Vendor Risk Management

The 5 Mistakes You May Be Making With Your IT Risk Management

Melissa Stevens | July 14, 2015

In business and in life, safety is always made a priority. From simple day-to-day tasks like wearing a seatbelt, to important business security decisions, prioritizing our safety and the safety of our families and valuable information is of utmost importance. But this process isn’t always easy. It seems like there are new security threats, from computer hackers and otherwise, that force us to find new ways to protect ourselves on a near-constant basis.

One of these security issues that has come to light in recent years is IT risk. Though IT risk has historically been discussed only as the hardware and software side of things, it entails much more than that. Think of it this way: Companies use hardware and software to do things. If some of their hardware and software is tampered with, stolen, or otherwise compromised, the company could take a major hit, but the value of the company will remain in tact. For example, if I’m on Coca Cola’s executive team and someone hacks our system and doesn’t allow me to pay any of my employees, that’s really going to be a problem. But, even though we’ll have a frustrated workforce, the value of our product will remain in tact.

But, if someone with ill intentions finds a way to hack into an organization’s hardware or software and steal or manipulate sensitive data, then that’s a whole different issue entirely. If my department is housing a trade secret by which the entire company infrastructure relies upon—i.e., if I am tasked with protecting Coca Cola’s recipe, and it’s stolen from me via a cyber attack—the foundation on which the organization is built could suffer dramatically.

So as you can tell, IT risk management is incredibly important. So if you’re wondering how you’re supposed to cover all of your IT risk management bases, you’ve come to the right place.

We’ve outlined five critical mistakes you may be making in regard to your IT security, so you can work to identify and protect the holes in your security infrastructure. Let’s take a look.

The 5 Mistakes You May Be Making With Your IT Risk Management

Mistake #1: Not having a comprehensive approach to the problem.

In other words, if you’re only preparing your IT security team to address IT security risk issues, your approach is all wrong. IT risk management should be an organizational effort, and should involve the general council, CEO, chief information officer, chief technology officer, chief information security officer, and anyone else who plays a role in information technology or risk management. When you have the right people involved in the process, you’re far more likely to have an organized response to a cyber security issue. This also allows for a more streamlined risk-reporting process that goes through ground-floor IT managers and up through the C-suite.

Mistake #2: Failing to prioritize material IT risk.

Download Guide: 5 Ways Vendor Risk Management Programs Leave You In The Dark Many organizations focus only on protecting data that they’re legally bound to protect, like personally identifiable information (PII). After all, that seems to be what most “bad guys” are after, right? Not quite.

Hackers don’t just steal credit card information—they can, and do, go after many different types of valuable data. As we mentioned earlier, the loss of highly sensitive data doesn’t just harm a company's reputation—it could be a complete competitive disruption, and result in irreversible damage.

For example, let’s say the trade secrets I’m using to develop my next widget wind up in the hands of someone with ill intentions. Now, I’m at a major competitive disadvantage. I’ve spent tons of time and money making my product (and the processes by which the product is created) unique, and now someone has those secrets. And I have no idea what they’re going to do with them.

The question you’re probably asking is, “How do I know what to protect?” And that’s a great question. The answer is that companies most protect what is most valuable to them. Sometimes, that’s not PII—rather, it’s the special “thing” that makes them who they are. Keep in mind that an IT security team isn’t necessarily the right team to identify what your most important data is—which is why you should involve your entire organization, like we mentioned in “Mistake #1.” If you have your entire organization working to protect this special trade secret or intellectual property, then you ensure that the people involved with your “secret sauce” are fully vested in its protection and security.

Mistake #3: Not identifying the right threats.

If your IT team thinks the only way your data can be compromised is by a loophole in your network, think again. Actually, many of the most highly publicized data breaches are made possible when a vendor with heavy access to your data has a loophole in their security. Attacks can also happen when you receive third-party hardware or software that has been compromised.

To manage these risks, you need to develop supply chain risk management and vendor risk management programs. (If you’re unsure where to start with vendor risk management, check out 10 Vendor Risk Management Questions You May Be Too Scared To Ask.) Planning for the possibility of a third-party driven security breach—either through your network, your vendor’s network, or your software or hardware—will give you the peace of mind (and a plan of action) you need should you encounter an issue.

Mistake #4: Failing to understand the risk that insiders pose.

There are three primary methods through which your IT security can get hacked: remotely, through the supply chain, or by insiders.

Edward Snowden is a recent example of an individual with access to a great deal of data who ended up causing catastrophic damages. When individuals in your organization are given access to privileged information or vital data, there are several steps that should be taken to monitor and observe their behavior. The loosely defined steps would be as follows:

  • Find out what every employee has access to, and determine whether it’s necessary for each of them to have that level of access.
  • Limit access to those who have it unnecessarily.
  • Closely monitor those who have necessary access to highly sensitive data and information.

Mistake #5: Not meeting fiduciary responsibility.

When a security breach takes place, it doesn't just affect your IT department—it can affect finances, regular operations, legal obligations, and more. So if you aren’t ensuring that your organization is acting in good faith and as a good steward for investors, shareholders, and stakeholders, you’re making a grave mistake.

  • Legal: Organizations care about preventing individuals with malevolent intentions from breaching their network and causing harm. To that end, organizations need to ensure that they’re taking every measure possible to protect their data and the data they may be housing of others.
  • Financial: Every organization owes a fiduciary duty to their shareholders. So if an organization doesn’t take the aforementioned measures to protect their data and their data is compromised, people will lose money. This must be avoided at all costs.
  • Operational: CEOs, board members, and general councils must have a heightened level of scrutiny for IT security risk. It’s vital that the higher-ups of every organization are ensuring that the right security measures are deployed, the right people are monitoring risk, the right employees are trained about “if/when” situations, etc. These C-suite members play an important role in closing “risk loopholes” for the future.

It’s important to note that IT security risk is legal risk. Aside from federal and industry-driven laws and regulations that a company may be bound to, there are broader responsibilities that every company needs to comply with. If organizations fail to meet these expectations, they will violate their fiduciary duty (and will probably end up in even more trouble).

In Summary

If you walk away from this article understanding just one thing, let it be this:

IT risk management isn’t just about protecting technology; it’s about protecting your entire business process.

If you heed the warnings we’ve outlined and work to fix any of these five mistakes that you may be making, we’re certain that the risk your organization is facing will be far less.

Download Guide: 5 Ways Vendor Risk Management Programs Leave You In The Dark (& What You Can Do About It)

Download Guide: 5 Ways Vendor Risk Management Programs Leave You In The Dark We've drilled down into areas that vendor risk management programs leave a little vague. 

Download the guide to see if you've considered these critical areas of vendor risk management.

  

Suggested Posts

Third-Party Risk Management Best Practices for Enterprise

Companies are becoming increasingly reliant on third-party relationships, and cyber attacks originating in the systems of third parties are on the rise.

READ MORE »

Airbus Incident Shines Spotlight on Third-Party Vendor Security Risks

2019 has been a year of high-profile attacks, and, as we predicted, it’s only getting worse. That’s certainly the case for Airbus.

READ MORE »

A Vendor Risk Management Questionnaire Template

IT Risk Assessment Questions for Third Parties

Digital relationships with third-party vendors increase opportunities for growth, but they also increase opportunities for cyberattacks — a recent study found that 61% of U.S. companies said...

READ MORE »

Subscribe to get security news and updates in your inbox.