1. Not having a comprehensive approach to the problem.
In other words, if you’re only preparing your IT security team to address IT security risk, your approach is wrong. IT risk management should be an organization-wide effort that involves the general counsel, CEO, chief information officer, chief technology officer, chief information security officer, and anyone else who plays a role in information technology or risk management. When the right people are involved in the process, you’re far more likely to mount an organized response to a cyber security incident. It also allows for a more streamlined risk-reporting process that runs from ground-floor IT managers up through the C-suite.
2. Failing to prioritize material IT risk.
Many organizations focus only on protecting data that they’re legally bound to protect, like personally identifiable information (PII). After all, that seems to be what most “bad guys” are after, right? Not quite.
Hackers don’t just steal credit card information—they can, and do, go after many different types of valuable data. As we mentioned earlier, the loss of highly sensitive data doesn’t just harm a company’s reputation—it could be a complete competitive disruption, and result in irreversible damage.
For example, let’s say the trade secrets I’m using to develop my next widget wind up in the hands of someone with ill intentions. Now, I’m at a major competitive disadvantage. I’ve spent tons of time and money making my product (and the processes by which the product is created) unique, and now someone has those secrets. And I have no idea what they’re going to do with them.
The question you’re probably asking is, “How do I know what to protect?” And that’s a great question. The answer is that companies must protect what is most valuable to them. Sometimes that’s not PII—rather, it’s the special “thing” that makes them who they are. Keep in mind that an IT security team isn’t necessarily the right team to identify what your most important data is—which is why you should involve your entire organization, as we mentioned in “Mistake #1.” If you have your entire organization working to protect that trade secret or intellectual property, you ensure that the people involved with your “secret sauce” are fully invested in its protection and security.
3. Not identifying the right threats.
If your IT team thinks the only way your data can be compromised is through a vulnerability in your own network, think again. Many of the most highly publicized data breaches were made possible by a security weakness at a vendor with extensive access to the victim’s data. Attacks can also arrive through third-party hardware or software that was compromised before you received it.
To manage these risks, you need to develop supply chain risk management and vendor risk management programs. (If you’re unsure where to start with vendor risk management, check out 10 Vendor Risk Management Questions You May Be Too Scared To Ask.) Planning for the possibility of a third-party-driven security breach—whether through your network, your vendor’s network, or your software or hardware—will give you the peace of mind (and the plan of action) you need should you encounter an issue.
4. Failing to understand the risk that insiders pose.
There are three primary routes through which your IT systems can be compromised: remotely, through the supply chain, or by insiders.
Edward Snowden is a recent example of an individual with access to a great deal of data who ended up causing catastrophic damage. When individuals in your organization are given access to privileged information or vital data, there are several steps that should be taken to monitor and observe their behavior. The loosely defined steps are as follows:
Find out what every employee has access to, and determine whether it’s necessary for each of them to have that level of access.
Limit the access of those who have it unnecessarily.
Closely monitor those who have necessary access to highly sensitive data and information.
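The three steps above can be turned into a repeatable access review. The following is an added example, not code from the article; the roles, resources, sensitivity labels and entitlements are constructed sample data, and the role-needs baseline stands in for whatever your organization decides is necessary access.

```python
# Access review for the three insider-risk steps above. Added example, not from
# the article; the roles, resources and entitlements below are constructed.
from dataclasses import dataclass

# Constructed classification of what counts as highly sensitive (step 3).
SENSITIVE = {"trade-secrets", "customer-pii"}

# Constructed baseline of what each role legitimately needs. An unknown role
# has no entry, so every entitlement it holds is treated as unnecessary.
ROLE_NEEDS = {
    "engineer": {"source-repo", "trade-secrets"},
    "sales": {"crm", "customer-pii"},
    "intern": {"source-repo"},
}

@dataclass(frozen=True)
class Entitlement:
    user: str
    role: str
    resource: str

# Constructed inventory (step 1: find out what every employee has access to).
INVENTORY = [
    Entitlement("alice", "engineer", "source-repo"),
    Entitlement("alice", "engineer", "trade-secrets"),
    Entitlement("bob", "sales", "crm"),
    Entitlement("bob", "sales", "trade-secrets"),     # sales does not need this
    Entitlement("carol", "intern", "customer-pii"),   # interns do not need this
    Entitlement("dave", "contractor", "source-repo"), # role has no baseline
]

def review(inventory, role_needs, sensitive):
    """Sort each entitlement into revoke (step 2), monitor (step 3) or keep."""
    plan = {"revoke": [], "monitor": [], "keep": []}
    for e in inventory:
        needed = e.resource in role_needs.get(e.role, set())
        if not needed:
            plan["revoke"].append((e.user, e.resource))
        elif e.resource in sensitive:
            plan["monitor"].append((e.user, e.resource))
        else:
            plan["keep"].append((e.user, e.resource))
    return plan

if __name__ == "__main__":
    for action, items in review(INVENTORY, ROLE_NEEDS, SENSITIVE).items():
        print(f"{action}: {items}")
```

Feeding the review a real export of entitlements against a maintained role baseline gives you the revocation list and the monitoring list the two later steps call for.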
5. Not meeting fiduciary responsibility.
When a security breach takes place, it doesn’t just affect your IT department—it can affect finances, regular operations, legal obligations, and more. So if you aren’t ensuring that your organization is acting in good faith and as a good steward for investors, shareholders, and stakeholders, you’re making a grave mistake.
Legal: Organizations care about preventing individuals with malevolent intentions from breaching their network and causing harm. To that end, organizations need to ensure that they’re taking every measure possible to protect their own data and any data they house on behalf of others.
Financial: Every organization owes a fiduciary duty to its shareholders. So if an organization doesn’t take the aforementioned measures to protect its data and that data is compromised, people will lose money. This must be avoided at all costs.
Operational: CEOs, board members, and general counsel must apply a heightened level of scrutiny to IT security risk. It’s vital that the higher-ups of every organization ensure that the right security measures are deployed, the right people are monitoring risk, the right employees are trained for “if/when” situations, and so on. These C-suite members play an important role in closing “risk loopholes” for the future.
It’s important to note that IT security risk is legal risk. Aside from federal and industry-driven laws and regulations that a company may be bound to, there are broader responsibilities that every company needs to comply with. If organizations fail to meet these expectations, they will violate their fiduciary duty (and will probably end up in even more trouble).
If you walk away from this article understanding just one thing, let it be this:
IT risk management isn’t just about protecting technology; it’s about protecting your entire business process.
If you heed the warnings we’ve outlined and work to fix any of these five mistakes that you may be making, we’re certain that the risk your organization is facing will be far less.