Businesses must put the right security and processes in place to remain safe and sustainable, particularly in today’s changing business environment. There are many factors to consider from a risk perspective, and getting it right is critical. However, these steps do not require complex solutions in all cases, just diligence and attentiveness to the risks.
Michael Shatter, Director, RSM Bird Cameron said, “The events of the global banking crisis and recent cybercrime events demonstrate that it is vital for organisations to identify threats early and respond appropriately. The key is to balance risk and control to enhance the value that organisations can deliver to stakeholders.
“Furthermore, organisations need to stay at the cutting edge of technology risk management since risks are constantly evolving. Support and guidance can make the challenges manageable.”
Sue Wilkinson QPM, Head of the Olympic Intelligence Centre (OIC) for the London 2012 Olympic and Paralympic Games, highlighted the importance of security and robust processes at a recent Women on Boards event hosted by RSM Bird Cameron.
Sue Wilkinson said, “The OIC was responsible for ongoing strategic risk and threat assessments on which the safety and security program for the Olympics was built. The unit delivered strategic and tactical intelligence assessments on the identified threats up to three times daily during the Games.”
Sue Wilkinson identified two key things organisations must consider when it comes to risk management:
1. Every organisation should undertake a strategic risk and threat assessment as early as possible and constantly review the findings.
Sue Wilkinson said, “The security program for the London Games was designed seven years prior to the commencement of the Games and before the winner of the host country was announced. It was therefore able to grow and adapt organically as time passed. Organisations should invest sufficient time and resources in this process, and give it the attention that it deserves.”
2. Organisations should invest appropriately in the plan to address the findings from the risk and threat assessments.
Sue Wilkinson said, “Boards should ensure that there is ongoing and persistent testing and exercising of the controls put in place to mitigate the risks that their organisations are facing. The OIC found that every test carried out threw up something new. These findings were acted upon, and the controls were subjected to further testing and exercising. This cyclical process of testing, exercising and revising is critical to ensure that organisations are well prepared in dealing with the risks and threats as they arise.”
RSM Bird Cameron suggests a three-step process to improved IT security risk management:
1. Perform an IT audit – Identify and understand the risks. An IT audit can help reveal the risks that can jeopardise the security, availability and integrity of data, as well as the performance of business systems. Importantly, it can also measure the effectiveness of existing processes and controls, and then assist in formulating a plan to mitigate and manage the risks.
2. Secure your network – Ensure security risks are mitigated. Securing the network is essential; it covers everything from having appropriate firewalls and anti-virus products in place to educating all users about the risks of cybercrime. Adequate protection also includes monitoring, incident management and policy-setting. It is critical to remember that a large percentage of data breaches and IT security breaches do not originate from external technical intrusions into an organisation's systems; human error and internal weaknesses also contribute to many IT risks.
3. Have a comprehensive disaster recovery plan in place – Be prepared to react if a security event causes a major IT disruption. Most companies understand the importance of a comprehensive disaster recovery plan, but not all of them have implemented a plan that is fully up-to-date, reliable and appropriate for their needs. An effective disaster recovery plan must include IT failovers as well as processes and procedures to follow in the event of an emergency, including who to call and when to call them. Most importantly, keep the plan updated and test its effectiveness.
4. Consider alternate approaches – A fresh perspective can help. While your organisation may already be conducting security testing, a new perspective and approach can sometimes help ensure you are getting the most value from that investment. Organisations need to put as much effort, or more, into properly hardening their internal environment as they do their external environment. For heavily regulated entities, this approach is mandated by regulators and auditors, and it is seeing a much higher rate of enforcement as a result of the number of recent significant data breaches. For non-regulated entities, concerns about protecting intellectual property, corporate bank accounts, customer credit card numbers and other types of sensitive data have to be regarded as an enterprise-level risk. Unfortunately, a data breach only requires one mistake or one unpatched vulnerability to wreak havoc on the network, which means that periodic testing of network security is no longer optional.
Michael Shatter said, “For example, working closely with US firm, McGladrey, RSM Bird Cameron is making available a new security testing approach using Nomad Security Testing Appliances, to its clients. The Nomad is a new form factor that provides an easy and portable means of performing simple to complex security testing of a client’s networks and systems. The unique element is that this security testing solution allows RSM Bird Cameron’s skilled security team members to remotely perform testing on companies’ internal environments as if they were on-site using traditional methods.”