Chapter 2: Managing Risk as an IT Professional
Now that you know where your business is vulnerable, you're probably eager for strategies to reduce your risks. That's good: a comprehensive risk management plan is an IT professional's best friend. This section explains how to implement
three key layers of a solid risk management plan:
- Software Testing
- Client Education
- Strong Contracts
The fourth essential piece of the risk management puzzle, Errors and Omissions Insurance, is a big topic. We decided to give it its own section.
Read on to get an idea of what you can do internally and externally to prevent the kind of incidents that lead to expensive liability suits. If you're curious about what might happen when, despite your best efforts, you're faced with a liability
suit, jump ahead to the section on E&O Insurance, where we go into all the juicy details.
But before we plunge into the specifics of risk management for technology freelancers, independent contractors, and small-business owners, let's review the basic principles of risk management.
Overview: Big IT Risk Management Mistakes to Avoid
Performing IT risk assessment and risk management is a crucial part of maintaining security day to day. Even if you're not conducting formal risk analysis on a daily basis, chances are you're doing the little things that strengthen your overall
risk management strategy: updating passwords, updating software, logging out of machines when you walk away, and keeping your office locked.
But are you leaving yourself and your clients exposed to data breaches, hackers, or viruses through channels you've overlooked? If so, you could be making one of these three common risk management mistakes, which cost too many IT businesses time,
energy, money, and reputation:
1. Forgetting about the risks your clients present. Whether you provide advice as an IT consultant, offer leadership as a project manager, or design and build site infrastructure, your clients expose you to serious cyber risks every day.
Why? Because of something called third-party liability. The cyber risk that tends to be at the top of people's minds is first-party risk: the risk that your own databases could be exposed by hackers. But if you set up a server or operating system for a client,
or advise them to use a certain cloud provider, and a later breach traces back to that setup or that recommendation, you could be held liable for your role in causing it.
2. Underestimating the impact of human error. Sure, you're careful about maintaining your passwords and locking your tablet after you're done, but are your employees? Are your clients? A Verizon data breach study conducted in 2013 found that 74 percent of data breaches are "opportunistic" attacks, meaning that the attacker did not single out the victim in advance but noticed an easy opening
and decided to exploit it. Translation: routine protections that deny attackers that easy opening address roughly three-quarters of data breaches. Keep in mind that the less tech-savvy your clients are, the less likely they are to recognize the importance of protecting
their data and equipment.
3. Overlooking big-picture risk exposures. It's easy to get bogged down by focusing on the individual risks that threaten your company and forgetting to take a step back to look at the bigger picture. But often, you can save yourself
time and money by making a single big change (e.g., purchasing antivirus software for all your employees who use mobile devices for work purposes, rather than addressing individual virus incidents as they arise). Of course, knowing which changes to
make requires you to step back from time to time and analyze the larger context of various security events.
Overview: How Can IT Professionals Manage Risk Better?
The good news is that the same basic rules of risk management apply regardless of where your major risks are:
- Establish and enforce a data security protocol. Update passwords regularly, apply software patches as they are released, run antivirus software, and limit access to sensitive data to the people who actually need it.
- Educate your clients about their role in keeping their data secure and preventing breach incidents. Encourage clients to purchase first-party Cyber Liability Insurance to cover the costs of any data breaches that happen.
- Communicate new risks to clients as you become aware of them. As the IT guru, you're more likely to have a handle on the latest malware and security patches that might affect your clients. Do them the favor of alerting them
when you find out about these, and you'll make yourself more valuable while minimizing your exposure to third-party cyber liability.
Read on for a more detailed look at how you can manage your risks through software testing, client education, and the use of strong contracts.
Next: Risk Management through Software Testing