Recently, during a company’s computer system upgrade, hackers broke in, cracked the passwords of nearly 13,500 of the company’s 15,000 employees, and set themselves up as super-users. They altered the company’s bonus checks by moving decimal points over one space, making a $5,000 bonus check even sweeter – $50,000. Not surprisingly, top management was not pleased.
Luckily for company executives, this real-life scenario happened as part of a technology risk assessment conducted to uncover system vulnerabilities so risks could be mitigated before an actual loss occurred. Not every company is lucky enough to avert disaster, but more could if they simply performed annual technology risk assessments.
In today’s regulatory environment where Sarbanes-Oxley and other legislation have highlighted the need for effective risk management, it is clear that Nevada companies would benefit from adopting a proactive approach to technology risk. Similar to scheduling routine tune-ups for a car or physicals with a doctor, regularly scheduled technology risk assessments can update risk management plans to monitor progress of the enterprise’s overall technology risk management program.
A technology risk assessment provides company executives with an independent, business-oriented outside perspective of IT risk. It prioritizes the high to medium risks that need mitigation and explains a company’s risks in “plain language” without technical jargon. This helps senior management understand and prioritize IT risk spending and determine the quality of its IT operations – allowing senior management to sleep at night.
Effective technology risk assessments identify the business processes with the highest risk and then rank the potential business losses caused by the failure or destruction of technology, or by the exposure of sensitive information.
The following steps will help integrate a technology risk assessment into a company’s business model:
• Identify and confirm business processes, risk areas and scoring thresholds.
• Gather perceptions on risk significance.
• Prioritize risk areas based on threat likelihood and the strength of existing security controls.
• For each consequence, identify management’s risk tolerance.
• Evaluate the capabilities (culture, organization, policies, processes, systems) to manage the desired tolerance.
Network vulnerability scanning should also be part of a thorough risk assessment. Typical technology risk assessments use a top-down methodology, whereas network vulnerability scanning is bottom-up work. While the two might seem incongruent, scans provide a very good view of how well security and configuration management controls are actually maintained in key parts of the infrastructure, and they can confirm or contradict what the top-down interviews report.
In the future, Nevada business owners will increasingly rely on technology risk assessments to better defend themselves against emerging threats from hackers, saboteurs, accidental disclosures and automated identity theft. As technologies rapidly advance, so too should a company’s defenses, and a technology risk assessment is the first step in that direction.
A Technology Risk Tune-Up
Consider the following questions to evaluate your company’s IT operational processes.
• Are operational duties segregated so that new technologies are accepted into production only after their risks have been addressed?
• Are monitoring duties clearly defined, and do they include tools and processes commensurate with the risks they’re supposed to address?
• Does the organization emphasize monitoring high-risk components such as the security perimeter?
• Are other high-risk components such as databases monitored for access attempts?
• Is sensitive data routinely encrypted before sending it off site? Are the encryption keys properly managed?
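The last question above is the one on this list that turns directly into engineering. The example below is added here and is not code from the article; it shows what "encrypted before sending it off site" with "properly managed keys" looks like in practice: envelope encryption, where each file gets its own data-encryption key (DEK) that is in turn wrapped under a key-encryption key (KEK) held by a key manager. The Keyring type is a hypothetical stand-in for a real key management service, and the envelope layout is constructed for this example; the cryptography is Go's standard-library AES-256-GCM. It also demonstrates the key-management failure modes the question is really asking about: rotating a KEK keeps old files readable, retiring one before re-wrapping makes them unreadable, and a header that points a file at a different KEK is rejected because the key ID is authenticated.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Keyring is a hypothetical stand-in for a key management service: it holds
// key-encryption keys (KEKs) indexed by ID and records which one is current.
type Keyring struct {
	keks    map[uint32][]byte
	current uint32
}

func NewKeyring() *Keyring { return &Keyring{keks: map[uint32][]byte{}} }

// Rotate generates a fresh 256-bit KEK and makes it current. Earlier KEKs stay
// in the ring so files wrapped under them remain readable.
func (k *Keyring) Rotate() (uint32, error) {
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		return 0, err
	}
	k.current++
	k.keks[k.current] = kek
	return k.current, nil
}

// Retire deletes a KEK. Anything still wrapped under it becomes unreadable,
// which is why retirement must follow re-wrapping, never precede it.
func (k *Keyring) Retire(id uint32) { delete(k.keks, id) }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal returns nonce || ciphertext || tag, with aad bound into the tag.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

func open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// Envelope layout (constructed for this example):
//   kekID (4 bytes) | wrappedLen (4 bytes) | wrapped DEK | sealed payload
// kekID is used as AAD on both layers, so re-pointing a file at another KEK
// makes both authentication tags fail.
func Encrypt(kr *Keyring, plaintext []byte) ([]byte, error) {
	kek, ok := kr.keks[kr.current]
	if !ok {
		return nil, errors.New("keyring has no current KEK")
	}
	dek := make([]byte, 32) // fresh per-file data-encryption key
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	idb := make([]byte, 4)
	binary.BigEndian.PutUint32(idb, kr.current)
	wrapped, err := seal(kek, dek, idb)
	if err != nil {
		return nil, err
	}
	payload, err := seal(dek, plaintext, idb)
	if err != nil {
		return nil, err
	}
	lb := make([]byte, 4)
	binary.BigEndian.PutUint32(lb, uint32(len(wrapped)))
	out := append([]byte{}, idb...)
	out = append(out, lb...)
	out = append(out, wrapped...)
	return append(out, payload...), nil
}

func Decrypt(kr *Keyring, env []byte) ([]byte, error) {
	if len(env) < 8 {
		return nil, errors.New("envelope too short")
	}
	idb := env[:4]
	id := binary.BigEndian.Uint32(idb)
	wl := int(binary.BigEndian.Uint32(env[4:8]))
	if len(env) < 8+wl {
		return nil, errors.New("envelope truncated")
	}
	kek, ok := kr.keks[id]
	if !ok {
		return nil, fmt.Errorf("KEK %d not in keyring: retired or never provisioned", id)
	}
	dek, err := open(kek, env[8:8+wl], idb)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return open(dek, env[8+wl:], idb)
}

func main() {
	kr := NewKeyring()
	kr.Rotate()
	env, _ := Encrypt(kr, []byte("SSN 000-00-0000, bonus 5000")) // constructed sample
	pt, err := Decrypt(kr, env)
	fmt.Printf("%q %v\n", pt, err)
}
```

The point of the two-layer design is that the bulk data never has to be re-encrypted when a KEK is rotated; only the small wrapped DEK does, and the key manager, not the file, decides which KEKs still exist. The practical check for the question above is therefore not just "is AES used" but: is there a key ID in every envelope, is there a rotation schedule, and is re-wrapping completed before any old KEK is destroyed.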