It is impossible to predict tomorrow’s cyberthreats, which is why IT Risk Management should be more about healthy habits and less about rigid procedures. Companies and their employees are faced with potential threats every single day. So, we have compiled a list of 7 Healthy Habits for IT Risk Management.
In developing these 7 Healthy Habits, we enlisted the help of one of Denmark’s leading IT auditors, Jesper Parsberg Madsen, partner at global consultant PwC with more than 25 years’ experience in the field. Parsberg Madsen was quick to point out that habits and people take precedence over procedures:
“Many people believe that IT Risk Management and IT Compliance are rigid and formal. In reality, the companies which perform best in terms of IT Risk Management are the ones that are able to work proactively and dynamically with their threat picture, and always ensure that continual risk assessment is an integral part of their corporate culture.”
Plan Initiatives Based on Your Current Threat Picture
Your threat picture is constantly shifting, but you should still try to define and prioritize the company’s biggest known risks. Base your plan on these and include initiatives and procedures to minimize the identified risks.
Make sure the plan involves the entire organization, to ensure each department assesses its own threat picture. Evaluate the threat picture at least once a year and avoid the temptation to stick to old habits.
Don’t Postpone Your Plan
Having a plan is important, but you need to take action if you want to minimize risk. In fact, daily operations and a heavy workload pose the greatest threat to data protection and IT Risk Management. It’s always easier, in a busy workday, to postpone the initiatives in your Risk Management plan. After all, they aren’t business-critical – at least, not in the short term.
One crucial habit, therefore, is to act on your plans. Don’t postpone, just execute.
And Follow Up!
There’s no use in planning, for instance, two annual backup/restore tests if you never get around to performing them. And those tests are useless if you fail to report identified issues or incidents.
The rule of thumb is: if it’s not documented, it doesn’t exist. If you haven’t recorded any incidents or issues, an IT auditor will see this as a red flag, because it is highly unlikely and indicates that the company fails to follow up.
Ideally, the IT Risk Management process adheres to a “plan, do, check, act” schedule. The fourth good habit is to act on experiences, records or identified incidents.
For example, one action might be to adjust a plan and optimize the process if it doesn’t adequately mitigate the risk, or if a new risk has emerged. The evaluation phase entails a check of the IT Risk Management design and ensures that you don’t become rigidly bound to inappropriate procedures.
It’s important to shed light on errors and irregularities. If you don’t, you will never have the chance to examine them and figure out whether there might be a pattern. Without a transparent approach to errors, minor irregularities could be overlooked and risks never detected.
It is essential for a company to create a forum for communicating incidents – both minor and major. And it’s perfectly OK if some processes do not run flawlessly.
Educate and Upgrade
Employees should possess a fundamental understanding of the principles underlying IT Risk Management. This will enable them to spot and report deviations from the norm. It is therefore a good habit to introduce fixed procedures for awareness training.
As a company, you should also address gaps in knowledge and skills systematically, so that business-critical specialist skills are always on hand.
This is an obvious but no less crucial habit. A good grasp of basic IT hygiene, or “housekeeping”, is essential. Always remove access for inactive users, and erase files that should no longer be stored under GDPR. You will find more examples under “3 Typical Errors”.
“Our most demanding clients have an increased focus on IT Risk Management and compliance. Our flexible and managed pay-as-you-go solutions help you minimize costs and reduce complexity in IT processes in your storage and backup environments.”
- Jesper Juul, CCO B4Restore.