What is Information Technology risk?

If your business relies on information technology (IT) systems such as computers and networks for key business activities you need to be aware of the range and nature of risks to those systems.


Probability * Consequence = Risk

Looking at the nature of risks, it is possible to differentiate between:

* Physical threats - resulting from physical access or damage to IT resources such as the servers. These could include theft, damage from fire or flood, or unauthorized access to confidential data by an employee or outsider.

* Electronic threats - aiming to compromise your business information - eg a hacker could get access to your website, your IT system could become infected by a computer virus, or you could fall victim to a fraudulent email or website. These are commonly of a criminal nature.

* Technical failures - such as software bugs, a computer crash or the complete failure of a computer component. A technical failure can be catastrophic if, for example, you cannot retrieve data on a failed hard drive and no backup copy is available.

* Infrastructure failures - such as the loss of your internet connection, which can interrupt your business - eg you could miss an important purchase order.

* Human error - is a major threat - eg someone might accidentally delete important data, or fail to follow security procedures properly.

_________________________________________________________________________

Another classification of types of IT risks

1- Viruses: a type of malicious code or program written to alter the way a computer operates and designed to spread from one computer to another.

2- Malware: any software intentionally designed to cause damage to a computer, server, client, or computer network.

3- Hardware failure: a malfunction within the electronic circuits or electromechanical components (disks, tapes) of a computer system.

4- Software failure: a failure that occurs when the user perceives that the software has ceased to deliver the expected result with respect to the specification input values.

5- Hackers: people who illegally break into computer systems.

6- Natural disasters: such as fire, cyclone and floods also present risks to IT systems, data and infrastructure. Damage to buildings and computer hardware can result in loss or corruption of customer records/transactions.

7- Fraud: using a computer to alter data for illegal benefit.

8- Security breaches: any incident that results in unauthorized access to computer data, applications, networks or devices. It results in information being accessed without authorization. Typically, it occurs when an intruder is able to bypass security mechanisms. It includes physical break-ins as well as online intrusion.

Intentional and unintentional risk

-----------------------------------------------------------------------------------------------------------------------------------------------

Strategic Risk

Risk that affects the achievement of the organization's main strategic and long-term objectives, for example:

- Reputation

- Customer relations, quality, organizational culture, competition

Operational Risk

- Network risk, intruder risk, hackers, virus attacks, accidental deletion, hard disk failure, program freezes

General IT Threats

General threats to IT systems and data include:

  • hardware and software failure - such as power loss or data corruption
  • malware - malicious software designed to disrupt computer operation. 
  • viruses - computer code that can copy itself and spread from one computer to another, often disrupting computer operations
  • spam, scams and phishing - unsolicited email that seeks to fool people into revealing personal details or buying fraudulent goods
  • human error - incorrect data processing, careless data disposal, or accidental opening of infected email attachments.

Read more about email scams, viruses, hackers, and other IT threats.

Criminal IT Threats

Specific or targeted criminal threats to IT systems and data include:

  • hackers - people who illegally break into computer systems
  • fraud - using a computer to alter data for illegal benefit
  • password theft - often a target for malicious hackers
  • denial-of-service - online attacks that prevent website access for authorised users
  • security breaches - includes physical break-ins as well as online intrusion
  • staff dishonesty - theft of data or sensitive information, such as customer details.

Read more about online crimes against business.

Learn more about protecting your website from hackers.

Natural Disasters and IT Systems

Natural disasters such as fire, cyclone and floods also present risks to IT systems, data and infrastructure. Damage to buildings and computer hardware can result in loss or corruption of customer records/transactions.

Read more about preparing for and recovering from natural disasters and business continuity planning.


Managing information technology risks

Managing information technology (IT) risks is a structured process that involves a series of activities designed to:

  • identify risks
  • assess risks
  • mitigate risks
  • develop response plans
  • review risk management procedures.

A comprehensive approach to risk management used by Australian emergency management agencies is based on the prevention, preparedness, response and recovery (PPRR) model.

Legal Requirements

As a first step in managing IT risks, you should be aware of the legal and legislative requirements for business owners, such as the Spam Act 2003 (Cwlth), the Electronic Transactions (Qld) Act 2001 and privacy laws.

Read more about legal obligations for online business.

IT Risk Assessment

An effective IT risk assessment identifies serious risks, based on the probability that the risk will occur, and the costs of business impacts and recovery.

To complete your IT risk assessment, identify the risks to your business and perform a business impact analysis.
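The page states the formula Risk = Probability * Consequence and says an assessment should rank risks by likelihood and by the cost of impact and recovery, but it gives no scale or worked register. The following is an added example (not from the original page or the course it belongs to) of a small risk register that scores each risk on that formula and lists the ones serious enough to need a response plan. The 1-5 likelihood and consequence scales, the rating bands, the risk names and the cost figures are all assumptions constructed for the example; the threat categories are the ones listed earlier on the page.

```python
from dataclasses import dataclass

# Assumed 1..5 scales: the page states only Risk = Probability * Consequence
# and gives no numeric scale, so these bands are a construction for this example.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"insignificant": 1, "minor": 2, "moderate": 3, "major": 4, "catastrophic": 5}
# (minimum score, label), checked from highest to lowest; also an assumption.
RATING_BANDS = [(15, "extreme"), (10, "high"), (5, "medium"), (0, "low")]


@dataclass
class Risk:
    name: str
    category: str        # one of the page's threat types (physical, electronic, technical, ...)
    likelihood: str      # key into LIKELIHOOD
    consequence: str     # key into CONSEQUENCE
    recovery_cost: int   # estimated impact plus recovery cost; constructed figures

    def score(self) -> int:
        """Risk = Probability * Consequence on the assumed 1..5 scales."""
        return LIKELIHOOD[self.likelihood] * CONSEQUENCE[self.consequence]

    def rating(self) -> str:
        """Map the numeric score onto the assumed rating bands."""
        for floor, label in RATING_BANDS:
            if self.score() >= floor:
                return label
        return "low"


def rank_register(register):
    """Order risks highest score first; ties are broken by recovery cost."""
    return sorted(register, key=lambda r: (r.score(), r.recovery_cost), reverse=True)


def serious_risks(register, minimum="high"):
    """Risks rated at least `minimum`: the ones that need a response plan."""
    order = [label for _, label in RATING_BANDS]  # extreme > high > medium > low
    cutoff = order.index(minimum)
    return [r for r in register if order.index(r.rating()) <= cutoff]


def register_summary(register):
    """(name, score, rating) tuples in ranked order, for reporting."""
    return [(r.name, r.score(), r.rating()) for r in rank_register(register)]


# Constructed register covering the threat types the page lists.
SAMPLE_REGISTER = [
    Risk("failed hard drive with no backup", "technical failure", "likely", "catastrophic", 80_000),
    Risk("phishing email opened by staff", "electronic threat", "almost certain", "moderate", 15_000),
    Risk("loss of internet connection", "infrastructure failure", "possible", "minor", 2_000),
    Risk("flood damage to server room", "physical threat", "rare", "major", 120_000),
    Risk("accidental deletion of customer records", "human error", "likely", "moderate", 10_000),
]

if __name__ == "__main__":
    for name, score, label in register_summary(SAMPLE_REGISTER):
        print(f"{score:>2} {label:<8} {name}")
    print("needing response plans:", [r.name for r in serious_risks(SAMPLE_REGISTER)])
```

Note that the flood scenario carries the largest recovery cost but ranks lowest, because its assumed likelihood is "rare"; the business impact analysis the page calls for is what decides whether such a high-cost, low-probability item still deserves a continuity plan despite its low score.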

Business Continuity Planning (ensuring the continuity of the organization's operations)

Having identified risks and likely business impacts, the development of a business continuity plan can help your business survive and recover from an IT crisis. A business continuity plan identifies critical business activities, risks, response plans and recovery procedures.

Read more about business continuity planning, and download our business continuity plan template.

IT Risk management policies and procedures

IT policies and procedures explain to staff, contractors and customers the importance of managing IT risks and may form part of your risk management and business continuity plans.

Security policies and procedures can assist your staff training on issues such as:

  • safe email use
  • setting out processes for common tasks
  • managing changes to IT systems
  • responses to IT incidents.

A code of conduct can provide staff and customers with clear direction and define acceptable behaviours in relation to key IT issues, such as protection of privacy and ethical conduct.

Learn more about staff training.


Reducing information technology risks

Threats and risks to information technology (IT) systems and data are an everyday reality for most modern businesses. You should put in place measures to protect your systems and data against theft and hackers.

Practical steps to improve IT security

To help protect your IT systems and data you should:

  • secure computers, servers and wireless networks
  • use anti-virus and anti-spyware protection, and firewalls
  • regularly update software to the latest versions
  • use data backups that include off-site or remote storage
  • secure your passwords
  • train staff in IT policies and procedures
  • understand legal obligations for online business.

Read more about protecting IT data and systems.

Create a secure online presence

If your business has an online presence, you should assess the security of your website, email accounts, online banking accounts and social media profiles.

For example, Secure Sockets Layer (SSL) technology (its modern successor is TLS) is used to encrypt transaction data and to send customer and card details to the acquiring bank for authorisation. You should ensure any web hosting solution you consider is capable of supporting the SSL protocol.

Induction and IT training for staff

Training new and existing staff in your IT policies, procedures and codes of conduct is an important component of IT risk management strategies. Training can cover key business processes and policies, such as:

  • safe handling of infected email
  • protecting the privacy of customer details
  • priority actions in the event of an online security breach.

As an employer you have legal obligations when training staff. Providing support and training for new employees is a critical aspect of staff training. Read more about staff inductions and staff training.

Business insurance

It is impossible for a business to prevent or avoid all IT risks and threats. This makes business insurance an essential part of IT risk management and recovery planning. You should regularly review and update your insurance, especially in light of new or emerging IT risks, such as the increasing use of personal mobile devices for workplace activities.

Learn more about choosing the right business insurance.
