This is a huge and ongoing topic – fundamentally because of the rapid innovation happening in the technology space. The term “information technology” as we understand it today encompasses (to name a few) hardware resources, networks, operating systems, virtualization, software engineering, business applications, artificial intelligence (AI), robotics, cloud computing, etc.
New and innovative technologies are appearing at such a pace that within the next few years we will see an enormous transformation of the way things work. Take, for example, the “Internet of Things” or “IoT” as it is called – a device, piece of equipment, car or building is connected to or embedded with software, sensors or network connections, and the main purpose is to collect and share data across the web for different purposes. The IoT has a whole range of amazing benefits that would make businesses as well as end users smarter, but it can also bring major potential drawbacks and disasters.
In 2014, two cyber security researchers demonstrated how they could exploit an IoT vulnerability in the brake and transmission system of a Jeep Cherokee and disable them remotely. The two researchers used a technique that gives an attacker wireless control over the vehicle via the Internet, and that could extend to thousands of vehicles. Their code could send commands through the Jeep’s entertainment system to the vehicle dashboard functions, steering, brakes, transmission, etc. – a nightmare indeed when you think of how vulnerable you or your family’s safety would be while driving down a highway.
A high-level overview of the areas of information technology risk that organizations need to monitor covers what kind of risk it is, how it is perpetrated and where the risk lies.
1. Information (or data) security risk – Why am I putting this at the top of the list? Because many organizations tend to think that information theft or data leakage happens due to attacks on the network or infrastructure by external hackers. Therefore, traditionally, security models started by looking at how to strengthen the network, firewalls, routers, etc. Solutions such as network sniffers, malware protection, anti-virus software and SIEM systems have been prioritized for ensuring security. But the risk environment is changing, and it has been found that data breaches and information leaks are caused more often by insiders, through various methods, ingenious ways of penetrating the defences, and techniques that change constantly and persist over long periods. It has become extremely difficult to spot them in time to prevent a breach because of the innovative, persistent and sophisticated efforts of cyber criminals.
External parties –
External entities hacking into corporate systems or websites may have many motives – information theft, financial crime, a disgruntled employee who has been fired and wants to disrupt the business, or even a teenage whiz kid testing hacking methods for fun.
The methods may range from phishing mails to embedded macros in Excel files or executables inside portable document files (PDF) that trigger a payload, or other “social engineering”. Many times employees’ or insiders’ email IDs are compromised through social networking sites. Attacks are often carried out over a period of time by enticing users with a quid pro quo (say, for example, an offer of freebies or other gifts) and then leading them on to click on some file or link that gives the attacker full control over the compromised device / desktop / laptop or server.
Deeper reconnaissance of the targets to be hacked (such as what happened with the Snapchat CEO’s mail) involves a lot of time and effort on the attacker’s part to study the habits and patterns of the emails the user sends; the knowledge or information extracted is then used for malicious purposes. In the Snapchat episode, a phishing attack tricked an HR employee into handing over payroll information about “some current and former employees”.
It seems Snapchat fell prey to an embarrassingly common type of phishing email, which purports to come from the head of the company itself. In this case, an email supposedly from the chief executive officer was sent to the HR staffer, who responded with the information requested. It’s easy to see why: who wants to keep the chief executive waiting when they ask for information?
Social engineering techniques can take many forms – such as obtaining the confidence and trust of a person and ultimately gaining access to sensitive information such as email IDs or passwords, social security numbers, credit card information, etc., or simply overhearing conversations in public places that disclose confidential information about, let us say, a company’s sales closure status or pricing information, which could then fall into the hands of competitors.
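The CEO-impersonation and macro-lure patterns described above can be scored mechanically at the mail gateway before a message reaches the HR or finance inbox. The following is an added example (not code from the original article or from any vendor product) of such a rule: it flags a display name that matches a known executive while the sender address is off-domain, a Reply-To that redirects answers to a different domain, urgency or “enable content” lure phrases, and attachments with macro-enabled or executable extensions. The corporate domain `example.com`, the executive names and the three sample messages are all constructed for the example.

```python
"""Score inbound mail for executive-impersonation and payload-carrying traits.

Added example with constructed data; the domain, executive names and messages
are hypothetical and not taken from the article or any real incident.
"""
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

CORPORATE_DOMAIN = "example.com"                 # constructed
EXECUTIVE_NAMES = {"jane doe", "john roe"}       # constructed display names to protect
RISKY_EXTENSIONS = (".xlsm", ".docm", ".exe", ".js", ".scr")
LURE_PHRASES = ("urgent", "immediately", "right away", "enable content", "enable macros")


def domain_of(header_value: str) -> str:
    """Return the lower-cased domain part of an address header, or '' if absent."""
    _, addr = parseaddr(header_value)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def text_of(msg: Message) -> str:
    """Concatenate all text/plain parts so lure phrases in the body can be matched."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode("utf-8", errors="replace"))
    return " ".join(chunks)


def assess(raw_message: str) -> dict:
    """Return a score (number of suspicious traits) and the list of findings."""
    msg = message_from_string(raw_message)
    findings = []

    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    # 1. Executive's name on the envelope, but the address is not the corporate domain.
    if display_name.strip().lower() in EXECUTIVE_NAMES and from_domain != CORPORATE_DOMAIN:
        findings.append(f"display name '{display_name}' but sender domain '{from_domain}'")

    # 2. Replies are steered to a domain different from the visible sender's.
    reply_domain = domain_of(msg.get("Reply-To", ""))
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain '{reply_domain}' differs from From domain")

    # 3. Pressure language or macro-enabling instructions in subject or body.
    lowered = (msg.get("Subject", "") + " " + text_of(msg)).lower()
    hits = [p for p in LURE_PHRASES if p in lowered]
    if hits:
        findings.append(f"lure phrases: {hits}")

    # 4. Attachments whose extension implies macros or native code.
    for part in msg.walk():
        filename = part.get_filename()
        if filename and filename.lower().endswith(RISKY_EXTENSIONS):
            findings.append(f"risky attachment '{filename}'")

    return {"score": len(findings), "findings": findings}


# Constructed sample messages (raw RFC 822 text).
SAMPLE_PHISH = """\
From: Jane Doe <jane.doe@example-payroll.net>
Reply-To: ceo.office@mailbox-free.example
To: hr@example.com
Subject: URGENT: payroll summary needed
Content-Type: text/plain

Please send me the W-2 summary for all current and former staff right away.
"""

SAMPLE_LEGIT = """\
From: Jane Doe <jane.doe@example.com>
To: hr@example.com
Subject: Q3 planning notes
Content-Type: text/plain

Attached are the notes from Tuesday's planning session; no action needed.
"""

SAMPLE_MACRO = """\
From: Vendor Invoices <billing@supplier.example>
To: ap@example.com
Subject: Invoice 4471
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Invoice attached, please enable content to view it.
--XYZ
Content-Type: application/octet-stream; name="invoice.xlsm"
Content-Disposition: attachment; filename="invoice.xlsm"

ZmFrZQ==
--XYZ--
"""

if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT), ("macro", SAMPLE_MACRO)):
        print(label, assess(sample))
```

A non-zero score is a routing decision, not a verdict: a gateway would typically quarantine high scores and tag lower ones with a banner so the HR staffer in the story gets a visible warning before replying.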
Internal employees or others having legitimate access to data –
Many studies have found that insiders account for a greater percentage of frauds resulting in asset misappropriation, financial losses, or corruption and bribes. Insiders are in a privileged position, having access to the most important and crucial information of the company, and this can be compromised in many ways, such as collusion with third parties such as vendors, related-party transactions, bribes from competitors, fudging expense reimbursements, padding payroll checks and so on. They are aided by poor internal controls in processes and possibly even poorer oversight by supervisors and management.
The larger the organization, the longer it takes for the fraud to be unearthed, by which time the perpetrator may have already left the organization.
2. The way business applications are accessed – There has been a dramatic shift in the way companies choose to conduct business transactions.
Multiple devices: With the widespread use of laptops, tablets and mobile phones, companies no longer tie employees to their desktops but seek to gain more productivity even when staff are on the go or outside the corporate network. Corporate policies encourage bring-your-own-device (BYOD) or working from home, which extends the scope of security to all devices. It also becomes very necessary to understand which critical assets of the organization are at risk of being compromised and whether information resides inside or outside the corporate network.
Cloud applications: Cloud computing is evolving at a fast pace, and companies are looking to increase the cost effectiveness of their IT initiatives, since they no longer need to build complex and costly software on premise and incur huge maintenance costs for it. While it gives the organization a variety of choices, cloud computing, like all other technology changes, has its own benefits and disadvantages. There are issues around legal and regulatory risk, privacy, confidentiality, integrity and accessibility of information, etc. that need to be looked into.
On-premise applications: Organizations opting for on-premise software have to manage the risks involved in program / software implementation and the challenges of change management. These are typically evaluated on an ongoing basis for each individual software development project, to manage cost against budget and time frames. Emerging technologies may make it very costly to change the implementation approach, potentially making the software unviable before it is put into productive use.
3. IT Asset Management risks
CIOs and CTOs are charged with managing the ever-changing IT landscape and the upgrades and enhancements needed to keep pace with technological change in hardware, servers, network requirements, communication systems, avoiding excess stocking of equipment, etc. Software licence compliance must be constantly monitored to avoid potential risks related to licence violations or vendor contractual compliance.
Best business practice demands that organizations have a systematic approach and policies for the purchase and maintenance of IT resources.
4. Identity and access authorization risks
I have already discussed in detail (in another article, “Foundation of internal controls”) the need to ensure minimal or no risk in access to applications through effective segregation of duties. It is one of the foundations of proper internal control design and sets the tone for many other controls. Proper user life cycle management encompasses a whole host of controls – starting from providing a unique identity for access across applications, databases, networks, operating systems, etc., and handling segregation of duties risks. Technologies available today help organizations struggling with a manual approach by automating user provisioning and de-provisioning while on-boarding and off-boarding them during the hire-to-retire cycle.
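Segregation of duties becomes a checkable control once the role catalogue and the conflict matrix are written down as data. The following added example (my own illustration, not code from the article or from any identity management product) expresses both as Python dictionaries and then does three things an automated provisioning process needs: find users whose combined roles already hold conflicting functions, refuse a role grant that would introduce a new conflict (a preventive check at on-boarding or role-change time), and spot roles that are badly designed because they bundle both sides of a conflict on their own. The roles, functions, conflict pairs and user assignments are all constructed for the example.

```python
"""Segregation-of-duties (SoD) checks over a role catalogue and user assignments.

Added example with constructed data; role names, functions and users are
hypothetical and not taken from the article or any real system.
"""
from typing import Dict, List, Set, Tuple

# Constructed role catalogue: role -> business functions it grants.
ROLE_FUNCTIONS: Dict[str, Set[str]] = {
    "VENDOR_MASTER": {"create_vendor"},
    "AP_CLERK": {"enter_invoice"},
    "AP_APPROVER": {"approve_invoice"},
    "TREASURY": {"release_payment"},
    "HR_ADMIN": {"edit_payroll"},
    "PAYROLL_RUN": {"run_payroll"},
    "READ_ONLY": {"view_reports"},
    # A badly designed role that bundles both sides of a conflict on its own.
    "SUPER_AP": {"enter_invoice", "approve_invoice", "release_payment"},
}

# Constructed conflict matrix: pairs of functions one person must never hold together.
CONFLICTS = {
    frozenset({"enter_invoice", "approve_invoice"}),
    frozenset({"approve_invoice", "release_payment"}),
    frozenset({"create_vendor", "release_payment"}),
    frozenset({"edit_payroll", "run_payroll"}),
}

# Constructed current assignments: user -> roles.
USER_ROLES: Dict[str, Set[str]] = {
    "alice": {"AP_CLERK", "AP_APPROVER"},    # enters and approves invoices
    "bob": {"VENDOR_MASTER", "TREASURY"},    # creates vendors and releases payments
    "carol": {"AP_APPROVER", "READ_ONLY"},   # clean
    "dave": {"HR_ADMIN"},                    # clean until PAYROLL_RUN is added
}

Pair = Tuple[str, str]


def effective_functions(roles: Set[str], catalogue: Dict[str, Set[str]] = ROLE_FUNCTIONS) -> Set[str]:
    """Union of functions granted by a set of roles; unknown roles grant nothing."""
    functions: Set[str] = set()
    for role in roles:
        functions |= catalogue.get(role, set())
    return functions


def conflicts_in(functions: Set[str]) -> List[Pair]:
    """Conflict pairs fully contained in a function set, as sorted tuples."""
    found = [tuple(sorted(pair)) for pair in CONFLICTS if pair <= functions]
    return sorted(found)  # type: ignore[return-value]


def sod_violations(user_roles: Dict[str, Set[str]]) -> Dict[str, List[Pair]]:
    """Detective control: users whose current roles already violate the matrix."""
    report = {}
    for user, roles in user_roles.items():
        hits = conflicts_in(effective_functions(roles))
        if hits:
            report[user] = hits
    return report


def check_assignment(user: str, new_role: str, user_roles: Dict[str, Set[str]]) -> List[Pair]:
    """Preventive control: conflicts that granting new_role would newly introduce.

    An empty list means the grant is safe with respect to the matrix; existing
    violations are not re-reported so the caller can distinguish old from new.
    """
    current = user_roles.get(user, set())
    before = conflicts_in(effective_functions(current))
    after = conflicts_in(effective_functions(current | {new_role}))
    return [pair for pair in after if pair not in before]


def conflicting_roles(catalogue: Dict[str, Set[str]] = ROLE_FUNCTIONS) -> Dict[str, List[Pair]]:
    """Design-time control: roles that carry a conflict inside themselves."""
    return {role: conflicts_in(funcs) for role, funcs in catalogue.items() if conflicts_in(funcs)}


if __name__ == "__main__":
    print("current violations:", sod_violations(USER_ROLES))
    print("grant PAYROLL_RUN to dave:", check_assignment("dave", "PAYROLL_RUN", USER_ROLES))
    print("roles conflicting by design:", conflicting_roles())
```

In practice the conflict matrix is owned by internal audit or the controls function rather than by IT, and `check_assignment` is what a provisioning workflow calls before a manager's approval is even requested; `sod_violations` is run periodically as the access review, since role changes and acquisitions introduce conflicts that no single grant ever did.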
5. Non-compliance risks – Data privacy regulations
This century has witnessed a boom in information, and data is crunched by what is now known as “Big Data Analytics”. Much of this information consists of the personal details of individuals: their demographic information, the products they buy or prefer to buy, the locations they have visited and, of course, the data generated by their use of “smart” devices – these could range from smart phones and smart cards to other things connected to the internet.
Data privacy requirements and compliance have become mandatory in several countries. The most recent is the comprehensive and stringent EU General Data Protection Regulation, 2016 (GDPR), governing the member countries of the European Union and putting in place several requirements for data privacy and the protection of information. This applies not only to organizations within the European Union (EU) but also to any business or organization outside the EU that has access to the private information of EU citizens.
A variation of this law was earlier adopted in Australia in the form of the Privacy Act and in Canada in the form of the Personal Information Protection and Electronic Documents Act, 2000 (PIPEDA). In both these countries the model involves the cooperation of government and industry.
In the US, by contrast, the model is one of “liberty protection” and the “right to be let alone”, ensuring as little intrusion from the government as possible. Unlike the EU, there are no comprehensive principles for collecting and disclosing data in the US. There is a limited, sector-based approach that varies between the public and private sectors. Broad legislation such as the Privacy Act 1974, which is based on FIPPs (collection of data by government), the Electronic Communications Privacy Act, 1986 and the Right to Financial Privacy Act, 1978 exists alongside sector-specific regulations such as the Gramm-Leach-Bliley Act (GLB), the Health Insurance Portability and Accountability Act (HIPAA) and the Children’s Online Privacy Protection Act (COPPA). In addition, states have their own data protection laws.
In India, although the drafting of a data protection law started piecemeal, several legislative attempts have been made to secure information privacy in various sectors. These include the general data protection rules under the Information Technology Act, 2000 (IT Act), the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016, and sector-specific regulations for telecom, banking and financial services through various Acts and rules.
With a whole host of laws and regulations that businesses need to comply with, it is needless to say that non-compliance is a major risk factor to be reckoned with.
6. Data storage, archival, retrieval and disaster recovery plans
Last but not least, risks have to be assessed and mitigated for proper data storage and for periodic archival and retrieval as required by the business or by tax / government authorities. Disaster recovery plans are a must for ensuring business continuity, and they form part of the necessary business controls to be enforced by the CIO / CTO.