{"id":594,"date":"2016-07-21T04:40:38","date_gmt":"2016-07-21T04:40:38","guid":{"rendered":"http:\/\/it-toolkits.org\/blog\/?p=594"},"modified":"2016-07-21T04:40:38","modified_gmt":"2016-07-21T04:40:38","slug":"the-5-mistakes-you-may-be-making-with-your-it-risk-management","status":"publish","type":"post","link":"https:\/\/it-toolkits.org\/Blog\/the-5-mistakes-you-may-be-making-with-your-it-risk-management.html","title":{"rendered":"THE 5 MISTAKES YOU MAY BE MAKING WITH YOUR IT RISK MANAGEMENT"},"content":{"rendered":"<p><strong>1.Not having a comprehensive approach to the problem.<\/strong><\/p>\n<p>In other words, if you\u2019re only preparing your IT security team to address <a href=\"http:\/\/it-toolkits.org\/\">IT security<\/a> risk issues, your approach is all wrong. <a href=\"http:\/\/it-toolkits.org\/\">IT risk management<\/a> should be an organizational effort, and should involve the general counsel, CEO, chief information officer, chief technology officer, chief information security officer, and anyone else who plays a role in information technology or risk management. When you have the right people involved in the process, you\u2019re far more likely to have an organized response to a cyber security issue. This also allows for a more streamlined risk-reporting process that goes through ground-floor <a href=\"http:\/\/it-toolkits.org\/\">IT managers<\/a> and up through the C-suite.<\/p>\n<p><strong>2.Failing to prioritize material <\/strong><a href=\"http:\/\/it-toolkits.org\/\"><strong>IT risk.<\/strong><\/a><\/p>\n<p>Many organizations focus only on protecting data that they\u2019re legally bound to protect, like personally identifiable information (PII). After all, that seems to be what most \u201cbad guys\u201d are after, right? Not quite.<\/p>\n<p>Hackers don\u2019t just steal credit card information\u2014they can, and do, go after\u00a0many\u00a0different types of valuable data. 
As we mentioned earlier, the loss of highly sensitive data doesn\u2019t just harm a company&#8217;s reputation\u2014it could be a complete competitive disruption, and result in irreversible damage.<\/p>\n<p>For example, let\u2019s say the trade secrets I\u2019m using to develop my next widget wind up in the hands of someone with ill intentions. Now, I\u2019m at a\u00a0major\u00a0competitive disadvantage. I\u2019ve spent tons of time and money making my product (and the processes by which the product is created) unique, and now someone has those secrets. And I have no idea what they\u2019re going to do with them.<\/p>\n<p>The question you\u2019re probably asking is, \u201cHow do I know what to protect?\u201d And that\u2019s a great question. The answer is that\u00a0companies must protect what is most valuable to them. Sometimes, that\u2019s not PII\u2014rather, it\u2019s the special \u201cthing\u201d that makes them who they are. Keep in mind that an <a href=\"http:\/\/it-toolkits.org\/\">IT security<\/a> team isn\u2019t necessarily the right team to identify what your most important data is\u2014which is why you should involve your entire organization, like we mentioned in \u201cMistake #1.\u201d If you have your entire organization working to protect this special trade secret or intellectual property, then you ensure that the people involved with your \u201csecret sauce\u201d are fully vested in its protection and security.<\/p>\n<p><strong>3.Not identifying the right threats.<\/strong><\/p>\n<p>If your IT team thinks the only way your data can be compromised is by a loophole in your network, think again. Actually, many of the most highly publicized data breaches are made possible when a vendor with heavy access to your data has a loophole in\u00a0their\u00a0security. 
