The threat landscape has changed
Threats to your business are not just local any more. The way we connect ourselves and our businesses through information sharing, the accessibility we enjoy through mobile technology and the ease by which people, products and information moves across borders creates vulnerability. International events in far off countries can affect a farming business in the U.S. Unrest in one community, region or nation can create downtime for thousands of businesses, which in turn affects the businesses/customers they serve.
Our information age, especially in the era of cloud computing and social sharing, has created new threats. Headlines from the past few years grab consumers attention when databases of trusted retailers are infiltrated by smart hackers looking to damage company reputations. Executives are put at risk when family and friends innocently post photos of themselves on vacation, little knowing that would-be assailants or thieves are monitoring their social feed for opportunities.
The new threats aren’t all new, they are just more connected. If a hurricane hits the Southeast coast of Florida and your business operates solely out of Seattle, you have little to fear…until you learn that the data servers your business relies on for all transactions are located in the storm’s path. Regional civil uprisings can interrupt the supply chain of a vendor, leaving you without key elements needed to create your products. Unfortunately, a non-holistic approach to security where each area focused only on its domain without considering impacts from outside that domain doesn’t protect your company like it once did.
Siloed approach to security & risk management doesn’t work
Operations are converging with information. Companies that still think of them separately face increased threats and risks. The reliance on information to make complex, mission-critical business decisions puts pressure on the security that protects that information. The problem arises when companies react to certain threats, focusing attention on those areas and defenses while leaving other areas unattended.
After the Enron scandal of 2001 when an energy trading company purposely mislead investors by hiding huge amounts of debt to inflate its stock price, many companies turned to Financial Risk services as a way to protect companies from these type of situations. When the tsunami hit Thailand in 2004, international attention was turned towards Disaster Preparedness and recovery. Recently, as more companies are hacked and customer information compromised, we see a hyper-focus on IT security. The issue is that too much attention on one siloed area of security & risk management without seeing how it affects the whole can lead to unintended consequences.
A holistic assessment: using the risk wheel
Looking at security & risk management holistically, meaning to take into account many facets of a company’s operation as they relate to each other, is a trend we hope will continue since it leads to more mitigation of risks. The siloed approach is akin to exercising only your legs and expecting your arms to be in shape too. Looking at your company’s security as a whole, with many parts that affect others, means that you can anticipate issues that could arise when one system deteriorates, even if temporarily, and how that will affect the other systems that depend on it.
Here’s an example: In a recent retail hack situation, the computer system that held customer information was accessed by thieves looking to steal the credit card numbers of millions of customers. The assumption by many is that they came in through an intricate computer program that bypassed many layers of encryption and firewalls. The reality is that someone at the physical site where the data storage servers were kept was bribed into allowing the hackers access to the building. What were the employment screening procedures in place when that person was hired? Was there a system of assessing personnel performance combined with peer interviews that might have indicated that those involved would be a risk? Was video surveillance in place? Was it working? When had it been last tested? These are the types of things we look for when doing a risk assessment of a business and we look for things outside one system that could directly impact others.
We created the Risk Wheel to help companies determine where to look for threats and risks. It also helps companies see how one area can affect another. The four quadrants represent a large number of security threats and the risks that are found within each.
Looking at your company’s operation and assessing where it is vulnerable across each of the quadrants will provide you with a holistic overview of your company’s security health and risk profile.
Where to start
How much risk are you willing to accept as part of doing business? That’s a good question with which to start. You cannot possibly protect yourself from all threats. But, you can assess what real risks are out there and which of them you are willing to accept. For example, if you operate a business in Southern California, which is prone to earthquakes, do you protect your company from a threat of a tsunami like the one in Thailand. It’s a threat but the risk seems minimal. Perhaps you accept that risk, and focus on other areas that need more immediate attention. Is your IT technology secure both from computer-generated violations but also from physical damage cause by weather, hazards or human involvement?
Gathering the main stakeholders, those people who have control over your company’s major operations, and hashing out what risk levels you can accept is a good first step. Benchmarking your company versus your industry is another, using an outside assessment agency that can take an objective look at your security & risk management policy while also bringing industry knowledge to the table.Paying attention to trends affecting your industry and the business community as a whole will help you anticipate issues your company could face. Staying abreast of current events, national and international, will arm you with knowledge that can help determine what risks may increase this year, next year, and beyond.
Taking a holistic approach to security & risk management is not a simple task, it is not easily done nor is it accomplished quickly, and is often not done. But changing the way your company thinks about security & risk management, putting more emphasis on the connections between your operations, will lead your company to minimize/mitigate risks more effectively in the long run.