Managing digital risk -TEISS® : Cracking Cyber Security
10 September 2018
TEISS head of strategy Jeremy Swinfen Green, considers the nature of digital risk and how it differs from cyber risk.
What is digital risk? It’s the risk to organisations that their use of digital technology carries with it some dangers. In that, it is similar to cyber risk. However, digital risk is far wider than cyber risk and includes many risks that are not directly related to information and data.
For instance a mistake in an algorithm cost share trading company Knight Capital $440 million in just 45 minutes. That has to hurt!
The danger though is that businesses focus on cyber risk. Cyber risk is a much more popular term than digital risk, as can be seen by the graph below, taken from Google Trends.
However, businesses that focus purely on cyber risks when they address the risks that digital technology bring to their organisation will be leaving themselves exposed to a range of other risks, some of which are strategic and possibly even existential. Let’s have a look at a range of digital risks.
Cyber risk principally refers to the risk that information or data stored on computers is accessed and used without authorisation, is altered without authorisation, or is made inaccessible to authorised people (the familiar “Confidentiality-Integrity-Accessibility” trio).
But the risks also extend to hardware. Computers and IT infrastructure can be damaged by unauthorised access. And with digital information so crucial to almost every organisation disruption to IT infrastructure is a strategic threat. How would your organisation operate without an internet connection? Or without computers?
Many years ago, the advertising agency I was working at suffered a break-in. The desktop computers were targeted. But this wasn’t ordinary theft. The memory chip in each PC was removed (memory was in very short supply at the time due to a factory fire in Korea) and even then, in the early 1990s, this caused massive problems for the agency who were rendered effectively inoperative for several days.
There is also a threat to machines, often dumb machines, that are connected to computers, for instance factory machines. We haven’t seen too many IoT attacks yet, where internet connected machines have been targeted. But there have been some. Power stations, oil pipelines and streel mills have all been targeted in this way.
People risk refers to the risk that people pose when they use digital technology. People are the most important part of almost any organisation. Even Elon Musk realises that after his ill-fated attempt to over-automate production at Tesla.
Unfortunately, digital technology can have damaging effects on people. One example involves the way that digital technology enables flexible working practices such as hot desking and working from home. These save money but at a cost. Hot desks are often disliked by uses who prefer their own space and this can impact productivity. And home working can result in isolation and consequent demotivation.
Communication can also suffer because of digital technology. It is often less trouble to send an email (which can easily get misinterpreted) than talk to a colleague and ensure they understand an issue. Communication via a computer screen can be dehumanised – which explains why perfectly normal and pleasant people can turn into ranters, bullies or “trolls” when online.
For some people, and not just older workers, technology is threatening. They refusal to engage with it and if it is forced on them they become demotivated.
Other people take inappropriate advantage of technology. Perhaps they hoard emails, photographs and other files. It may make them feel secure, but this behaviour can cause problems including security and IT resource issues. Perhaps they use technology to “help” by creating unauthorised (and “off-brand” or insecure) websites or social media accounts for their employer. Perhaps they simply fail to understand the effect they personally can have on the reputation of their organisation when they use social media to talk about their employer or their industry.
And sometimes the digital technology is simply unusable and gets in the way of people doing a proper job. If systems make people key in the same data repeatedly, or if they lose data unexpectedly, or if they are hard to navigate, then all the savings promised by streamlined digital systems will be frittered away in productivity losses.
Digital project management risk
Many organisations are attempting to deliver some kind of “digital transformation”. Whether or not “transformation” is likely to be the end result, these attempts by definition involve digital projects or programmes of projects.
Digital projects are risky things to manage for all sorts of reasons including their speed, the fact that they often use outsourced services, and the rapidly changing nature of technology. These projects often have substantial amounts of resource invested in them. And they frequently fail. Why is that?
Digital projects fail in part because the risks they contain are insufficiently identified. That may because of inexperience in the project management team – after all the word “transformation” does imply that a similar project won’t have been tried before. Or it may be because the people managing the project management don’t understand the issues and risks faced by the project – and make inappropriate decisions around resources and objectives.
Other reasons for failure include: setting objectives that are focussed on the technology rather than the end user; failing to test properly, often a result of time constraints; failing to manage the “meta risk” that resides in a programme of digital projects where one could conceivably cancel out the benefits of another; the risk that a new digital system will fail to interact effectively with existing, non-digital systems (such as logistics or HR); or simply a lack of understanding and enthusiasm in the wider organisation.
Digital technology comes with “opportunity risk”. This is risk that can either involve money and resources that could better be spent on other opportunities being instead spent on digital technology. Or it can be that an opportunity to benefit from technology is lost.
Why do these things happen? Inappropriate investment can result from poor decision making. This might involve a technology lover persuading managers who are not sufficiently clear about technology that a particular investment is likely to be effective. Or an investment in technology (or technology services such as insurance) might be made without the realisation that the value derived from the investment will be less than the cost incurred.
Another cause of opportunity risk is seen when there is a lack of support for good investments due to poor governance caused by a lack of knowledge at a senior level. As a result the investment doesn’t deliver value and the opportunity is lost.
Digital risk doesn’t stop with these risk types though. There are many others that managers should be prepared to manage, including:
- Reputation risks: Risks from third parties include the creation of websites and social media accounts that purport to be owned by an organisation. This is a common tactic by political “hacktivists” such as Greenpeace, but it is also used by counterfeiters who want to sell fake goods.
- Fraud and theft risks: “Business email compromise” and email spoofing are common techniques used by fraudsters to persuade unwary business to pay fake invoices, or in some cases to send payment for genuine invoices to criminally owned bank accounts.
- Compliance risks: Businesses need to be aware of how the law impacts on their digital processes. Websites need to be reasonably accessible to the disabled if they offer services. Data collection and manipulation needs to be done in such a way that it complies with laws such as the Data Protection Act 2018. Advertising on social media needs to keep on the right side of the ASA and consumer rights laws. Business PR and social media activity needs to comply with financial reporting requirements.
- Market risks: The internet makes it easy to sell goods and services anywhere in the world. And this is a wonderful opportunity unless of course the goods and services you sell are illegal in certain countries, as David Caruthers found out to his cost.
- Emerging technology risks: There are a number of emerging technologies that are likely to have risks associated with them, risks that are currently poorly understood. For example, the use of autonomous machines may involve the user being put at risk and the owner of the machine being held responsible. The difficulty here is that the law I still very unclear. In the case of autonomous machines involved in an accident, it is the user, the owner, the manufacturer or the software designer who will be held responsible?
None of this is easy. But why should it be. Business is all about the acceptance of an appropriate level of risk. If top management engage with technology so that they are able to quantify risks, express their risk appetite and instigate appropriate risk management digital technology is likely to be highly beneficial. It is the failure to treat the risks seriously, or to ignore them altogether that will bring problems. Digital risk is far more than cyber risk and organisations need to accept and understand that.