RiskTech Forum

3 Keys to Successful IT Risk Management

Posted: 19 October 2012  |  Author: Malissa Lundgren  |  Source: BPS Resolver

Cybercrime is a very real threat to businesses and government agencies across the globe. As companies and federal organizations increasingly rely on technology for tasks such as communication and data storage, the risk of this data being compromised by unauthorized users rises sharply.

A 2011 report from PricewaterhouseCoopers suggests cybercrime is now one of the top four economic crimes that can be committed against companies. A total of 40 percent of respondents also noted the impact of reputational damage that can scare away clients and affect the confidence of investors.

Despite the rising frequency of cyber attacks (34 percent of businesses were compromised during 2011, up from 30 percent in 2009), many companies still aren't taking the appropriate preventive action. Two in five respondents had not received any guidance on how to fortify their companies against cyber attacks, despite many of these crimes costing organizations upward of $5 million.

IT risk management is pivotal as more companies look to shore themselves up against the growing threat of cyber attacks. Here are three keys to building better IT risk management:

1. Take a Broad Look at Potential Threats
As risk professionals create response plans for potential IT threats, they are likely to focus on their ability to build stable, protected and recoverable technology infrastructures that are resilient against all sorts of cyber attacks. However, these professionals also need to account for other threats that may be only tangentially related to their networks and data stores.

For example, lack of extensive background checks could lead to companies hiring and employing people who may have sinister motives. Alternatively, sensitive information could be taken from employees who haven't been trained to recognize tactics cyber criminals use to breach systems.

"So many IT departments I see are really only managing IT perimeter risk, or data breach losses, but nobody's doing anything about intellectual property," Brian Barnier, a risk advisor with ISACA and principal analyst at ValueBridge Advisors, told CIO magazine.

2. Realize IT is a Company-Wide Issue
Chief information officers (CIOs) are often thought of as being in charge of one specific responsibility: ensuring the integrity of their companies' information networks. The fact of the matter is that businesses – specifically those dependent on IT-driven processes – need to involve their CIOs as if they are key executives. The CIO often has access to mission-critical data that can impact other company decisions and should be regarded as highly as other executives.

3. Know Your Business Better than the Attackers
Cyber criminals aren't just guys in masks who pick your business out of a hat. They research companies far in advance of planned attacks to identify weak points, operational procedures, valuable targets, etc. They need to know how your company works to best breach and compromise it. This is often why these cyber criminals strive to recruit someone from within the actual organization.

Risk managers need to be able to connect the various parts of business processes to points likely to be compromised. By understanding your vulnerabilities, you are in a better position to mitigate them.

The threat of cyber attacks is on the rise. By looking broadly at the effects of IT, treating IT risk management with the seriousness it deserves and identifying vulnerabilities more quickly and effectively than attackers do, businesses can get on the right path to safeguarding themselves from this growing threat.