Articles

Protecting your business online

June 15th, 2015

Last week I was fortunate to hear Steve McCabe from PWC speak on managing technology risks.   Good governance is about managing risk across all areas of the business, but to be fair & judging by the reaction of others in the presentation, technology risk is one that we really need to get a better understanding of.

Sure we all understand about operational risk, competitive markets, business continuity, financial health & the numerous other things that directors of most SMEs know about.   But technology at a risk level – well that was an eye opener for me.

PWC have an excellent article which I have found & it is titled ‘Managing cyber risks in an interconnected world’.   These are some key points I have taken from it.

Questions to consider

So here are some questions to consider to see what your data security is like:

  • What is your information security budget – how much $ have you allocated?
  • What is your mobile security strategy?
  • What security policies do you have in place?
  • What privacy policies do you have?
  • The list goes on – & as he was asking the questions I don’t think too many in the room could answer yes to a whole lot of them

Remembering too that breaches can come from different areas both from outside & inside the organisation.   Outsiders may include hackers, competitors, activists, information brokers, organised crime,  while insiders may include employees, contractors, consultants, suppliers, customers & again the list goes on.   Now I’m sure that a small SME in Hawkes Bay New Zealand isn’t going to be top of a hackers wish list, but at the end of the day all sorts of data is stored in most local businesses (customer details, payroll information, personal information, credit card information, supplier information) & from a governance perspective there is a duty to keep that information safe

Steve talked about managing cyber risks in 4 areas:

  1. Prevent
  2. Protect
  3. Detect
  4. Respond

Let’s look at those 4 in a bit more detail:

Prevent

  • Have privilege user access
  • Have a security awareness training programme
  • Require third parties to comply with your privacy policies
  • Conduct personnel background checks

Protect

  • Have intrusion prevention tools in place
  • Have data loss prevention tools
  • Have a process to patch breaches
  • Have software that protects/detects threats

Detect

  • Have intrusion detection tools in place
  • Have malicious code detection tools in place
  • Have unauthorised use monitoring tools
  • Have scanning technology in place

Respond

  • Business continuity / disaster recovery plans
  • Incident response processes

Now if you’re like me, some of those points made sense – others made me scratch my head & wonder where to start.   But that’s the thing about governance isn’t it – it is a case of identifying the risk, finding out the information you need, surrounding yourself with experts such as PWC & then putting practices in place to minimise that risk.

Steve made two other points that stuck with me (i) It is not an IT department/provider problem – you can’t just abdicate responsibility – it needs to be driven from the top (ii) It is not a matter of ‘if’ you’ll be breached – but a matter of ‘when’

Where to from here?

If you’ve made it to the end of the article well done.   You probably feel like I did at the end of the presentation – more confused than when I started.   But I guess that’s a start – the next challenge is how to apply that across the business you may be involved in.   What practical steps need to be developed, what advice & support do you need & where to from here?

Many thanks to Steve McCabe from PWC for his thoughts & insights