Security is a key issue for every business. Hardly a day goes by when we don’t hear about another industry disrupted for all the wrong reasons by opportunist hackers. The recent Wanna Decryptor/WannaCry ransomware that caused huge problems in the NHS is a good example of one way in which we are all very vulnerable to security risk: where technology is concerned, we can’t keep up.
Technology moves at breakneck speed
The WannaCry ransomware exploited a flaw in the Windows Server Message Block (SMB) protocol, which is used to share files between computers on closed networks. Microsoft had issued a patch to correct the flaw, but the biggest issue was that many of those affected had not installed the update and so remained vulnerable. As this shows, the speed at which technology moves makes it very easy to get left behind. Whether it is applying updates, educating and training the workforce, or simply keeping aware of the latest developments and risks, we are often too slow on the uptake. So, how do you set up a process that enables you to protect and respond?
Where do the major risks lie?
In its framework for risk, control and assurance, PwC recommends as the first step establishing the risks and vulnerabilities that are particular to a specific organisation. Looking at known risks also helps in identifying the hidden and hard-to-predict risks introduced by changing technology, which is key in the fight against ever more innovative hackers and cyber criminals. Frequent evaluation is essential here, as risks and vulnerabilities will change as often as technology does. Depending on the business and industry, you could even go so far as to introduce a continuous model of risk analysis.
Establishing response pathways
What are the lines of defence that a business has against security breaches resulting from technology change? PwC defines these as:
- people, systems and controls
- the board, risk management and compliance functions
- internal audit
- external assurance
It’s crucial to assess how effective each of these is and exactly how it is able to provide protection against security issues. Establishing the response pathways for each category, looking at how they could be improved and defining a connected response in which each element supports the others will create a stronger whole that is far harder to penetrate.
Given the escalation in the number of those exploiting the weaknesses that technological change introduces to our companies and systems, it is probably not a matter of ‘if’ a business is affected but ‘when’. Far from being fatalistic, this approach allows preparation and readiness, with set response systems in place. Because the thing about technology is that we are at our most vulnerable when we are taken by surprise.