It was one of the more spectacular local business catastrophes of 2009, but thanks to some foresight with disaster recovery planning this was a sad story with a happy ending.
On October 16, a massive fire engulfed Corporate Consumables’ Mt Wellington warehouse in Auckland. One witness working across the road reported that the fire, which was fought by 80 fire fighters using 18 appliances, appeared to take hold of the building “in a space of seconds” after he first noticed flames.
As well as razing one of the company’s three supply warehouses, the blaze also destroyed its administration area and contact centre.
For a business selling to over 20,000 customers, the loss of call centre functions is clearly a disaster. Corporate Consumables initially tried a workaround approach to getting the business back up and running, diverting calls to another office, but found they were losing business.
So, two days after the fire, they initiated a Disaster Recovery Plan they had in place with their call centre solution provider Zeacom. Zeacom installed a new contact centre in rented premises and had it operational and back to ‘business as usual’ within 24 hours.
While the Corporate Consumables’ example highlights the benefits of planning for the unexpected, recent research suggests too many New Zealand businesses are not adequately preparing for the risks they face.
The 6th Annual Global State of Information Security survey, conducted by PricewaterhouseCoopers, polled more than 7000 IT executives around the world, including 90 in New Zealand.
The survey found that while New Zealand organisations’ approach to addressing security concerns is improving, they continue to lag behind the rest of the world in their approach to certain aspects of security risk management practices.
Only a small proportion of New Zealand organisations conduct a formal risk assessment of security, for example, and around a fifth did not know how many security breaches they had experienced over the past year. By comparison, only 7 percent of organisations in China did not quantify the number of breaches they faced over the past year.
“If you don’t have a formal risk assessment process it’s difficult to understand where you should be focusing your efforts. That was a standout finding of this year’s survey,” says Auckland-based PricewaterhouseCoopers partner Paul Nickels.
Meanwhile, PricewaterhouseCoopers’ separate 2009 Global Economic Crime Survey paints a similar picture of a lack of a formal approach being taken by local organisations when it comes to fraud risk assessment.
Of the 85 New Zealand organisations taking part in the economic crime survey, 42 percent said that they had suffered fraud in the last 12 months. Surprisingly, New Zealand had the eighth highest rate of fraud out of the 54 countries that took part in the survey.
73 percent of frauds in New Zealand were committed by someone within the organisation and for public sector organisations this figure was 89 percent. The average cost of fraud was $491,000 with one organisation saying fraud cost them over $7 million in the last 12 months.
Since PricewaterhouseCoopers’ earlier 2007 economic crime survey, there had been a significant shift towards fraud being committed by middle and senior management.
The latest survey found a third of fraud was discovered by accident, not through formal procedures.
Business planning
The findings from the two surveys suggest a large proportion of NZ businesses are not doing risk reviews on their broader business, says Nickels.
“It’s a good basis for allowing you to prioritise where you should be focusing effort. It’s like having a business plan. If you don’t have a business plan how do you know where you’re going to go, where do you want to go and how are you going to get there,” he says.
“In some sense – the two link together – if you’ve got a business plan you want to be doing a level of work to understand what are the key risks that might prevent realising the plan. If you’ve got those nutted down you can begin to manage them.”
Nickels says risk assessment should not be an onerous activity for an organisation to commit to. It need not be resource intensive or demanding when compared to the amount of time businesses typically spend developing business and operational plans.
“Risk management should be part of all planning processes, a separate process performed on its own,” says Nickels.
“If you get the right people in the room together you can quite quickly nut this through over a couple of days or even less than that.”
Whilst the economic crime survey showed 29 percent of New Zealand organisations have not performed a fraud risk assessment in the last 12 months, Nickels says undertaking a fraud risk assessment is one of the most valuable activities an organisation can carry out.
“Compared to our 2007 survey, we have seen a significant drop in the amount of fraud detected by internal audit.
Respondents said that this is because cut backs meant fewer resources were deployed on internal controls and internal audit were being asked to do more with less.”
CIO juggling act
When it comes to risk management specific to the IT side of a business’s operations, there are some specific issues to be aware of, Nickels says.
“It’s been tough being a CIO over the past year or two – they’ve had a lot of focus on them from the perspectives of performance and also cost containment.”