Attacks can also happen when you receive third-party hardware or software that has been compromised.<\/p>\n<p>To manage these risks, you need to develop\u00a0supply chain risk management\u00a0and vendor risk management programs. (If you\u2019re unsure where to start with vendor risk management, check out\u00a010 <a href=\"http:\/\/it-toolkits.org\/\">Vendor Risk Management Questions You May Be Too Scared To Ask.)<\/a> Planning for the possibility of a third-party driven security breach\u2014either through your network, your vendor\u2019s network, or your software or hardware\u2014will give you the peace of mind (and a plan of action) you need should you encounter an issue.<\/p>\n<p><strong>4.Failing to understand the risk that insiders pose.<\/strong><\/p>\n<p>There are three primary methods through which your <a href=\"http:\/\/it-toolkits.org\/\">IT security<\/a> can get hacked: remotely, through the supply chain, or by\u00a0insiders.<\/p>\n<p>Edward Snowden is a recent example of an individual with access to a great deal of data who ended up causing catastrophic damages. When individuals in your organization are given access to privileged information or vital data, there are several steps that should be taken to monitor and observe their behavior. The loosely defined steps would be as follows:<\/p>\n<p>Find out what every employee has access to, and determine whether it\u2019s necessary for each of them to have that level of access.<\/p>\n<p>Limit access to those who have it unnecessarily.<\/p>\n<p>Closely monitor those who have necessary access to highly sensitive data and information.<\/p>\n<p><strong>5.Not meeting fiduciary responsibility.<\/strong><\/p>\n<p>When a security breach takes place, it doesn&#8217;t just affect your IT department\u2014it can affect finances, regular operations, legal obligations, and more. 
So if you aren\u2019t ensuring that your organization is acting in good faith and as a good steward for investors, shareholders, and stakeholders, you\u2019re making a grave mistake.<\/p>\n<p>Legal: Organizations care about preventing individuals with malevolent intentions from breaching their network and causing harm. To that end, organizations need to ensure that they\u2019re taking every measure possible to protect their data and the data they may be housing of others.<\/p>\n<p>Financial: Every organization owes a fiduciary duty to their shareholders. So if an organization doesn\u2019t take the aforementioned measures to protect their data and their data is compromised, people will lose money. This must be avoided at all costs.<\/p>\n<p>Operational: CEOs, board members, and general counsels must have a heightened level of scrutiny for <a href=\"http:\/\/it-toolkits.org\/\">IT security<\/a> risk. It\u2019s vital that the higher-ups of every organization are ensuring that the right security measures are deployed, the right people are monitoring risk, the right employees are trained about \u201cif\/when\u201d situations, etc. These C-suite members play an important role in closing \u201crisk loopholes\u201d for the future.<\/p>\n<p>It\u2019s important to note that <a href=\"http:\/\/it-toolkits.org\/\">IT security risk\u00a0<\/a>is\u00a0legal risk. Aside from federal and industry-driven laws and regulations that a company may be bound to, there are broader responsibilities that every company needs to comply with. 
If organizations fail to meet these expectations, they will violate their fiduciary duty (and will probably end up in even more trouble).<\/p>\n<p>*If you walk away from this article understanding just one thing, let it be this:<\/p>\n<p><a href=\"http:\/\/it-toolkits.org\/\">IT risk management<\/a> isn\u2019t just about protecting technology; it\u2019s about protecting your entire business process.<\/p>\n<p>If you heed the warnings we\u2019ve outlined and work to fix any of these five mistakes that you may be making, we\u2019re certain that the risk your organization is facing will be far less.<\/p>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>1.Not having a comprehensive approach to the problem. In other words, if you\u2019re only preparing your IT security team to<\/p>\n","protected":false},"author":1,"featured_media":595,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[13],"tags":[],"class_list":["post-594","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-it-risk-management"],"_links":{"self":[{"href":"https:\/\/it-toolkits.org\/Blog\/wp-json\/wp\/v2\/posts\/594"}],"collection":[{"href":"https:\/\/it-toolkits.org\/Blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/it-toolkits.org\/Blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/it-toolkits.org\/Blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/it-toolkits.org\/Blog\/wp-json\/wp\/v2\/comments?post=594"}],"version-history":[{"count":0,"href":"https:\/\/it-toolkits.org\/Blog\/wp-json\/wp\/v2\/posts\/594\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/it-toolkits.org\/Blog\/wp-json\/wp\/v2\/media\/595"}],"wp:attachment":[{"href":"https:\/\/it-toolkits.org\/Blog\/wp-json\/wp\/v2\/media?parent=594"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/
it-toolkits.org\/Blog\/wp-json\/wp\/v2\/categories?post=594"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/it-toolkits.org\/Blog\/wp-json\/wp\/v2\/tags?post=594"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}