Ever since the digital revolution, organizations have become increasingly dependent on information technology. This growing dependence on technology and information systems means that any incident that compromises IT in any way can have adverse impacts on the organization's business processes and consequently on its business value.
Therefore, every organization needs to be able to identify, assess, and manage the risks to their IT systems to ensure continuous technical support to their business operations and preserve the organization’s business value.
To help you get started, this blog post aims to give you a clear understanding of IT Risk Management, types of IT risks, and risk management processes and methodologies.
What Is Meant By IT Risk Management?
IT risk management is the process of managing the risks associated with the operation, ownership, or involvement of information technology within an organization. IT risk management is a subset of enterprise risk management and involves the application of risk management methodologies to manage IT risks.
How Do You Define IT Risk?
IT risk can be defined in one of the following ways:
The product of the probability of the occurrence of an IT-related event and its predicted impact on the organization.
The product of the asset value, the vulnerability of that asset, and the threat that could exploit it.
Why Do You Need To Manage IT Risk?
The process of IT risk management allows organizations to balance the economic and operational costs of technology, especially security, that support the organization’s business operations. It encompasses the risks, both negative and positive, i.e. those that negatively impact the business value as well as those that provide a possible positive impact.
What Are The Types Of IT Risk?
There are a variety of ways of categorizing IT risk. Here is a simple way of categorizing risk based on its nature:
1. Physical Risk
Risks emanating from physical threats rarely come to mind when talking about IT. However, all your software, applications, and security systems would come to naught if an intruder were able to simply walk into your server room and plug in their infected thumb drive.
Here are a few examples of physical threats:
Physical access to critical equipment such as servers, routers, switches, etc.
Theft or loss of devices such as hard drives, laptops, smartphones, etc.
Sabotage of physical infrastructure such as servers, network equipment, etc.
Physical damage to infrastructure from natural disasters such as fires or floods.
2. Electronic Risk
Electronic risks come from criminal threats such as hacking, malware infection, cyber-espionage, etc. Usually, the goal of such threats is to exploit vulnerabilities in your computer systems to gain illicit access to, or to compromise, devices such as computers, mobile phones, etc. In most cases, these actions are financially motivated.
3. Technical Risk
Technical risks arise from software bugs, component failures, or system failures. Examples of technical risks range from hard disk crashes to unplanned network outages to internet outages. Such failures, leading to loss of functionality, loss of an application, or complete loss of operations, can be catastrophic for any organization from financial and reputational perspectives.
4. Human Risk
For most organizations, risks from human error are usually the most critical. Accidental or intentional errors, misconfigurations, deletions, and failure to follow procedures are far more common than external threats from cyberattacks. In fact, organizations nowadays are highly vulnerable to insider threats, which need more attention than they are traditionally given.
How Can You Manage IT Risk?
The risk management process consists of the following four steps:
1. Risk Identification
The first step in risk management is to identify the possible risks that an organization is exposed to in its operating environment. In simple terms, you need to ask: what can possibly go wrong?
When we ask what can go wrong with respect to IT, our thoughts are usually directed towards external threats such as hacking, ransomware, denial of service (DoS) attacks, etc. However, external threats are able to negatively impact the operations or assets of an organization only by exploiting internal vulnerabilities.
There is no way of escaping vulnerabilities as they exist in the design, implementation, configuration, operation, management, procedures, as well as administration. Vulnerabilities are regularly found even in all major operating systems such as Windows, macOS, and Linux. To make matters worse, as our technology landscape changes, new vulnerabilities keep popping up.
The only way of safeguarding against vulnerabilities is to continuously monitor your systems and identify them before they can be exploited by external threat actors. Vulnerabilities can be identified through security audit reports.
Identifying vulnerabilities takes you from asking what can happen to what is likely to happen and that takes you a step closer to effective IT risk management.
2. Risk Analysis
As we mentioned earlier, risk is calculated as:
Risk = Likelihood x Impact
So the second step of the process is to calculate the impact of the threat or vulnerability. In order to gauge the impact of an event, we need to determine its scope, i.e. the business functions the risk affects, and its severity. For example, loss of an application for a single user may be a minor inconvenience, but the loss of that application for the entire business can mean serious financial loss.
Financial loss is not the only negative impact that an organization can suffer. Intangible damage such as loss of reputation or trust can be far more critical for business continuity. However, attaching a monetary value to each risk enables you to objectively prioritize which risks to mitigate first.
So, in this step, you will calculate risk, attach a monetary value to each risk, and then prioritize the risks based on their impact, i.e. monetary value.
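The following is an added example, not code from the original post, showing the risk analysis step as a small risk register: each entry gets Risk = Likelihood x Impact with the impact expressed in money, the register is sorted so the largest expected annual loss comes first, and a retention threshold separates small risks that are simply retained from those that go on to treatment. Every entry, cost figure and the threshold are constructed for illustration; the only figure taken from the post is the 1.01 percent hard-drive annualized failure rate quoted in the retention section.

```python
# Added example (not from the original post): a minimal risk register that
# applies Risk = Likelihood x Impact with impact in money, then prioritizes
# the register by that value. All entries, costs and the retention threshold
# are constructed; only the 1.01 percent hard-drive annualized failure rate
# comes from the post.
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Risk:
    name: str
    scope: str          # business functions the risk affects
    likelihood: float   # expected occurrences per year (a probability when below 1)
    impact: float       # estimated monetary loss per occurrence

    def expected_annual_loss(self) -> float:
        """Risk = Likelihood x Impact, expressed as money per year."""
        return self.likelihood * self.impact


def prioritize(register: List[Risk]) -> List[Risk]:
    """Highest expected annual loss first: these are treated before the rest."""
    return sorted(register, key=lambda r: r.expected_annual_loss(), reverse=True)


def treatment_bucket(risk: Risk, retain_below: float) -> str:
    """Constructed policy: small, non-catastrophic risks are retained;
    anything at or above the threshold is carried into the treatment step."""
    return "retain" if risk.expected_annual_loss() < retain_below else "treat"


# Constructed register; the figures are illustrative, not measured.
REGISTER = [
    Risk("Internet outage on sole ISP", "all online operations", likelihood=2.0, impact=15_000.0),
    Risk("Ransomware infection", "file servers, finance", likelihood=0.05, impact=500_000.0),
    Risk("Application loss for one user", "one workstation", likelihood=12.0, impact=50.0),
    # 1.01 percent annualized failure rate is the figure quoted in the post.
    Risk("Server hard drive failure", "one server", likelihood=0.0101, impact=4_000.0),
]
RETAIN_BELOW = 1_000.0  # constructed threshold, same currency units as impact


if __name__ == "__main__":
    for r in prioritize(REGISTER):
        print(f"{r.expected_annual_loss():>10,.2f}  "
              f"{treatment_bucket(r, RETAIN_BELOW):6}  {r.name} ({r.scope})")
```

Run as a script, it lists the register from the largest to the smallest expected annual loss. The point of the monetary figure is that it makes an internet outage costing a moderate amount twice a year directly comparable with a rare but very expensive ransomware incident, which a severity label alone does not allow.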
3. Risk Treatment
Risks can be treated in one or a combination of the following ways:
1. Avoidance
Risk avoidance means choosing not to undertake certain activities that pose risks deemed too high to justify the cost of treating the risk. Avoiding risks is a common business strategy that limits an organization’s exposure to certain risks. For example, a policy against BYOD (bring your own device) helps your organization avoid data privacy and security risks associated with it.
2. Mitigation
Risk mitigation is the process of reducing the impact that an event will have if it does occur. Its goal is to manage risks that cannot be avoided by taking steps to reduce the adverse impact of an event before it occurs and creating a plan to deal with the aftereffects after the event has occurred.
For example, by having a secondary backup ISP (Internet Service Provider), your organization can mitigate the risk of loss of access to applications caused by an internet outage. If your primary ISP goes down, your network will failover to the secondary and allow business operations to continue functioning without any severe impact.
3. Retention
Risk retention means accepting that the risks associated with an activity are part of doing business and that its benefits outweigh the potential harm. It may also be that your organization accepts certain risks for the time being while other more critical risks are being mitigated.
Risk retention assumes that sporadic and small risks that are not catastrophic or otherwise too expensive are worth retaining and will be dealt with if and when they arise. For example, hard drives have an annualized failure rate of 1.01 percent. So, when you buy a hard drive, you accept the risk, since the benefits of running your server outweigh the risk of hard drive failure.
4. Transfer
Risk transfer means moving the responsibility of bearing the adverse impact of an event to a third party. An example of transferring risk is purchasing insurance against a natural disaster. This transfers the financial cost of damage to your infrastructure due to floods, fires, etc. to the insurer.
4. Risk Monitoring
As the business environment and technology landscapes change, the risks that an organization is exposed to also change. Additionally, internal changes to the business model, processes, tools, applications, etc. also impact the risk exposure of an organization. Therefore, it is important to monitor risks and iterate through the identification, analysis, and treatment of risks regularly.
What Are Common IT Risk Management Methodologies?
There are a number of different methodologies for managing IT risks and the following are the most common ones:
NIST SP 800-39
The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-39 is a guide that provides organizations with a structured, yet flexible approach for managing information security risk. It provides guidance for the implementation of an integrated, organization-wide program for managing information security risk to operations or assets resulting from the operation of information systems.
NIST SP 800-39 describes a broad-based approach while the details of assessing, responding to, and monitoring risk on an ongoing basis are drawn from other supporting NIST security standards and guidelines. The security risk management guidance provided in NIST SP 800-39 does not replace the Enterprise Risk Management (ERM) program of an organization, rather it is complementary to it and should be used as part of a more comprehensive ERM program.
ISO/IEC 27005
The International Organization for Standardization (ISO) / International Electrotechnical Commission (IEC) 27005 is another framework that provides guidance for information security risk management. It builds on the concepts specified in ISO/IEC 27001 and is designed around a risk-based approach.
It provides guidelines for establishing a systematic approach to information security risk management that identifies organizational needs regarding information security requirements and creates an effective information security management system. Moreover, it also helps organizations prioritize risks and undertake suitable actions to mitigate them.
Whichever methodology you adopt, the end result will be that your organization will develop an organized set of policies, procedures, and tools that drive effective information security risk management.
Conclusion
Every organization faces risks; however, the born-digital organizations of today are at even greater risk owing to their complete dependence on technology and information systems. Effective management of IT risks is therefore essential not only for the effective operation of IT systems but also for business continuity.
Managing IT risks presents a serious challenge to organizations due to the rapidly evolving nature of technology and business environments. But with a scalable framework that can be implemented gradually, your organization will not be burdened suddenly and can create an effective IT risk management system iteratively.
Are you satisfied with your organization’s awareness and management of IT risks? Does your organization have an IT risk management system in place? Reach out to us by clicking the button below to find out how we can help you manage risks, improve security, and achieve compliance.