A comprehensive risk management strategy includes everything from rigorous software testing to how you choose between cloud-service vendors. It informs all your IT decisions and can play a major role in your ability to avoid Errors and Omissions lawsuits (and avoid major financial losses from any E&O suits that arise).
Given the wide-ranging nature of risk management, it's easy to overlook certain areas. Let's look at four common mistakes that can undermine an otherwise solid risk management strategy:
- Failing to understand third-party risks. IT consultants who use third-party software and services are exposed to risks they might not even see. Because you are liable for client data even when third parties store it, you need to make sure third parties are using proper security protocols to protect data once it leaves your network. If you consult for a medical business, any third-party software or service will have to comply with HITECH regulations. It's your responsibility to verify this compliance. If you don't, you could be sued for professional negligence. (Surprised? Read more about how strict HITECH security standards are in the blog post, “HITECH: The Strictest Data Protection Law.”) Bottom line? Don’t assume that third parties are taking the necessary precautions to protect data. Recently, both Yahoo and Microsoft admitted they don't encrypt data when they send it between servers, which potentially exposes millions of users to cyber attacks.
- Not recognizing the interconnectivity of risk. IT connects many (if not all) parts of a business, but some risk management plans assess IT risks as if they were independent and easily contained. In reality, when one IT project fails, many areas of a business can shut down. What does that mean for you? IT businesses are sometimes sued for their clients' lost profits. In other words, if software you install has ongoing problems, a client could sue you and claim that the software's problems hurt productivity and cost them sales. Faulty web pages or apps could lead to lawsuits that allege you "damaged" a client's brand by putting out substandard products.
- Failing to assess new risks. Risks – especially security risks – change all the time. Attacks using digitally signed malware (e.g., malware that passes through security by using stolen Microsoft certificates) have gone up by more than 1,000% over the last few years. Ransomware has grown at a similar breakneck pace: in the last week of October alone, there were over 10,000 cryptolocker ransomware attacks.
- Not accounting for human error. As an IT project manager, you produce the infrastructure that connects the different parts of a business. That role forces you to focus on the many technological ways a project could fail, but it may leave you blind to one of the most common sources of security breaches: human error. Many system failures and data breaches occur when employees simply make mistakes. A client could download secure data from the cloud and leave it on a non-secure desktop at home. To prevent this kind of human error, remember that your job is also about teaching clients to use software, cloud computing, and other IT solutions in the most secure ways. Often, clients need you to show them how to take advantage of the security you build into their systems.
As you build a comprehensive risk management strategy, don't forget to weigh the benefits of IT business insurance, which can cover the costs of Cyber Liability and Errors & Omissions lawsuits.