no vulnerability, there is nothing for a threat to exploit, hence no risk. Conversely, if there is no threat, then even a vulnerability that is present produces no risk. If either of the two is missing, there simply is no risk.
For example, a cyber attacker attempting to hack into your server and network from the internet is a valid threat. But if your server has no connection to the internet at all, that threat has no path to whatever vulnerabilities the server may have, so there is no risk from that attacker. Risk requires both a vulnerability and a threat. In risk management we constantly try to balance vulnerabilities against threats: we put mitigations in place to reduce the number of vulnerabilities, or we add mitigations that reduce the threat's ability to reach them. Lowering either one lowers the overall risk.
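To make the definitions above concrete (risk as probable frequency times probable magnitude of loss, risk requiring both a vulnerability and a threat, and mitigations acting on either side), here is a small quantitative risk register. It is an added example, not code from the original article. The asset values, attempt rates and probabilities are constructed illustrative figures, and the multiplicative model (attempts per year × probability the attempt reaches the asset × probability it succeeds, times the value lost per event) is one simple way to express the text's definition, not a formula prescribed by ISO or NIST.

```python
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    value: float        # value to the organization, in currency units
    tangible: bool

@dataclass(frozen=True)
class Vulnerability:
    name: str
    p_success: float    # probability that a single attempt against it succeeds

@dataclass(frozen=True)
class Threat:
    name: str
    attempts_per_year: float   # how often the threat source acts
    p_reaches_asset: float     # probability an attempt can reach the asset at all

@dataclass(frozen=True)
class Scenario:
    """One register line: the asset, plus the threat and vulnerability that meet on it.
    Either of the last two may be absent (None)."""
    asset: Asset
    threat: Optional[Threat]
    vulnerability: Optional[Vulnerability]
    loss_fraction: float = 1.0     # share of the asset's value lost per event

    def loss_event_frequency(self) -> float:
        # Missing threat or vulnerability: nothing can be realized, so 0 events/year.
        if self.threat is None or self.vulnerability is None:
            return 0.0
        return (self.threat.attempts_per_year
                * self.threat.p_reaches_asset
                * self.vulnerability.p_success)

    def loss_magnitude(self) -> float:
        return self.asset.value * self.loss_fraction

    def expected_annual_loss(self) -> float:
        # probable frequency of loss events x probable magnitude of each loss
        return self.loss_event_frequency() * self.loss_magnitude()


def mitigate_vulnerability(scn: Scenario, factor: float) -> Scenario:
    """Vulnerability-side control (patching, hardening, locking the screen):
    scales the probability that an attempt succeeds by `factor`."""
    if scn.vulnerability is None:
        return scn
    v = replace(scn.vulnerability, p_success=scn.vulnerability.p_success * factor)
    return replace(scn, vulnerability=v)

def mitigate_threat(scn: Scenario, factor: float) -> Scenario:
    """Threat-side control (segmentation, access control, taking the asset offline):
    scales the probability that an attempt reaches the asset by `factor`."""
    if scn.threat is None:
        return scn
    t = replace(scn.threat, p_reaches_asset=scn.threat.p_reaches_asset * factor)
    return replace(scn, threat=t)

def rank_register(register: List[Tuple[str, Scenario]]) -> List[Tuple[str, float]]:
    """Highest expected annual loss first, so treatment effort goes where it matters."""
    scored = [(label, scn.expected_annual_loss()) for label, scn in register]
    return sorted(scored, key=lambda item: item[1], reverse=True)


# Constructed, illustrative figures for this example; not data from the article.
customer_db = Asset("customer database", value=2_000_000, tangible=False)
edge_firewall = Asset("perimeter firewall", value=50_000, tangible=True)
laptop = Asset("laptop holding project data", value=20_000, tangible=True)

internet_attacker = Threat("internet attacker", attempts_per_year=5, p_reaches_asset=1.0)
no_path_attacker = replace(internet_attacker, p_reaches_asset=0.0)   # server has no internet link
power_failure = Threat("power failure", attempts_per_year=2, p_reaches_asset=1.0)
passer_by = Threat("opportunistic passer-by", attempts_per_year=20, p_reaches_asset=0.05)

unpatched_app = Vulnerability("unpatched web application", p_success=0.2)
single_psu = Vulnerability("single power supply, no UPS", p_success=1.0)
left_unlocked = Vulnerability("screen left unlocked", p_success=1.0)

REGISTER: List[Tuple[str, Scenario]] = [
    ("db: internet attacker vs unpatched app",
     Scenario(customer_db, internet_attacker, unpatched_app, loss_fraction=0.25)),
    ("db: same vulnerability, no internet path",
     Scenario(customer_db, no_path_attacker, unpatched_app, loss_fraction=0.25)),
    ("firewall: power failure vs single PSU",
     Scenario(edge_firewall, power_failure, single_psu, loss_fraction=0.1)),
    ("laptop: unlocked in a private office (no threat)",
     Scenario(laptop, None, left_unlocked)),
    ("laptop: unlocked in a public area",
     Scenario(laptop, passer_by, left_unlocked)),
]

if __name__ == "__main__":
    for label, eal in rank_register(REGISTER):
        print(f"{eal:>12,.0f}  {label}")
    before = REGISTER[0][1]
    print("patched:  ", f"{mitigate_vulnerability(before, 0.1).expected_annual_loss():,.0f}")
    print("isolated: ", f"{mitigate_threat(before, 0.0).expected_annual_loss():,.0f}")
```

Run as a script, the ranked register puts the internet-facing database first; the same database with no internet path and the laptop in a private office both score zero, which is the page's point that one missing element removes the risk. Patching (a vulnerability-side control) cuts the database scenario's expected loss by the same factor it cuts the success probability, while removing the attacker's network path (a threat-side control) takes it to zero.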
It is very important to understand the different types of risk an organization faces, because you cannot mitigate a risk you do not know exists.
Strategic risk, as the name indicates, relates to an organization's strategy: the chance that a strategy results in losses. It can stem from poor business planning and decisions, or from substandard execution of a plan, for example a failure to respond to changes in the business environment. Strategic risk is directly tied to the organization's operations at a particular time. For a financial institution or bank, for instance, the online transaction system is crucial and depends on IT servers running in the background; every few years that hardware reaches end of life and must be replaced. If the bank decides to keep running on the old hardware, that is a strategic decision and a risk it is choosing to accept. Similarly, a training institute that helps students obtain IT certifications must update its study material every couple of years as the certification vendors update their syllabus; that too is a strategic risk the institute takes on, and it comes with the industry it is part of.
Strategic risk can be lowered and mitigated through planning. An organization that relies on IT hardware can build the cost of a hardware refresh into its budget; in the same way, a training institute can budget for updating its courses every few years in step with the vendors' certification updates.
Compliance risk is about losses due to failure to follow legislation and regulations. Unmitigated compliance risk can have severe consequences, from fines to an organization being shut down by the government. Every organization must therefore comply with the rules that apply to its line of business; a financial institution, for example, has a different set of laws and regulations to follow than an IT company. Any organization that accepts, transmits or stores cardholder data has to follow PCI DSS, the Payment Card Industry Data Security Standard, which requires a secure environment that protects the privacy and security of cardholder details. Similarly, any organization in Europe that handles individuals' personal data has to follow the GDPR, the General Data Protection Regulation. One of the biggest examples of the devastating consequences of failing to follow the rules is Uber, the on-demand ride company, which in 2016 had the accounts of 600,000 drivers and 57 million users breached. Once the breach came to light, Uber was fined $148 million in 2018 for violating state data breach notification laws.
Uber fined $148m for failing to notify drivers they had been hacked
Failure to report 2016 data breach ‘one of the most egregious cases we’ve ever seen’, says Illinois attorney general
Courtesy – The Guardian
The list does not stop there: there are a number of such incidents where companies had to pay large penalties for non-compliance, with Yahoo, British Airways and Marriott International among the better-known names. To mitigate compliance risk, organizations must carry out an assessment that identifies the laws and regulations they are required to comply with in every jurisdiction where they do business.
Financial risk covers how an organization handles its money: how it allows customers to pay, what credit it extends, which payment methods it accepts, and so on. We already noted under compliance risk that any merchant handling users' credit cards must comply with PCI DSS; that is a compliance risk, but it overlaps with financial risk at the same time. Organizations that offer payment options such as "cash on delivery" or "pay in instalments" may in some cases never receive the money, which is likewise a financial risk. Within IT, budget and finances play a vital role. If you need to replace end-of-life hardware and the cost is high, you have to justify it to senior management; to them it may look like an unnecessary expense, but as part of IT management you understand the risk of running the business on old hardware, and that understanding should feed into the organization's overall financial risk picture. Input of this kind from all directions helps the organization factor in its financial risks and plan to mitigate or lower them wherever possible.
Beyond these, there are financial risks related to movements in stock prices, currency rates, interest rates and the like. The main types of financial risk are:
- Market risk
- Credit risk
- Liquidity risk
- Legal risk
Operational risk arises from four major factors: process, system, people and external events.
- Process
Risk due to the lack of proper processes, e.g. the absence of a change management or incident management process, which can create a lot of operational issues.
- System
From an IT industry perspective, system-related risk comes from technical issues that can cause outages, system breakdowns, failures, or even data theft and data loss.
- People
The major contributor to operational risk is the human factor, because humans make errors. Historically, many major outages have been caused by human error. Organizations cannot escape the fact that mistakes will happen; instead they should work on being ready for such situations.
- External event
External factors cannot be ruled out, whether natural or man-made: natural disasters that humans have no control over, for example, or physical damage from any external cause beyond the organization's control.
For instance, if we suffer a power outage or a cyber attack, our networks could go down, and unless we have proper mitigations in place (generators, battery backups, redundant power supplies, redundant power feeds, firewalls, IPS/IDS systems and so on) the operational risk is realized. This is the kind of operational risk you have to think about when you start building a system, and you should build your contingency plans alongside it. Operational risk should be at the forefront of your mind.
Reputational risk is any action, event or circumstance that could adversely (or, for that matter, beneficially) affect an organization's reputation.
If such a risk is realized, the organization may suffer a loss of reputation and community standing caused by a product failure, a lawsuit or other negative publicity. Reputation itself is intangible, but damage to it, and the resulting loss of consumer trust and confidence, has tangible consequences: a falling stock price, regulatory investigations, shareholder litigation and so on.
Examples of reputation risk;
- Negative reviews and news
- Criticism of products and services
- Information or data leakage
- Cyber attack
- False or negative publicity
Reputational risk can be managed through a risk management strategy with two key goals:
- Identify and minimize the factors that could damage the reputation, and at the same time identify and work on the factors that can boost it.
- Reputation is a matter of perception, and perception may differ from reality. To reduce the risk, organizations need to focus on the gap between perception, expectation and reality, and close it by improving business strategy and performance.
Employment risk could also be called "people risk", as it is all about an organization's employees. It is present from the moment an employee is hired until the day they leave. In other words, employees can make or break an organization. There is a large cost associated with employees, and good organizations make every effort to keep theirs happy, because this is the major factor affecting an organization's efficiency and performance. For example, suppose you run an IT consulting business that you have so far delivered with your in-house IT team. Now you win a project to deliver services on the AWS cloud and assign that same team, even though they have no AWS expertise. That is a big risk, because you are not putting the right people on the job.
There can be legal repercussions too if an organization fails to maintain a safe, harassment-free and unbiased environment for its employees.
There are various factors that can help in reducing the employment risk, for example;
- Hiring Process
It is rightly said that "the first impression is the last impression", and the first impression an organization makes is at hiring. The hiring process reflects how well the human resources (HR) process is defined and followed in the organization. A formal selection process, pre-hire screening and background checks all reduce the risk; the goal should be to hire the right candidate for the right job.
Compensation, salary and other financial benefits should be on a par with industry standards.
- Onboarding
Onboarding is the process of familiarizing a new joiner with the company environment, its policies, and the role and responsibilities they have been hired for.
The organization must also focus on employees' growth and learning.
- Performance management
The organization should have a transparent and unbiased performance management system; this is one of the key factors in employee satisfaction, and at the end of the day employees' performance management has a big impact on the organization's own performance.
- Employee friendly policies and guidelines
There should be defined policies and procedures to address pertinent issues; these not only contribute to employee satisfaction but also let employees focus on their job.
Political risk is not a huge issue in developed, industrialized nations, but some regions of the world suffer from a lot of political instability, and that affects an organization's business and environment directly or indirectly, making it hard for businesses to prosper. Another factor that falls under political risk is change in laws and regulations: a change in laws on taxation, data management or anything else touching the line of business can have a huge impact on an organization in cost and effort. For example, the enforcement of the GDPR in Europe was in the headlines at the time of writing, as practically every company was affected and had to adopt its data handling requirements. Another real-life scenario is a change in tax law, which hits organizations in any line of business; their payment and financial IT systems then have to be changed to reflect it.
We have discussed the various types of risk; look at each one and you will find it affects IT, directly or indirectly.
- Operational risk involves IT processes and procedures, e.g. the incident and change management systems.
- Compliance involves IT systems throughout: PCI DSS and GDPR are about data handling and data protection.
- A change in tax law may look like political risk, but it can trigger big changes in the IT systems and software used for payments and finance. Financial risk spreads across the whole IT organization, since any new hardware or software product, or the replacement of an existing system, involves additional expenditure.
- A single data breach or misuse incident can hit an organization's reputation, and is thus a reputational risk.
- A strategic decision to move on-premises IT infrastructure to the cloud may fail because of an inadequate or untrained technical team.