In a series of 3 blogs, Nick Denning, CEO, Diegesis looks at the risks faced by organisations managing and operating complex enterprise IT systems.
In the first blog Nick outlined how to analyse and categorise risk. In this second blog, Nick identifies the practical steps to identify and mitigate the different types of risk faced by organisations today.
Few organisations are exactly where they want to be in terms of enterprise IT solutions to support their business. Today many businesses are looking to modernise their mission critical applications while creating a path to migrate these systems to the cloud – without throwing away years of IT investment or exposing themselves to security and data protection problems. A full understanding of the risks involved is necessary to create the right strategies to monitor and manage risks related to enterprise IT systems.
Where to start? Review your critical IT systems
What questions should be asked when reviewing IT systems? The first should be “do we even have the in-house skills to perform such a review?”. The organisational challenge is to ensure that the reviewers are supported to perform reviews with integrity and candour. A culture of “shoot the messenger” is unlikely to produce useful results.
Another option is to use external consultants to perform some of the work, and a hybrid approach is perhaps preferable. Carry out the review on the 80:20 rule: in most cases it is possible to discover 80% of what needs to be known for 20% of the proposed cost of the exercise, and then bring in external experts only where they are needed. The system requirements and issues identified can be categorised as ‘Must’, ‘Should’ and ‘Could’, so that the most critical issues are addressed first.
Help is at hand
There are some readily available, well respected frameworks which can provide structure for IT reviews. Probably the best place to start is assessing the level of IT security risk in your organisation using the Cyber Essentials scheme backed by the National Cyber Security Centre (NCSC). Its website provides a freely downloadable spreadsheet of the questions you need to consider in system reviews. Five broad system security controls are covered:
- Firewalls (boundary firewalls and internet gateways).
- Secure configuration.
- User access control.
- Malware protection.
- Patch management (security update management).
The NCSC site also offers advice on how to address data protection issues. Non-compliance with data protection rules (GDPR) can be an additional major risk to an organisation and also needs to be treated seriously as large penalties could result if data breaches occur.
There are many consultancies that can assist with the risk management around two of the most common topics of concern for organisations – HR and Health and Safety.
Secure By Design
Organisations involved in designing systems for the public sector must meet government standards for Secure by Design to ensure the data is safe from criminals or rogue states. Details of these standards can again be found on the NCSC site. The challenge, of course, is to ensure compliance for existing systems which were designed before these principles existed. A useful standard for reviewing and writing secure programs is the OWASP Application Security Verification Standard (ASVS), which sets out verifiable requirements at graded levels. It can be used when maintaining and evolving current systems as well as when building new ones.
Ask searching questions
An organisation should ask itself searching questions – what could go wrong and if it did how would we deal with it? Murphy’s law states, “If it can go wrong it will”, with the follow up “Murphy was an optimist”.
Perhaps the most important areas to question are:
- What does each business area consider are the greatest threats to business? Where are these documented and what are we doing to manage them?
- Is what we do written down to the level of quality that anyone could read our documentation and restart our business?
- When was the last system backup taken, and when was the last test that we could recover from a backup? How long would it take for us to be back in business after a failure?
It’s important to ask and answer such questions – but it’s also key that evidence is provided and recorded to back up the answers, rather than things being taken on trust. Asking open-ended questions, and noting which answers can be satisfactorily evidenced, will distinguish between areas that are not competent, areas with an ambition to do well in the future, and areas that are effective today. This will guide us on where to focus.
It is important to apply this rigorous questioning to establish our shortcomings and motivate employees to strive to meet professional standards and operate legally especially in areas such as:
- Meeting our GDPR obligations regarding data privacy and protection.
- Maintaining our brand reputation.
- Ensuring our infrastructure meets required levels of integrity and can be recovered from any failures that might occur.
- Ensuring we have the appropriate staff to operate our business.
Do yesterday’s plans still apply?
Over the last decade, many large and medium organisations may feel that they have addressed major risk areas and created comprehensive plans which are sitting on the shelf waiting to be actioned if needed. But in IT there is constant evolution. Cumulative changes and unexpected combinations of solutions can drastically affect assumptions and plans.
For example, the topic of business continuity and disaster recovery is classic in illustrating the need for change. 15 years ago a multi-million £ alternative data centre together with provision for temporary office space might be the essential framework for BC/DR. Now Office 365 and AWS plus the lessons from successful home working facilitated by Teams and Zoom during the pandemic, provide the potential to enable us to rewrite these plans and drive down operational costs.
More than ever though we need to understand what we do and be able to manage change and the risks associated with it. As we evolve we must ensure that we understand what we might discard or what might be lost or broken so we are correctly managing the risks to our business when implementing change.
Today’s critical cybersecurity risks
Too often the response to cybersecurity risk is a head in the sand, “That won’t happen to us” attitude – but unfortunately it does. The sophistication of attackers continues to evolve and where they find a successful target they regularly repeat the attack.
These are the top three cyber-security risk areas currently impacting organisations:
- Ransomware. Attackers get malicious software into the organisation, most often by tricking employees into opening or downloading it, and it encrypts and locks the organisation’s data. The data is then unavailable until payment for the decryption key is made, and many attackers also steal a copy of the data and threaten to publish it. Regular backups can mitigate ransomware because systems can be rolled back, but only if the backups are kept offline or otherwise out of reach of the attacker, who will try to encrypt or delete them too, and only if restoring from them has actually been tested.
- Mandate fraud. Employees are misled into paying money to criminals. Examples include fake emails from senior management persuading employees to pay money to a third party, or when the finance team are tricked into changing the bank details of a supplier to those of the fraudsters.
- Theft of commercial data by employees intending to leave the company.
Utilise the IASME framework for Cyber Essentials or the more rigorous IASME Governance standard. Do the simple things immediately and then develop your defences over time. The most vital starting point is staff awareness and training. Untrained staff provide the most significant area of vulnerability and point of attack.
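The questions above about when the last backup was taken and when a restore was last tested, and the point that backups only mitigate ransomware if they can actually be restored, both come down to one check that can be scripted and its result recorded as evidence. The following is an added example, not code from the original article or from Diegesis: it assumes a hypothetical manifest written by the backup job (a JSON-style record of each file’s SHA-256 digest and the completion time), compares a restored directory against that manifest, and reports whether the backup is stale, which files are missing and which have been altered. The sample files and the tampering are constructed inside the script.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timedelta, timezone


def sha256_of(path):
    """SHA-256 of a file, read in chunks so large backups do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(src_dir, completed_at):
    """Assumed manifest format for this example (not a real backup tool's format):
    a dict of relative filename -> digest, plus the backup completion time."""
    files = {name: sha256_of(os.path.join(src_dir, name))
             for name in sorted(os.listdir(src_dir))
             if os.path.isfile(os.path.join(src_dir, name))}
    return {"completed_at": completed_at.isoformat(), "files": files}


def check_restore(manifest, restore_dir, now, max_age):
    """Compare a restored directory against the manifest.

    Returns a findings dict that can be stored as restore-test evidence:
      stale   - backup completed more than max_age before `now`
      missing - files in the manifest that did not come back from the restore
      corrupt - files whose digest no longer matches the manifest
      ok      - True only if none of the above applies
    """
    taken = datetime.fromisoformat(manifest["completed_at"])
    findings = {
        "taken_at": manifest["completed_at"],
        "checked_at": now.isoformat(),
        "stale": (now - taken) > max_age,
        "missing": [],
        "corrupt": [],
    }
    for name, expected in manifest["files"].items():
        path = os.path.join(restore_dir, name)
        if not os.path.isfile(path):
            findings["missing"].append(name)
        elif sha256_of(path) != expected:
            findings["corrupt"].append(name)
    findings["ok"] = not (findings["stale"] or findings["missing"] or findings["corrupt"])
    return findings


def demo(hours_since=20, max_age_hours=24):
    """Constructed scenario: back up three files, then simulate a restore in
    which one file has been altered (as encryption by ransomware would do)
    and one is missing. Returns the findings dict."""
    with tempfile.TemporaryDirectory() as src, tempfile.TemporaryDirectory() as restored:
        sample = {
            "cfg.ini": b"[app]\nmode=prod\n",
            "ledger.csv": b"id,amount\n1,10\n2,25\n",
            "notes.txt": b"quarterly review notes\n",
        }
        for name, data in sample.items():
            with open(os.path.join(src, name), "wb") as f:
                f.write(data)
        completed = datetime(2024, 1, 1, 2, 0, tzinfo=timezone.utc)
        manifest = build_manifest(src, completed)

        # Simulated restore: notes.txt comes back altered, cfg.ini never comes back.
        for name, data in sample.items():
            if name == "cfg.ini":
                continue
            if name == "notes.txt":
                data = b"ENCRYPTED-BY-ATTACKER"
            with open(os.path.join(restored, name), "wb") as f:
                f.write(data)

        now = completed + timedelta(hours=hours_since)
        return check_restore(manifest, restored, now, timedelta(hours=max_age_hours))


if __name__ == "__main__":
    print(demo())
```

In practice the manifest is produced at backup time and kept with the backup copy that is out of the attacker’s reach; the restore test is run from that copy onto a clean host, and the findings dict is what gets filed as the evidence the earlier section asks for, rather than a verbal “yes, we have backups”.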
Benefit from the cloud
Using cloud based systems can significantly improve protection. Cloud vendors such as AWS, Google and Microsoft have invested in strong security that few organisations can replicate, and have then delivered solutions that implement these high standards of security.
Vendors deploying into these infrastructures can build on those security features and hence should be more secure than vendors hosting their own platforms, but the protection is shared rather than automatic: the cloud provider secures the underlying infrastructure, while the vendor remains responsible for configuring access controls, encryption and logging correctly on top of it, and a misconfigured cloud service is exposed just as an unpatched on-premise one is. Done properly, such deployments also offer higher availability through the providers’ resilient networks and data centres, and sophisticated Business Continuity/Disaster Recovery capabilities.
An organisation’s security is likely to be enhanced where they can change from legacy solutions and adopt these secure cloud solutions, for example in the areas of:
- Hosted email
- Online banking and payments
- Accounting systems.
Even the smallest start-up has the capacity to deliver more secure offerings based on an enterprise strength infrastructure at low cost by comparison with developing and maintaining the same architectures on premise.
Using virtual desktops means that a desktop or laptop computer is essentially a dumb terminal to a virtual machine in a cloud data centre, so that little or no data is stored on the local device. This reduces the risk of corruption via malware, or of losing data on an unencrypted disk. However these benefits can come with a cost challenge. Every feature and function seems to be an additional £x per person per month. Costs can mount up, but they can be clearly measured.
Understand the cost of action… and of inaction
The reason for inaction to implement risk management is often because the costs are hidden. There are many examples of organisations running systems on old versions of unpatched operating systems that were highly vulnerable and thus wide open to attack. The analysis associated with risk management should help identify these old systems, enable alternative defence strategies to be put in place and help an organisation understand where its risks and costs are so that it can reduce both with that benefit flowing directly to the bottom line.
Risk management analysis may well identify very poor and insecure systems that represent a huge risk to the business and that have not historically been reported to the board as they should have been. It provides a blunt instrument of justification that obliges the spending of money to bring back some semblance of protection. The great benefit will be if the security threat energises the adoption of effective risk management to contain the costs of security, and in so doing puts in place a risk management discipline that will generate benefits to the bottom line.
Cloud adoption can help mitigate many risks. Creating a plan that includes cloud solutions together with comprehensive employee awareness and training programmes will help address a large proportion of an organisation’s biggest IT risk areas.
Enterprises have spent years, in some cases decades, developing their data intensive enterprise applications. The ability to preserve those software investments while meeting evolving business needs is critical, but emerging threats to those systems have not always been addressed. In this second article in the series of three we’ve looked at the questions and frameworks which will help identify key risks and build effective strategies. The final article will offer a template to help plan for change.
Nick Denning is CEO of Diegesis Limited, a business technology and IT systems integration company. Nick is an acknowledged expert on risk management and relational database technologies. To read the first blog and for more information visit www.diegesis.co.uk