Businesses must put the right security and processes in place to remain safe and sustainable, particularly in today’s changing business environment. There are many factors to consider from a risk perspective, and getting it right is critical. However, these steps do not require complex solutions in all cases, just diligence and attentiveness to the risks.
Michael Shatter, Director, RSM Bird Cameron said, “The events of the global banking crisis and recent cybercrime events demonstrate that it is vital for organisations to identify threats early and respond appropriately. The key is to balance risk and control to enhance the value that organisations can deliver to stakeholders. Furthermore, organisations need to stay at the cutting edge of technology risk management since risks are constantly evolving. Support and guidance can make the challenges manageable.”
Sue Wilkinson QPM, Head of the Olympic Intelligence Centre (OIC) for the London 2012 Olympic and Paralympic Games, highlighted the importance of security and robust processes at a recent Women on Boards event hosted by RSM Bird Cameron. She identified two key things organisations must consider when it comes to risk management:
1. Every organisation should undertake a strategic risk and threat assessment as early as possible and constantly review the findings.
2. Organisations should invest appropriately in the plan to address the findings from the risk and threat assessments.
RSM Bird Cameron suggests a four-step process for improving IT security risk management:
1. Perform an IT audit – Identify and understand the risks
An IT audit can help reveal the risks that can jeopardise the security, availability and integrity of data as well as the performance of business systems. Importantly, it can also measure the effectiveness of existing processes and controls, then assist in formulating a plan to mitigate and manage the risks.
2. Secure your network – Ensure security risks are mitigated
Securing the network is essential, and it covers everything from having appropriate firewalls and anti-virus products in place to educating all users about the risks of cybercrime. Adequate protection also includes monitoring, incident management and policy-setting. It is critical to remember that a large percentage of data breaches and IT security breaches do not originate from external technical intrusions into an organisation's systems; human error and internal weaknesses also account for many IT risks.
3. Have a comprehensive disaster recovery plan in place – Be prepared to react if a security event causes a major IT disruption
Most companies understand the importance of a comprehensive disaster recovery plan, but not all of them have implemented a plan that is fully up to date, reliable and appropriate for their needs. An effective disaster recovery plan must include IT failovers as well as the processes and procedures to follow in the event of an emergency, including who to call and when to call them. Most importantly, keep the plan updated and test its effectiveness regularly.
4. Consider alternate approaches – A fresh perspective can help
While your organisation may already be conducting security testing, a new perspective and approach can sometimes help ensure it is getting the most value from that investment. Organisations need to put as much effort, or more, into properly hardening their internal environment as they do their external environment. For heavily regulated entities, this approach is mandated by regulators and auditors, and it is seeing a much higher rate of enforcement as a result of the number of recent significant data breaches. For non-regulated entities, concerns about protecting intellectual property, corporate bank accounts, customer credit card numbers and other types of sensitive data have to be regarded as an enterprise-level risk. Unfortunately, a data breach only requires one mistake or one unpatched vulnerability to wreak havoc on the network. This means that periodic testing of network security is no longer optional.