Most organisations are now well aware that IT security is an important area of business risk, but many still do not properly analyse the dangers they face: it is only once a problem arises that the full impact of a security breach gradually becomes clear. By treating risk as a central part of security strategy planning, it is possible to develop a more rounded, effective approach, and to enable quick recovery if, or rather when, a security problem arises.
Accept that the risk is real
The vast majority of businesses do, by now, understand that IT security is a major challenge and the consequences of a failure can be serious. However, a disconnect exists: businesses sometimes struggle to accept that today, it isn’t a case of ‘if’ trouble arrives at their own door but rather ‘when’.
Many organisations continue to assume they are unlikely to be the subject of an attack, breach or outage. Applied to other areas of business risk, such as insurance against fire or flooding, that mentality would be inconceivable. Most of us, thankfully, have never worked at a site affected by fire or flood; that does not mean we should stop working to prevent it.
The healthiest approach is to plan on the basis that the risk is real for you, in your circumstances and in your organisation, and to act accordingly.
Understand the risks across your entire IT environment
To protect the business it is vital to understand the risks across the entire IT environment, including both the technology that exists within the business and the areas of potential exposure that arise when working with external partners. It is also a wider discussion than data alone: technology risk assessments should cover all IT assets, wherever they reside, whether on premises, hosted or in the cloud.
Risk assessments can be complex and many organisations could do a lot to improve and strengthen their approach. It is not uncommon, for example, for people to rely on risk assessment templates downloaded from the Internet, assuming they will cover all the main requirements. In most cases these are simply not fit for purpose because they are too generic: a template lists generic threats, not the specific assets, dependencies and exposures of your environment. An assessment needs to be bespoke and comprehensive.
As more organisations implement private and public cloud technologies, the company's network perimeter widens and the risk assessment and security considerations broaden with it. Organisations need to remember that any outsourced element of a security strategy, whether a cloud platform or a managed service, is itself a point of risk and a third-party dependency: the provider's controls reduce the risk, but they do not transfer the organisation's accountability for it.
Assign responsibility for assessing and managing risk
In every organisation, someone needs to be responsible for IT security risk and strategy. For any business with an IT leader or team, the obvious approach is to place responsibility with them. They understand IT, so they are the logical people to understand IT security.
But to be truly effective, an approach to data risk and security needs to be impartial. Risk assessments need to adopt a brutally honest, "warts and all" approach if they are to inform the subsequent security strategy in the most effective way.
The problem is that many businesses don’t have dedicated IT staff, or leaders with the right level of experience or knowledge to focus on risk and security. Even for those organisations with greater resources, finding and retaining people who can act as the impartial expert is difficult, especially given the current high levels of demand for their services.
Technology partners can help resolve this challenge and play a vital role, given their specialised experience and the advantage they present by doing the job all day, every day. Every organisation should aim for an appropriate level of impartiality, whether that comes from their own staff or from a trusted third party.
Make plans for rapid recovery
Most organisations, quite logically, focus on prevention. But very few look beyond that point and put a strategy in place to help the business recover as quickly as possible once a security problem has occurred. For the most high-profile attacks, the time and cost of repair can be very significant. Sony, for example, released figures to counter estimates that its 2014 security breach could eventually cost up to $100 million; the correct amount, according to Sony, was $35 million, still a large sum for any organisation.
It is important for businesses to factor the risk associated with recovery into their planning, and to have an infrastructure in place which can adapt quickly to a security breach and allow the business to return to normal trading without undue delay. A recovery plan that has never been rehearsed is a hope rather than a plan: backups should be kept out of reach of the same incident that would trigger their use, and restores should be tested before they are needed.
Despite the risk, there is also opportunity
IT risk and security failures are generally seen as something to be mitigated. The best possible outcome is that risks never turn into reality.
But for those who have taken the most proactive and informed approach to the security issue, risks can begin to turn into opportunities. Combine that with the ability to demonstrate excellence in risk management and IT security becomes a differentiator: an area of competitive advantage. In our connected economy, businesses with a superior approach to IT risk and security will score points over a rival who does the bare minimum.
Ultimately, protection against IT risk is a question of degree; no-one claims that we are close to solving every IT security challenge once and for all, but adopting an approach which focuses on business risk can allow us all to move forward more confidently than before.
By Kevin Linsell, Director of Strategy and Architecture at Adapt