8 Risk Management Exposures You May Have Overlooked
October 20, 2014
Most SMOs (Small and Medium Organizations) are good at addressing the low hanging fruit of risk management - basic computer security, financial controls, protection of highly sensitive documents, etc. All too often however, such organizations (and a surprising number of large ones) miss important risks that may be less than obvious to all but experienced risk managers. The purpose of this article is to discuss 8 such risks, with some ideas about how to address them. This post is loosely based on 10 Areas of IT Risk You Could Be Overlooking in TechRepublic, written by Mary Shacklett.
1) Basic Physical Security
There is much focus in our world of identity theft on data security precautions such as firewalls, intrusion prevention systems, etc. Often overlooked, however, are basic physical security controls. One of my hot buttons is non-retail businesses that keep their doors open to the public but do nothing to prevent someone from walking into the lobby and right past the receptionist. In the old days, a common approach to petty theft was for one person to walk into a lobby and distract the receptionist while another went back unnoticed, stealing purses and other small valuable items. I remember my mom being the victim of such a theft in a law office.
Today the approach is similar, but the thieves are now stealing expensive PCs holding your valuable company data. If your front door is unlocked, you should always have a locked inside door to prevent unwanted intrusions (what we in the security world refer to as a preventive control). Other appropriate physical security controls include video cameras, badge access systems, and keeping expensive equipment out of sight of windows.
2) Backup Media
SMOs are much better at ensuring that their servers are backed up regularly than what I experienced 10 years ago, and a surprising number are still using tape-based systems. A survey of SMOs conducted by Iron Mountain in 2013 indicated that 94% use or plan to use tape as a backup medium. If you are one of those, you may be placing false confidence in your media. Tapes deteriorate over time, especially when they are not stored in proper environmental conditions. They must also be cleaned and retensioned periodically, and be easily located when you need them (and preferably NOT in the same building as your systems). They should also be spot checked periodically to make sure the data is readable, which means actually restoring a sample and comparing it against what was written, not just confirming that the drive can read the tape.
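The spot check in the paragraph above is easy to skip because "readable" is vague. One way to make it concrete is to record a SHA-256 digest of every file when the backup set is written, keep that manifest apart from the tape, and later compare a restored sample against it. The following is an added example, not code from the original post; the directory layout, file names and contents are constructed for illustration, and the "damaged restore" is simulated rather than read from real media.

```python
"""Backup verification: record SHA-256 digests when the backup set is
written, then check a restored copy against that manifest.

Added example; not code from the original post. The file tree below is
constructed sample data.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large backup files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(backup_root: Path, manifest_path: Path) -> dict:
    """Hash every file under backup_root and save {relative_path: digest} as JSON.
    Produce this at backup time and store it separately from the media."""
    manifest = {
        p.relative_to(backup_root).as_posix(): sha256_file(p)
        for p in sorted(backup_root.rglob("*")) if p.is_file()
    }
    manifest_path.write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_restore(restore_root: Path, manifest: dict) -> dict:
    """Compare a restored tree against the manifest.
    Returns lists of files that are ok, missing, corrupt (digest mismatch),
    or unexpected (present in the restore but absent from the manifest)."""
    result = {"ok": [], "missing": [], "corrupt": [], "unexpected": []}
    for rel, expected in manifest.items():
        p = restore_root / rel
        if not p.is_file():
            result["missing"].append(rel)
        elif sha256_file(p) != expected:
            result["corrupt"].append(rel)
        else:
            result["ok"].append(rel)
    restored = {p.relative_to(restore_root).as_posix()
                for p in restore_root.rglob("*") if p.is_file()}
    result["unexpected"] = sorted(restored - set(manifest))
    return result


def demo() -> dict:
    """Build a small constructed backup set, simulate a damaged restore, verify it."""
    with tempfile.TemporaryDirectory() as tmpdir:
        tmp = Path(tmpdir)
        src = tmp / "backup"
        (src / "db").mkdir(parents=True)
        (src / "db" / "ledger.sql").write_bytes(b"CREATE TABLE ledger (...);\n" * 100)
        (src / "payroll.csv").write_bytes(b"id,name,amount\n1,Alice,100\n")
        (src / "notes.txt").write_bytes(b"quarterly close notes\n")
        manifest = write_manifest(src, tmp / "manifest.json")

        # Simulated restore from tape: one file intact, one silently altered
        # (bit rot), one unreadable and therefore never restored.
        dst = tmp / "restore"
        (dst / "db").mkdir(parents=True)
        (dst / "db" / "ledger.sql").write_bytes((src / "db" / "ledger.sql").read_bytes())
        (dst / "payroll.csv").write_bytes(b"id,name,amount\n1,Alice,999\n")  # corrupted
        # notes.txt deliberately not restored
        return verify_restore(dst, manifest)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of the manifest is that a tape which mounts and reads without drive errors can still hand back altered or truncated data; only a digest comparison against what was originally written tells you the restore is trustworthy. In practice the same routine runs against a restore of a randomly chosen tape each quarter, and a non-empty `missing` or `corrupt` list is the signal that the media or the drive needs attention.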
3) Loss of a Key Staff Member
Many SMOs have a key tech staff member who has been there since the dawn of time, and he/she probably has a bunch of important details impacting operations in their head. If they leave, or worse get hit by a bus, you may be sunk. I had lunch yesterday with the CEO of a software company, and we discussed a particular employee with a great deal of critical company information stored in his head. The CEO had wisely made documentation of these key details part of his compensation plan. If you have such people, they need to write it all down, starting today!
4) Insider Attacks
Much attention is paid to security threats from outside a company, and that is as it should be. Many threats come from inside, however, often from IT employees with an axe to grind. They can sabotage your systems, sell your data, and generally make life miserable. It is important to background check your key employees. For IT people, I generally recommend that the check be updated at least every two years. Other approaches to minimizing internal risk include separation of duties, granting each employee the least privilege needed for the job, job rotation, and monitoring of security logs by someone other than the administrators who generate them.
A related risk comes from terminated employees. Many organizations, large and small, fail to promptly remove access privileges for a departed employee. Even if the departure was amicable, it is critical that such access be removed immediately upon termination, and that someone periodically reconciles the list of active accounts against the list of current employees to catch the ones that slipped through.
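The reconciliation described above is a mechanical comparison, so it is worth automating rather than trusting that HR always tells IT. The following is an added example, not code from the original post: it takes an HR roster and a directory account export (both constructed sample data here; in practice they would come from the HR system and an LDAP or Active Directory export) and flags enabled accounts whose owner has left, accounts with no owner on the roster at all, and accounts nobody has logged into recently. The column names and the 90-day dormancy threshold are assumptions for illustration.

```python
"""Access-removal check for departed employees.

Added example, not from the original post. The HR roster and the account
export below are constructed sample data with assumed column names.
"""
import csv
import io
from datetime import date, timedelta

# Constructed HR roster: one row per person; blank "terminated" = still employed.
HR_ROSTER_CSV = """employee_id,name,terminated
1001,Alice Example,
1002,Bob Example,2014-09-30
1003,Carol Example,
1004,Dan Example,2014-10-15
"""

# Constructed directory export: account owner, enabled flag, last interactive logon.
ACCOUNTS_CSV = """username,employee_id,enabled,last_logon
alice,1001,true,2014-10-19
bob,1002,true,2014-10-18
carol,1003,true,2014-06-01
dan,1004,false,2014-10-14
svc_backup,,true,2014-10-19
ghost,,true,2013-12-01
"""


def load_csv(text: str) -> list:
    """Parse CSV text into a list of row dicts keyed by header."""
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(roster_rows, account_rows, today: date, dormant_days: int = 90) -> dict:
    """Compare directory accounts against the HR roster.

    Returns findings in three buckets:
      terminated_still_enabled: (username, days since termination) where the
                                owner has left but the account is still enabled
      orphaned: enabled accounts whose employee_id matches nobody in HR
      dormant:  enabled accounts with no logon within dormant_days
    Disabled accounts are skipped: the control has already been applied.
    """
    roster = {r["employee_id"]: r for r in roster_rows}
    findings = {"terminated_still_enabled": [], "orphaned": [], "dormant": []}
    cutoff = today - timedelta(days=dormant_days)
    for acct in account_rows:
        if acct["enabled"].strip().lower() != "true":
            continue
        owner = roster.get(acct["employee_id"])
        if owner is None:
            findings["orphaned"].append(acct["username"])
        elif owner["terminated"]:
            days_over = (today - date.fromisoformat(owner["terminated"])).days
            findings["terminated_still_enabled"].append((acct["username"], days_over))
        if date.fromisoformat(acct["last_logon"]) < cutoff:
            findings["dormant"].append(acct["username"])
    return findings


def run(today: date = date(2014, 10, 20)) -> dict:
    """Run the reconciliation over the constructed sample data."""
    return reconcile(load_csv(HR_ROSTER_CSV), load_csv(ACCOUNTS_CSV), today)


if __name__ == "__main__":
    for bucket, items in run().items():
        print(f"{bucket}: {items}")
```

On the sample data this reports `bob` as terminated 20 days ago with an account still enabled, `svc_backup` and `ghost` as having no owner on the roster, and `carol` and `ghost` as dormant. Service accounts like `svc_backup` will legitimately have no employee owner; the right response is to record a responsible person for each one rather than to exempt unowned accounts from the check, since an unowned, enabled account that nobody logs into is exactly what a departed administrator leaves behind.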
5) Internet Bandwidth and Reliability
Most businesses today use at least some Internet-based systems to run their companies, and a growing number use such systems exclusively. We also live in an age where "cloud" is no longer an atmospheric feature, but rather a major Internet resource. Many organizations are now discovering that if their Internet service is not reliable or fast enough, their operation can quickly grind to a halt. If your organization has major Internet dependence, Internet redundancy is a necessity: a second connection from a different carrier, ideally entering the building by a different physical path.
6) Silos
Unless your business is farming, I am not referring to the tall structures used to store grain. Rather, this refers to departments within an organization that bypass IT and choose their own systems and vendors, often because the IT department is unable or unwilling to address their needs (yes, we IT folks can be a bit stubborn). This strategy works fine until the inevitable need to integrate systems occurs. If integration was not part of the original selection process (and it likely was not), this task can be difficult or impossible. I recently purchased a pool slide. The vendor had to process the order through one system and then re-enter everything into a second for inventory control. This increased their costs and my frustration. Integration is critical to efficiency, so software purchases need to be considered from a corporate perspective. IT needs to be equipped and encouraged to meet such needs up front.
7) Black Box Code
If your organization has been around for some time, and your systems run using custom programs, you may have "black box code". This term refers to programs written years ago that nobody on the current staff knows how to maintain. This was a particular issue in the run-up to the year 2000, bringing many programmers of antique languages back out of retirement. Take a hard look at any custom code you use to run your business, and make sure you have a specific plan in place to fix and maintain it.
8) Staff Security Training
This may be one of the most overlooked risks in corporate America today. Employees need to be trained on basic security practices and company security policies (and if you have no such policies, you have another problem to address). Such training is required by many compliance standards, but it is important for everyone. It is not sufficient to do it once and move on, or to send it out as a written document. It should be conducted yearly, and given to new employees immediately upon hire. Such training is best delivered either by a live trainer or by a computer-based course, with quizzes and completion tracking.
In summary, risk management is difficult, and the stakes are high, in many cases as high as the failure of a business. Risk management demands attention, and it will get it, one way or the other.
Given how important we at togoCIO consider risk management, we are offering a free written assessment of current risk management preparedness for local organizations. We will spend up to 2 hours doing an onsite assessment and producing a detailed written report, helping you to easily identify unaddressed risks. Click here for more information.