On top of that, there is growing pressure for IT to “reconnect with the business” – to prove it's talking the same language as the rest of the organisation when it comes to shared goals and focal points.
“The challenge for CIOs is to be able to drive change to the extent that they can be responsive to the disruptive technologies that are coming through, such as cloud computing, software as a service, mobility and anytime access. If they can’t get the basics right like getting security set up properly, the chances are their focus is not going to be on grasping the disruptive technology opportunities that are in front of them.”
There is a need to be more innovative and this will include moving away from the historical mindset towards doing risk assessment in a formal planned way, taking more opportunities by embracing some of the uncertainties that result from deploying disruptive technologies, and carrying out pilots involving those new technologies, although in “a safe way”.
“One of the challenges for the CIO going forward is to be able to articulate risk such that they can be more embracive of experimentation of new forms of technologies. This will enable them to proceed on a very informed basis. No one wants to be in a position where something goes wrong and all fingers are pointing back towards the CIO,” says Nickels.
“That’s quite a challenge for an individual and an organisation – but there’s a risk in not doing it.”
The risk of doing nothing is that innovative competitors will either take business off the more conservative organisation, or operate in a lower cost paradigm.
First steps
So what’s stopping some companies from embracing risk assessment as a core part of their business?
Over recent years New Zealand organisations have continued to improve their governance, risk management, and internal control practices, says Nickels, to the point where many now have an annual programme for doing so.
But for those yet to come to grips with the risk management discipline, taking the necessary steps in that direction requires developing a new level of corporate consciousness and having someone in the organisation committed to driving the process forward.
“Attitudes are changing, it’s just a question of whether they’re changing fast enough given the threats that are coming,” says Nickels.
Avoiding data loss and digital footprints
Mobiu USB data key targets mobile staff who need access to sensitive files while out of the office...
One key aspect of IT risk within an organisation is the accidental loss or theft of sensitive company data, a growing problem as staff spend more time working out of the office.
It’s all too easy to lose a thumb drive full of confidential information or unintentionally leave copies of work files on an internet cafe PC when checking emails on the road.
A USB-enabled product soon to launch into the New Zealand market, the Mobiu Smart Key, aims to solve these problems by keeping thumb drive data password protected and eliminating the “digital footprint” usually left behind after using a public computer.
Data stored on the key’s 1 gigabyte memory can only be accessed using a password and is backed up online.
Documents stored on the key can be edited and emailed by plugging it into a USB connection on any computer, without transferring any data onto the PC or laptop being used.
With a SIM card integrated into the USB stick, Mobiu uses two-factor authentication to facilitate its secure remote desktop access, safe file transfer, sharing and storage functions.
IT distributor Excelerate Business Solutions has procured the Australasian rights to resell Mobiu solutions in the local market and plans to begin offering the product to New Zealand customers in early 2010.
For more information visit www.mobiu.com
By Simon Hendery
New ISO standard signals risk management is maturing
ISO 31000 aims to help organizations develop, implement and continuously improve their risk management framework...
In November international standards body the ISO released a new global standard, ISO 31000:2009, Risk management – Principles and guidelines, which it says will help organizations of all types and sizes to manage risk effectively.
ISO 31000 aims to provide principles, a framework, and a process for managing any form of risk in a transparent, systematic and credible manner within any scope or context.
At the same time, the ISO also published ISO Guide 73:2009, Risk management vocabulary, which complements ISO 31000 by providing a collection of terms and definitions relating to the management of risk.
“All organisations, no matter how big or small, face internal and external factors that create uncertainty on whether they will be able to achieve their objectives. The effect of this uncertainty is ‘risk’ and it is inherent in all activities,” says Kevin Knight, chair of the ISO working group that developed the standard.
“In fact, it can be argued that the global financial crisis resulted from the failure of boards and executive management to effectively manage risk. ISO 31000 is expected to help industry and commerce, public and private, to confidently emerge from the crisis.”
The new standard recommends that organizations develop, implement and continuously improve a risk management framework as an integral component of their management system.
“ISO 31000 is a practical document that seeks to assist organizations in developing their own approach to the management of risk. But this is not a standard that organizations can seek certification to,” Knight says.
