In a series of three articles, Nick Denning, CEO, Diegesis, looks at the risks faced by organisations operating complex enterprise IT systems. The first article saw Nick outline how to analyse and categorise risk. In this second one, Nick outlines the practical steps to identify and mitigate the risks organisations face in modernising mission-critical applications. All without throwing away years of IT investment or exposing themselves to security and data protection problems.
Where to start?
Review your critical IT systems. The first question to ask is, “do we have the skills to perform such a review?” The organisational challenge is to ensure that the reviewers are supported to perform reviews with integrity and candour. A culture of “shoot the messenger” is unlikely to produce useful results.
Another option is to use external consultants to perform some of the work, with a hybrid approach perhaps preferable. In most cases, it is possible to discover 80% of what is needed for 20% of the proposed budget. Bring in external experts if necessary. Categorise issues as ‘Must’, ‘Should’ and ‘Could’, then focus on the most critical first.
Help is at hand
Some well-respected frameworks provide the structure for IT reviews. Probably the best place to start is assessing the level of IT security risk in your organisation using Cyber Essentials from the National Cyber Security Centre (NCSC). Its website provides a downloadable spreadsheet of the questions you need to consider in system reviews. Five broad system security controls are covered:
- Firewalls (boundary firewalls and internet gateways)
- Secure configuration
- User access control
- Malware protection
- Patch management
The NCSC site also offers advice on how to address data protection issues. Non-compliance with data protection rules (GDPR) can be a major risk to an organisation. It needs to be treated seriously as large penalties could result if data breaches occur. Many consultancies can assist with the risk management around two of the most common topics of concern for organisations – HR and Health and Safety.
Ask searching questions
An organisation should ask itself deep questions – what could go wrong, and if it did, how would we deal with it? Perhaps the most important areas to question are:
- What does each business area consider to be the greatest threats to business? Where are these documented? What are we doing to manage them?
- Is what we do written down clearly enough that anyone could read our documentation and restart our business?
- When was the last system backup taken? When was the last test that we could recover from a backup? How long would it take for us to be back in business after a failure?
It is also important that evidence is provided and recorded to back up the answers, rather than responses being taken on trust. Open-ended questions, and whether the answers can be satisfactorily evidenced, will differentiate between organisations that are not competent, those with the ambition to do well in the future, and those that are effective today. This will guide us on where to focus.
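The backup questions above ("when was the last test that we could recover from a backup, and how long would it take?") are the kind that should be answered with recorded evidence rather than on trust. The script below is an added example, not code from the article or from Diegesis, of a scripted restore test that produces such a record: it restores a backup into a scratch directory, checks every file against a hash manifest taken at backup time, and reports backup age, restore duration and whether the data was recoverable. The backup format (a tar archive plus a JSON manifest of SHA-256 hashes), the 24-hour freshness threshold and the sample files are all constructed for illustration.

```python
"""Added example: a backup restore test that records evidence.

Assumed (constructed) backup format: a tar.gz archive plus a JSON manifest
of SHA-256 hashes written when the backup was taken. Paths, thresholds and
sample files are made up for this illustration.
"""
import hashlib
import json
import os
import tarfile
import tempfile
import time
from datetime import datetime, timezone


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(source_dir: str, backup_dir: str) -> tuple[str, str]:
    """Archive source_dir and record a hash of every file in a manifest."""
    os.makedirs(backup_dir, exist_ok=True)
    archive = os.path.join(backup_dir, "backup.tar.gz")
    manifest_path = os.path.join(backup_dir, "manifest.json")
    files = {}
    with tarfile.open(archive, "w:gz") as tar:
        for root, _, names in os.walk(source_dir):
            for name in names:
                full = os.path.join(root, name)
                rel = os.path.relpath(full, source_dir).replace(os.sep, "/")
                files[rel] = sha256_of(full)
                tar.add(full, arcname=rel)
    with open(manifest_path, "w") as f:
        json.dump({"taken_at": time.time(), "files": files}, f)
    return archive, manifest_path


def restore_test(archive: str, manifest_path: str, max_age_hours: float = 24.0) -> dict:
    """Restore into a scratch directory, verify every file, return an evidence record."""
    with open(manifest_path) as f:
        manifest = json.load(f)
    started = time.monotonic()
    missing, mismatched = [], []
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            # Refuse archive entries that would escape the scratch directory.
            for member in tar.getmembers():
                if member.name.startswith("/") or ".." in member.name.split("/"):
                    raise ValueError(f"unsafe path in archive: {member.name}")
            tar.extractall(scratch)
        for rel, expected in manifest["files"].items():
            restored = os.path.join(scratch, rel)
            if not os.path.exists(restored):
                missing.append(rel)
            elif sha256_of(restored) != expected:
                mismatched.append(rel)
    age_hours = (time.time() - manifest["taken_at"]) / 3600
    return {
        "tested_at": datetime.now(timezone.utc).isoformat(),
        "backup_age_hours": round(age_hours, 3),
        "backup_fresh": age_hours <= max_age_hours,
        "files_checked": len(manifest["files"]),
        "missing": missing,
        "mismatched": mismatched,
        "restore_seconds": round(time.monotonic() - started, 3),
        "recoverable": not missing and not mismatched,
    }


def _make_source(work: str) -> str:
    """Constructed sample data standing in for a small business file share."""
    src = os.path.join(work, "src")
    os.makedirs(os.path.join(src, "ledger"))
    with open(os.path.join(src, "ledger", "2024-q1.csv"), "w") as f:
        f.write("date,amount\n2024-01-05,120.00\n")
    with open(os.path.join(src, "README.txt"), "w") as f:
        f.write("constructed sample data\n")
    return src


def demo() -> dict:
    """Good backup: every restored file matches the manifest."""
    with tempfile.TemporaryDirectory() as work:
        archive, manifest = create_backup(_make_source(work), os.path.join(work, "backups"))
        return restore_test(archive, manifest)


def demo_tampered() -> dict:
    """Backup copy altered after the manifest was taken: the test must flag it."""
    with tempfile.TemporaryDirectory() as work:
        src = _make_source(work)
        _, manifest = create_backup(src, os.path.join(work, "backups"))
        with open(os.path.join(src, "README.txt"), "w") as f:
            f.write("contents changed after the backup was recorded\n")
        archive, _ = create_backup(src, os.path.join(work, "backups-altered"))
        return restore_test(archive, manifest)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
    print(json.dumps(demo_tampered(), indent=2))
```

The returned record is the evidence to file with the review answer: when the test ran, how old the backup was, how long the restore took, and which files (if any) could not be recovered. In the tampered case the manifest taken at backup time exposes a copy whose contents no longer match what was recorded.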
It is important to apply this rigorous questioning to establish our shortcomings. It can also motivate employees to strive to meet professional standards and operate legally, especially in areas such as:
- Maintaining reputation
- Ensuring infrastructure integrity and recovery capabilities
- Ensuring appropriate staff to operate our business
Do yesterday’s plans still apply?
Over the last decade, many large and medium organisations have created comprehensive plans that sit on the shelf waiting to be actioned. In IT, there is a constant evolution. Cumulative changes and unexpected combinations of solutions can drastically affect assumptions and plans.
Business continuity and disaster recovery illustrate the need for change. 15 years ago, a multi-million-pound alternative data centre together with provision for temporary office space might be essential for BC/DR. Now Office 365 and AWS, plus the lessons from successful pandemic home working facilitated by Teams and Zoom, provide the potential to rewrite these plans and drive down costs.
Today’s critical cybersecurity risks
Too often, the response to cybersecurity risk is a head in the sand, “That won’t happen to us” attitude. The sophistication of attackers continues to evolve. Where they find a successful target, they regularly repeat the attack.
These are the top three cyber-security risk areas currently impacting organisations:
- Ransomware – malware that encrypts and locks an organisation’s data, which is then lost until payment for the decryption key is made. Regular backups can mitigate ransomware, as systems can be rolled back.
- Mandate fraud – where employees are misled into paying money to criminals. For example, the finance team is tricked into changing a supplier’s bank details to those of the fraudsters.
- Theft of commercial data – taken by employees intending to leave the company.
Utilise the IASME framework for Cyber Essentials or the more rigorous IASME Governance. Do the simple things immediately and then develop your defences over time. The most vital starting point is staff awareness and training.
Benefit from the cloud
Using cloud-based systems can significantly improve protection. Cloud vendors such as AWS, Google and Microsoft have invested in strong security that few organisations can replicate. Vendors deploying into these infrastructures are obliged to adopt these security features. This is more secure than vendors hosting their own platforms.
The cloud also offers higher availability because of the reduced risk of network outages, and cloud vendors offer sophisticated business continuity/disaster recovery capabilities.
An organisation’s security is likely to be enhanced where they can change from legacy solutions and adopt these secure cloud solutions, for example, in the areas of:
- Hosted email
- Online banking and payments
- Accounting systems
Understand the cost of action and inaction
Inaction on risk management is often because the costs are hidden. There are many examples of organisations running systems on old, unpatched versions of operating systems that were highly vulnerable and thus wide open to attack.
The analysis associated with risk management should help identify these old systems. It will also enable alternative defence strategies to be put in place. It can help understand where risks and costs sit to reduce both with benefits directly to the bottom line.
Risk management can identify insecure systems that represent a huge risk to a business and that have historically not been reported to the board as they should have been. It provides justification that obliges the spending of money to restore a degree of protection. The great benefit will be if the security threat energises the adoption of effective risk management to contain security costs. It puts in place a risk management discipline that will generate benefits to the bottom line.
Enterprises have spent years developing their data-intensive enterprise applications. The ability to preserve software investments is critical while meeting evolving business needs. However, emerging threats have not always been addressed. In this second article in the series, we’ve looked at questions and frameworks which will help identify key risks to help build effective strategies. The final article will offer a template to help plan for change.
Diegesis is a business technology and IT systems integration company that specialises in delivering outcomes using RDBMS, integration and data analytics technology. The company has a proven track record delivering successful projects that provide tangible business value to large and mid-size organisations through the effective combination of people, process and technology. Diegesis specialises in helping organisations to release the hidden knowledge and wisdom from within their entire range of diverse sources of information (documents, emails, core business systems and applications, databases, intranet, internet and presentations) to support swift and effective decision-making. For more information, visit www.diegesis.co.uk