Almost every organisation in the modern day relies on technology, systems and information in some way to support their business.
It is vital that a business applies the same level of scrutiny when assessing risks to their systems and information assets as they would when assessing risks with a material impact such as regulatory, financial or operational risks. This requires an appropriate risk management regime to be embedded across the business with active support from the board, senior managers and the governance structure.
It is important to define and communicate the business’s approach to risk management and boards may wish to communicate their approach and policies across the organisation to ensure that all employees and suppliers are aware.
Taking risks is inherent in business and allows us to create opportunities and deliver on business objectives. To ensure the successful operation of any organisation it must address risk and respond appropriately, consistent with the level or risk the organisation is willing to tolerate. If an organisation fails to manage and identify risk, it may lead to the following:
- Exposure to a high level of risk – If governance processes are ineffective the Board may not understand and manage the overall risk exposure of the organisation.
- Missed opportunities – If decisions with regards to risk are taken solely within a dedicated security function, rather than by the organisation as a whole, they may be motivated by achieving high levels of security and may result in missed business opportunities or incur additional cost.
- Ineffective policy implementation – If effective risk management processes are not in place the board won’t have the confidence that its policies are being applied correctly across the organisation.
How to manage security risk?
Establish a governance framework: A governance framework needs to be established to support a consistent approach to risk management across the organisation.
Define what risks the organisation is willing to tolerate: Agree the amount of risk you are prepared to tolerate when pursuing your objectives. Provide guidance on this to allow individuals within the organisation to make appropriate business decisions with regard to risk.
Maintain board engagement: The board should review any technology or systems based attack risks regularly. Risks resulting from such an attack should be recorded in the corporate risk register and reviewed regularly. Entering into knowledge sharing partnerships with other organisations can assist you in understanding and preparing for new and emerging threats.
Produce supporting policies: An organisation-wide policy for security and technology risk should be established and owned by the board to help communicate risk management objectives. This allows the risk management strategy to be set out for the organisation as a whole.
Adopt a lifecycle approach to risk management: Over time, technology changes and thus the threats and risks associated with it change as well. A through-life process needs to be adopted to ensure security controls remain appropriate over time as the risks evolve.
Apply recognised standards: Consider applying a recognised standard of security management good practice such as the ISO/IEC 27000 series.
Make use of endorsed assurance schemes: Consider adopting the Cyber Essentials Scheme. It provides advice on some basic mitigations that should be put in place to manage the risk of online attacks and provides a certification process to demonstrate your focus on cyber security.
Educate users and maintain awareness: All system users have a responsibility to ensure any security risks are managed. Providing suitable and regular training to users will assist in this. Encourage staff to share knowledge with their peers throughout the organisation.
Promote a risk management culture: Risk management needs to be in place throughout the organisation, driven from the top down with individual participation demonstrable at all levels of the business.
If you need help identifying and managing security risks in your business, contact KRYPSYS and ask to speak to one of our security experts https://www.krypsys.com/contact-us/