How to protect against technology risk?
PTS Consulting's Kuldip Sandhu discusses : How should an organisation successfully manage risk in an environment that is complex and constantly evolving, and where the consequences can be catastrophic?
NatWest, a subsidiary of RBS, developed a fault on its IT system that reconciles customer transactions overnight. The fault forced a blackout for millions of its customers, preventing them from checking, withdrawing and paying bills with their allowed credit. The issue was blamed on an update made to the Key CA-7 software and also on the risks faced when outsourcing IT employment internationally. Subsequently the blackout lasted for three working days. By the time normal service had resumed, 17% of RBS’ share price had been wiped, and both RBS and NatWest suffered significant reputational damage.
Santander was almost undone by an incident of cybercrime. A bogus engineer attempted to install an IT device known as a KVM (Keyboard Video and Mouse) to one of its branches in the UK to act as a gateway through which hackers could channel funds. Fortunately, a tip-off from the Metropolitan Police averted the crime and the criminals were caught. Barclays was not quite so lucky; another bogus IT engineer was able to fit a KVM device, allowing considerable amounts to be transferred, though a significant amount was eventually recovered by the Metropolitan police. Both incidents took place in the space of one week and could have presented both banks with much higher losses. It certainly identified a security risk in the most obvious way possible; the lack of IT infrastructure to detect and stop unauthorised monetary transactions revealed the banks to be remarkably exposed.
Santander and Barclays aren’t alone in having to deal with the risk of security breaches; with more and more cloud services being offered, security risk will soon be near the top of the agenda of all organisations. A report carried out by informationisbeautiful.net identifies many household names that have been affected:
A group of American based businesses had 160 million credit and debit card details stolen that affected 800 thousand bank accounts, which saw the loss of $300 million
A former AOL engineer stole 92 million screen names and e-mail addresses and sold it to spammers who in turn sent out 7 billion unsolicited emails
76 million records of US Military veterans were exposed when undeleted, unencrypted and faulty disks were sent for repair
Sony PSN lost 76 million Sony PSN and Qriocity records due to hacking; it was their third security breach within a year
Hackers stole 94 million financial related customer records from TJ/TK Maxx stores through a Wi-Fi network within a US store
In an environment where losing even a few important records is unacceptable, the fact that all of the entries in the above report, including the likes of Apple, Yahoo, Honda, AT&T and HP, experienced losses of 30 thousand records or more is extraordinary.
Whether malicious or otherwise, organisations are failing to understand, identify and manage their exposure to risk in a technology-reliant environment, with significant financial and reputational ramifications. When the stakes are so high, how is this being caused, and what guidance can be given to help organisations?
Organisational Challenges of the 21 Century
How can organisations get a better understanding of the challenges they face with regards to risk?
Risk as a standalone term relates to loss that can be attributed to being exposed to a pre-calculated or unknown event or series of events. The level of loss is fully dependent on how well prepared one is for such incidents as they occur.
An organisation’s exposure to technology risk is complex, constantly evolving and ever increasing. In the 21st Century organisations are faced with decisions across the board on how to mitigate these risks:
Compliance & Legal
Reputational and Brand-related
Research and Development
Complexity of IT Infrastructure Hierarchy
Risks come in many forms and affect different layers of an organisation; its mitigation, therefore, represents a monumental task. The size of the problem depends upon the size of the organisation in question so it is important to understand accordingly the risks that you are most likely to face, how these can affect you and what to do if or when these risks materialise. Risks can either be classed as internal or external; more and more businesses increase exposure on both counts by moving business processes into the IT domain. This can be anything from the constant evolution of computer technology, to lack of internal governance and ‘silo’ working practices.
The diagram below depicts an example of the impact of certain risks materialising on the technology landscape in a typical Banking environment:
Three Layers of Defence
Organisations now recognise that detecting and managing risks is an essential part of day-to-day operations. Progressively more businesses are employing staff whose sole duties are to detect risk and report them to ensure that Governance, Risk and Compliance requirements are satisfied. It is crucial, however, that thought goes into not only the number of staff dedicated to risk management, but also into the structure that should be put in place to make the whole organisation work effectively to mitigate risk.
