CHAPTER 3: THE RISKS – Managing Information Risk: A Director's Guide


Before deciding how to deal with the risks associated with your business’s computer and information systems, it is important to consider the breadth of those risks. It is not simply a case of securing a virtual perimeter, as many of the risks are born of cultural issues or involve factors beyond your control. The National Archives guidance Managing Information Risk documents many of the risks that directors need to consider in assessing the impact a system failure or breach could have on their organisation. The following chamber of horrors is but a sample of the potential pitfalls.

Accidental disclosure

These are the types of security risk that the UK government has become so associated with. Laptops left in taxis, unencrypted personal information sent through the post and printed documents carried in clear plastic wallets are all recent examples of information lost or disclosed accidentally. Other sources of this kind of embarrassing and potentially costly error include mobile phone or PDA loss, poor disposal of computers at ‘end of life’ and erroneously sent e-mails.

The damage caused by these embarrassments depends on the type of data accidentally disclosed. An employee accidentally clicking ‘reply to all’ on an e-mail discussing your company’s tactics on a complex negotiation could severely weaken your bargaining position and cost millions.

Theft of hardware or data

Theft of information equipment can be more damaging than loss because it means someone was actively targeting your assets. The risk involves not only data loss, but also unavailability of equipment that might be needed for business critical activities.

Acts of nature

From snow blocking the lines and preventing IT staff getting into work, to severe weather that interrupts power supplies, natural conditions can mean staff have no access to computing assets and possibly no phones or e-mail. In the wake of natural disasters, power supplies may be down for days, severely hampering your business capability.

Alteration of software

Software alteration covers a wide range of risks, both malicious and accidental. According to the SANS Institute, the risks posed stem from any ‘intentional modification, insertion, deletion of operating system or application system programs, whether by an authorised user or not, which compromises the confidentiality, availability, or integrity of data, programs, system, or resources controlled by the system. This includes malicious code, such as logic bombs, Trojan horses, trapdoors, and viruses’. Good application of security standards can help, but suitable audits and assessment are necessary first.

Redundant media

The cost of storing data means many organisations stockpile information in old media formats. If these are not updated regularly, they may become obsolete if hardware for reading the information becomes superseded. In 2007, the Japanese government was unable to access 50 million pension records due to poor archiving – at huge expense to taxpayers and government image.

System configuration error

Poorly configured systems – whether during initial installation or later upgrades – are invariably at risk and could expose your organisation to data loss and hacking attacks.

Suppliers and partners

As business becomes digitally integrated, data that is pertinent or even critical to your organisation may be stored or duplicated elsewhere. Credit card companies will hold your customer data, and back-up servers may be hosted elsewhere by a third party. Are you sure that everyone you share data with has set their standards as high as you would like? What are the service level agreements with communications suppliers, and what would be the consequences of a failure of your ISP for an hour, a day or a week? See dealing with suppliers and partners in Chapter 4.

Critical information is wrongly destroyed

Research suggests that staff are often unclear on what information needs to be retained, and for how long. Keeping useless information is an unnecessary risk, while deleting valued files can cause chaos.

Poor data input

Staff (and third parties) make mistakes, and faulty data input can have costly implications, such as lost orders, or poor decisions made based on inaccurate data in the system. Double-checking input and cross-referencing can minimise the risks.

Critical information is lost

A hard drive or server crashing is eventually inevitable – so risk mitigation strategies are imperative to keeping the business running. Hardware failure always happens at the most inconvenient time, so what are your roll-over safeguards?

Wasted assets

If risk tolerance is too tight, perfectly good data that could provide a competitive advantage could be wasted by not being made available to staff who could use it to make money. According to the UK Government’s Data Handling Report and its mandatory minimum requirements ‘Addressing information risk involves ensuring that information is used, as well as protecting it when it is used. Information asset owners must consider on an annual basis how better use could be made of their information assets within the law’.

Failure to make information available

Failure to make information available or insufficient resources for the task is just as much a risk as hacking. If pricing information is unavailable, sales could be lost. What are the peak demand times for key system components and have the related systems been properly load tested? Are you critically dependent upon just a few people to manage your key systems and what happens if they are ill?