My entire career has been surrounded by risk; mostly in the technology arena. Regardless of the job role, from a technology engineer through risk manager, solutions architect, IT leader, and into my current role as a consulting engineer one thing has been commonplace – risk must be mitigated. Today, risk is common place with every organization and thrives in the form of cyber threats; among others. Technology has brought us vast advances in manufacturing, banking, medicine, and retail – with it comes significant increase in our risk footprints leading to financial, data, or reputation loss.
Before we can begin the process of mitigating cyber risks (some call this risk management; which is an incorrect term in my opinion), we need to understand them and their potential impacts. The risks themselves are varied but from a high-level can be categorized as:
- Accidental & Intentional Security Breaches
- Operational Systems Failures
- Downline & Upline Risks
Let’s break these down.
- Security breaches are the exposure of systems or data beyond their intended and authorized access footprints. When looking at accidental security breaches, this can include things like a database backup left unsecured, private data sent to the wrong party, or something as simple as a data center cage left open while the engineer was on a smoke break. These may seem trivial, but when your data is breached, or your corporate secrets are exposed – you will be left shouldering the responsibility. Then there are intentional security breaches, those that wreaked havoc on the NSA, Adobe, and the Veterans Administration. These come in the form of virtual or physical attacks intended to either steal data or disrupt services to an organization or individual. These are the attacks that most organizations try to prevent first and foremost – often at the expense of other attack vectors.
- Operational system failures are a form of cyber risk that I see frequently as a direct result of poor systems maintenance, lifecycle management, and a general overuse of the phrase, “If it ain’t broke, don’t fix it.” Remember, just because something is working does not mean it should not be replaced, patched, upgraded – or in the world of vehicles, have its oil changed – on a routine basis. Remember, a five-year lifecycle is about the maximum you should try to squeeze out of IT systems – and really, three years is where you should be to mitigate risks. Before we move on here, how long can your business run without access to any of its data because you failed to replace your SAN before it failed due to drive age?
- So, what are downline and upline risks? Well, these are risks that you assume because of doing business with vendors/suppliers. Truly, most of these types of risks fall to the business side of the world, right? Wrong. What happens when your phone systems are down, internet, international circuits, hosted email, CRM, payroll systems? People tend to get upset right? These are the risks that you can’t control completely, but are responsible for.
Next up in, how do we mitigate against security breaches from a high level? Certainly, there are already thoughts in your mind – areas that you know you need to address. Well, that is a good place to start until next post…