Any organisation that uses technology in its operations to store, manipulate, transfer or create data or information is exposed to technology and data risk. This applies to practically every company operating today, regardless of its level of technological use. Technology risk is a firm’s exposure to potential loss resulting from the failure of its information technology (IT) systems. Data risk relates primarily to the organisation’s exposure to loss through its limitations in acquiring and using its data, including the storage, movement, transformation or other forms of data manipulation. From the largest MNCs to sole proprietors, cottage industries and independent producers – all use technology in some form or other. Technology risk therefore concerns everyone because it ultimately affects all stakeholders.
Unfortunately, technology risks expand in parallel with technological use, particularly because technology is being utilised to create more technology, such as cloud computing and remote data storage; the risks therefore grow in tandem. As technology grows more sophisticated, so too does the possibility of destroying or corrupting data, which can have far-reaching consequences for companies, although it may not be immediately obvious. Its eventual manifestation may result in the loss of revenue or reputation, or both. It is pragmatic, therefore, for organisations to “bite the bullet,” accept that they are at risk, and move concertedly to put mitigative measures in place.
Data is an extremely valuable asset and has to be protected. It includes staff and customer information which may be confidential and proprietary, the loss of which could damage the organisation. Data breaches can happen anywhere, at any time; mitigation may be effected by instituting policies, practices and procedures organisation-wide to cover as much of the firm’s network, systems and devices (including storage) as possible. The SOPs may be as simple as logging out completely at the end of the day, or never divulging passwords to anyone, but having these in place may make it a little more difficult for hackers to breach the system.
Subject matter experts concur that where there is more difficulty than expected, hackers are likely to leave and move on to another, more vulnerable or open target. Companies need to consider a comprehensive data risk management framework that covers as many aspects of technology use as possible. Cyber risk, which is the possibility of any type of technology (or technological failure) disrupting the business, should also be a major focus. The framework for managing technology and data risk should include an appropriate assessment template for cybersecurity and data risk, so that the related risks can be identified.
One of the biggest technological threats today concerns systems breaches that result in stolen, corrupted or destroyed data and have serious, sometimes dangerous, repercussions. Technology and cybersecurity experts recommend that companies conduct a technology risk assessment to identify and prioritise the technology and data risks confronting the organisation, as a first step towards managing them. Firms should bear in mind that this is not a one-off process. Technology is dynamic; so are its risks. To be effective, identifying, assessing and mitigating risks associated with technology or IT and data need to be ongoing activities.
Thus, it cannot be the job of just one person. A team is needed, with the requisite skills for identifying and assessing the risks, and developing plans to address them. The appropriate application of the correct tools will help teams categorise and prioritise risks, particularly according to levels of impact and probability of occurrence. Careful documentation of these activities is important so that the firm will be able to react quickly when untoward events occur. Better still, careful documentation and analysis could help the firm anticipate these events before they happen. With technology and data risk, timing is critical.
The team should implement mitigative measures as quickly as possible because of the velocity with which such incidents can occur. Clear, concise, comprehensive documentation will also allow the firm to be proactive, instead of reactive, in its response. For instance, as many people turned to working from home amid the global pandemic, there was an increased need for cybersecurity. Robust documentation of how the organisation responded will be invaluable should another similar event occur. But organisations should avoid lumping technology, IT, data and cyber risk into one category without clearly understanding the individual elements.
While all of these involve technology and are connected, they may affect different organisations in different ways, depending on how they are used. Technology risk, for instance, may involve software or hardware failure caused by faulty programming or equipment, while data risk may involve system breaches caused by hacking which corrupts data. One of the risks associated with IT is data that needs verification before it can be applied to decision-making. Cyber risk applies primarily to loss events such as ransomware, malware or phishing incidents. Regardless of how they are defined, these risks all have great disruptive potential.
Yet, businesses are relying increasingly on technology and producing more data and information today than ever before. Analysts assert that cyber breaches are inevitable, and may lie undetected for months. But with the increasing reliance on technology, what can organisations do to protect themselves and manage technology and data-related risk? Training staff to recognise the need for cybersecurity and data integrity is a good place to start. Having a firm policy on data and security, and enforcing it, is another. Everyone should understand how data is generated and shared; how it is stored, accessed and monitored; and the consequences of data breaches.
Applying a holistic technology and data risk management strategy may be an organisation’s best bet where mitigating related risks is concerned. A macro view of the role that technology and data play in the company, and the integration of checks and balances at all levels of the firm, may help minimise exposure to risk, and avoid the consequences of a cyberattack and the ensuing damage, or the loss of reputation that could lead to a decline in the value of the firm.