An organisation has to defend in depth across structural layers. Commercial organisations need to implement layered defences such as the one below to protect themselves against risks.
Layer 1 is the business frontline that tackles risk head on; this could be staff working on the tills at the local supermarket, manning the booths in the bank branch, or Firewalls standing as gatekeepers to the IT network. In all cases they have to be vigilant and follow the organisation’s operational policies and procedure to detect, monitor and stop any unwanted activities (fraudsters, hackers, etc.).
Layer 2 acts as an oversight function to ensure that Layer 1 complies and can manage risk effectively and efficiently. Activities include carrying out regular audits to ensure operational policies and procedures are being met and, if not, establishing what course of action to take to ensure compliance. This may mean identifying training for staff to understanding the viability of a particular process of execution.
Layer 3 represents the final supervisor function, consisting of a line of internal and external auditors and organisational directors. Their duties are to assess the success of detecting, monitoring and executing policies and procedures and to ensure that the first two layers are adequately designed to function as required and demonstrate to the rest of the business that risks are being mitigated.
The objectives of a three layer defence are for all components to operate efficiently, both independently and in unison; each layer must complement the others.
It is easy to view the problem and solution to risk management through a process and technology lens. What we find is that the heart of the problem lies more within the working culture of the organisation. For example, prior to the 2008 recession – particularly the banking sector – a preoccupation with profit and margin prevailed. It led in some cases to a culture of greed and extreme competition amongst staff and competitors, forcing many organisations into unsustainable financial positions; as a result many went into administration or downsized considerably, whilst others were acquired.
Problems with workplace culture have the potential to undermine efforts to manage risk in the following ways:
A breakdown in intra- and inter-layer communication
Individual layers placing undue stress upon its interfacing layers
Development of staff skills within each layer being hampered
Misunderstanding and miscommunication of layered policies, procedures and practices
General disjointed or ‘silo’ mentality
Lack of IT budgeting to build a holistic common IT platform to serve the layered defence
Another key issue is that of accountability. Phrases such as “this is beyond my job responsibility” or “it’s for my manager to resolve this problem” can be widespread in organisations of all types.
Whilst a single point of accountability is simple to enforce, a multi-layered one is far more difficult, requiring more policies and procedures to enforce, which can be a significant challenge. Generally speaking, organisations suffer in the following ways:
Values around accountability aren’t promoted tostaffor there are no values in place at all
Organisational tasks, and to whom they are assigned, are not clearly defined
Many staff lack the confidence to assert themselves and assume responsibility due to a lack of support from peers and mentors
Managerial staff lacks time to promote accountability, such as reading through documentation before providing sign-off for organisational initiatives or raising issues in employee appraisals
Employees lack an understanding of their duties due to neglect or insufficient training
Without the correct environment in place to support all employees, accountability will always take a backseat, and this directly impacts an organisation’s ability to deal with risks when they arise.
The regulatory landscape constantly evolves and means that organisations must be especially vigilant to understand the risks to which they are exposed. The financial sector in particular is subject to constant additional regulation; examples in recent history concern Anti-Money Laundering and Data Protection, alongside MiFiD and the Sarbanes-Oxley acts. More recently we have seen the introduction of FATCA and BASEL III, focusing on the global footprint of financial sector clients.
Every time there is change in national or global regulations, a financial institution has to adopt them at all levels within their organisation. The compliance department has to understand the requirements of the regulations and then understand if the current organisational setup is sufficient for the organisation to comply with the regulation and, if not, understand what needs to change.
Adhering to regulation will usually require inward investment with the intention not being to see a return, but rather to ensure that the change streamlines your organisation and allows it to produce healthy profits in comparison to excessively risky ones.
Prepare for Change
Change is imminent, inevitable and required. Some changes will provide opportunities, others will only seek to test the resilience of organisations; some will do both. Whatever the nature of the change in a risk management context, it can only be achieved with a healthy working culture and a readiness to embrace that change.