Organisations have many competing priorities for their owners and managers, including sales and cashflow. Technology risk is not usually seen as important. Yet in today’s ever more interconnected, shared-drive, cloud-based business environment, where technology is embedded into most business processes, the consequences of not addressing the risks can far outweigh whatever is gained by deferring them.
What is technology risk?
Technology is any device or software and the data that is used to support and facilitate your business operations.
Risk, in this context, is anything that prevents the effective operation of that technology or the loss of data and assets.
For example, a ransomware attack that encrypts all your data, or locks you out of your computer system unless you pay a ransom, prevents the effective operation of your technology and therefore your organisation.
A lot of SMEs have the attitude: “Why would someone want to target us?”
PwC’s 2017 Global State of Information Security Survey revealed that New Zealand organisations reported 21 percent of cyber attacks as coming from their suppliers and business partners (up from 10 percent in 2016). Would you still want to do business with those suppliers or business partners?
What sort of attacks could happen to my business?
Credit card information is a prime target for attackers. If you fail to secure it adequately and an attacker compromises your system and obtains your customers’ credit card details, this would have a major impact on your customers and on your organisation’s reputation. What fines* could you then be liable for?
External attacks can take a scattergun approach, where millions of organisations are hit in the knowledge that some will not have addressed their technology risks and will be compromised. By understanding the risks and applying some key mitigations, you significantly reduce the likelihood that your organisation will be compromised, as attackers focus on organisations with weaker controls.
Most organisations carry insurance to mitigate their material risks, yet do not give technology risk the same importance. One reason may be that, although greater publicity has made organisations more aware of the risks, a lack of information technology knowledge makes it hard to translate that awareness into a deeper understanding of the breadth and depth of the risks they face.
What questions should SME owners and managers be asking?
How would I know that I have been compromised?
The longer an attacker has access to your systems, the more damage they may be able to do. Most companies don’t know they have been compromised until informed by a third party. On average it takes 205 days (based on PwC surveys) for attackers present on an organisation’s network to be discovered.
Who is managing my technology/data?
Given the size of a typical business and the resources available to it, there is often no dedicated internal IT capability to focus on technology risk. Outsourcing your technology management to a third-party provider may address this capability gap, but it does not address all your risks and introduces new ones, such as how you manage the provider.
How secure are my devices?
Properly securing your devices, from servers and network devices to workstations and mobile devices, limits the extent of a compromise and better protects personal and business data.
What data do I collect? Is it the right data and can I rely on the data for decision-making?
Technology risk also relates to the data and how this is used to inform decision-makers.
PwC often finds that organisations are not collecting the right data to inform decisions or are placing unwarranted reliance on data which results in incorrect decisions being made.
Am I meeting all my compliance obligations for protecting personal data?
A good starting point is compliance with the Privacy Act (a new Privacy Bill is being worked on by the current government) and, if you deal internationally, other privacy legislation such as the European Union’s General Data Protection Regulation (GDPR), as well as the Payment Card Industry Data Security Standard (PCI DSS) for securing credit card information.
What do my technology users have access to?
Organisations are often poor at maintaining the list of users who have access to their systems. In our work with clients we often find that access rights to applications are out of date.
What applications are being used within my organisation?
Many organisations allow Bring Your Own Device (BYOD) and use cloud services, which blur the organisation’s digital footprint. With rapid adoption and simplistic assumptions about how these work, and about just what “secure” means, there is often quite a gap between an organisation’s assumed and actual level of risk.
Prevent, Detect, Respond, Recover
Once you have identified your risks, then you need to design and apply controls to mitigate the risks and protect your assets. The following framework is a good approach to take.
Prevent – the top five things you can do towards prevention are:
• Patching – ensure that your devices and software have up-to-date patches (you have the latest version of the software).
• Administrative access – restrict administrative access and ensure these accounts have strong passwords.
• Anti-virus and anti-malware – make sure it is installed, up-to-date, and covers mobile devices as well.
• Application whitelisting – only specified applications are able to run within your environment.
• Secure configuration of devices and software – servers, workstations, laptops, mobile devices, network devices.
Detect – invest in being able to detect new types of attacks. New Zealand companies are over-reliant on penetration tests compared with global companies and should look to diversify into more advanced tools like risk-based authentication.
Respond – success or failure comes down to how well the organisation responds after an incident.
Recover – ensure that your business has a good backup regime, with the backups regularly tested by actually restoring them. This needs to be part of a comprehensive business continuity plan.
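The point that backups must be tested by restoring them, not just taken, is easy to automate. The following is an added example, not code from the article or from PwC: it backs up a directory into a tar.gz archive, records a SHA-256 manifest of every file, restores the archive into a scratch directory and compares the restored files against the manifest. The sample data set and the simulated damaged archive are constructed for the demonstration; any backup tool could be substituted for the tar step as long as the same restore-and-compare check is kept.

```python
"""Backup-and-restore test (added example, not the article's own code).

A backup that has never been restored is an assumption, not a control.
This script creates an archive, records a SHA-256 manifest, restores the
archive into a fresh directory and verifies every file against the manifest.
"""
import hashlib
import tarfile
import tempfile
import zlib
from pathlib import Path


def sha256_of(path: Path) -> str:
    """SHA-256 digest of a file, read in chunks so large files are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    return {
        str(p.relative_to(root)): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def create_backup(source: Path, archive: Path) -> dict:
    """Write a gzip-compressed tar of source and return the manifest to keep
    alongside it (store the manifest separately from the archive)."""
    manifest = build_manifest(source)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")
    return manifest


def verify_restore(archive: Path, manifest: dict) -> list:
    """Restore the archive into a fresh directory and compare it with the
    manifest. Returns a list of problem strings; an empty list means the
    restore test passed."""
    problems = []
    with tempfile.TemporaryDirectory() as restore_dir:
        restore_root = Path(restore_dir)
        try:
            with tarfile.open(archive, "r:gz") as tar:
                # Use the safe extraction filter where the Python version has it,
                # so a tampered archive cannot write outside restore_root.
                extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
                tar.extractall(restore_root, **extra)
        except (tarfile.TarError, EOFError, OSError, zlib.error) as exc:
            # A damaged or truncated archive is the failure this test exists to catch.
            return [f"archive unreadable: {exc}"]
        restored = build_manifest(restore_root)
        for rel, expected in manifest.items():
            if rel not in restored:
                problems.append(f"missing after restore: {rel}")
            elif restored[rel] != expected:
                problems.append(f"content mismatch: {rel}")
        for rel in restored:
            if rel not in manifest:
                problems.append(f"unexpected file in restore: {rel}")
    return problems


def run_backup_test(corrupt: bool = False) -> list:
    """Build a constructed sample data set, back it up, optionally damage the
    archive, and return the problems reported by the restore test."""
    with tempfile.TemporaryDirectory() as work:
        source = Path(work) / "data"
        (source / "accounts").mkdir(parents=True)
        # Constructed sample business data; not real records.
        (source / "accounts" / "ledger.csv").write_text("date,amount\n2023-01-01,100\n")
        (source / "customers.txt").write_text("Alice Example\nBob Example\n")
        archive = Path(work) / "backup.tar.gz"
        manifest = create_backup(source, archive)
        if corrupt:
            # Simulate a failed backup medium by truncating the archive to half its size.
            data = archive.read_bytes()
            archive.write_bytes(data[: len(data) // 2])
        return verify_restore(archive, manifest)


if __name__ == "__main__":
    print("healthy backup problems:", run_backup_test())
    print("damaged backup problems:", run_backup_test(corrupt=True))
```

Running the script shows the healthy backup passing with no problems and the truncated one reported as unreadable. In practice the manifest should be kept apart from the archive (and ideally offline), since a ransomware incident that encrypts the backups would otherwise take the means of checking them as well.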
The Institute of Directors’ SMEs page (https://www.iod.org.nz/Governance-Resources/Resource-library/SMEs) links to the connectsmart website, which has a toolkit outlining the steps SMEs can take to address technology risks.
PwC offers a technology risk diagnostic tool that provides a quick health check and a useful summary of an organisation’s technology risk profile, which then informs where focus should be placed to reduce risk.