“By implementing ISO 31000, organizations can compare their risk management practices with an internationally recognized benchmark, providing sound principles for effective management. ISO Guide 73 will further ensure that all organizations are on the same page when talking about risk.”
PricewaterhouseCoopers partner Paul Nickels says the arrival of ISO 31000 is a sign that the discipline of business risk management is maturing.
Nickels’ advice, however, is that organisations should try to avoid getting caught up on the question of which standard they should follow.
“The first thing to do is to just get on and develop your own ‘commonsense standard’ then as that is implemented and bedded down within the organisation, look to improve on it through the use of ISO, or another similar standard,” he says.
“What we see too often is organisations pick a risk standard like ISO and going from being able to crawl one day to trying to run a standards marathon the next.
It’s important to take small steps. If you’ve done some level of commonsense risk assessment then you can work out those areas of exposure which then you might do a deeper dive using one of the risk frameworks like ISO to aid you in that understanding.”
PDF and hardcopy versions of the New Zealand version of the new ISO standard, AS/NZS ISO 31000:2009, can be purchased from the Standards New Zealand website: www.standards.co.nz
IT security risk - By the numbers
Statistics compiled by security vendor Symantec paint a worrying picture of the IT threats faced by businesses:
• Spam volumes grew 192% between 2007 and 2008
• In 2008, Symantec documented 5,471 vulnerabilities, 80% of which were easily exploitable
• 90% of incidents would not have happened if systems had been patched
• In 2008 Symantec found 75,000 active bot-infected computers per day, up 31% from 2007
• 90% of IT security breaches in 2008 involved organised crime targeting corporate information
• 67% of breaches were due to insider negligence
• 285 million records were stolen in 2008, compared to 230 million between 2004 and 2007
• IP theft costs companies $600 billion globally
Economic Crime
[Chart: the percentage of respondents who reported they had experienced actual occurrences of economic crime within the last 12 months. Source: PricewaterhouseCoopers 2009 Global Economic Crime Survey]
NetSafe launches Cybersafety Resource for Businesses
Whatsit business security resource website simplifies IT security policy implementation, especially for smaller businesses...
Online safety organisation, NetSafe recently launched an online cyber-safety technology service which should prove a valuable tool for small to medium-sized New Zealand businesses wanting to address aspects of ICT security risk.
NetSafe’s “The Whatsit” is a free online resource designed to create effective and appropriate ICT policy and procedures to ensure intellectual property and information is protected, provide targeted and effective education about cybersafety, and save business money by better utilising ICT spend.
NetSafe executive director Martin Cocker says the idea for The Whatsit came from New Zealand SMEs.
“We undertook some research into cybersafety and security practices of NZ SMEs, back in 2005. The findings showed that the majority of SMEs had incomplete or inadequate cybersafety, security processes and policies,” Cocker says.
“Later, workshops showed that SME business owners wanted to improve cybersafety and security in their workplace, but lacked the resources and technical skills to do so.”
He says The Whatsit (www.thewhatsit.org.nz) addresses all of these issues.
“Owners of small to medium businesses are often busy with the business of business.
They simply don’t have the time or the money to create policy about use of technology in the workplace, and it is not until something goes wrong that businesses look to put something formal in place. Often by then, it’s too little, too late,” he says.
“In business, information can be worth a lot of money – or conversely, not being able to access stored information, communicate with customers, or losing valuable intellectual property because of a computer virus, hacker or malware can be very costly and damaging.”
Business and personal use of ICT devices has become more prevalent in recent years, and with it the threat to business, says Cocker.
“Businesses rely on ICT technology to communicate, maintain accounting and customer records, and store other commercially sensitive information. Many owners are simply unaware of the risk posed by having unrestricted access to company computers and technology.”
NetSafe worked with industry experts and lawyers to create the policy used by The Whatsit.
“By investing just half an hour’s time with The Whatsit and answering a few simple questions, a business owner can access independent advice about ICT potentially saving thousands of dollars as well as create a customised ICT policy for free,” says Cocker.
“From there they can begin to communicate the newly formed policy to their team, raise awareness of the importance of safeguarding company ICT and minimise risk to the business.”
Small business specialist and Bizzone managing director Sarah Trotman says that Whatsit meets an important need for many businesses that don’t have the resources to implement an IT policy but who still depend entirely on security of their IP and information.
“This type of policy provided by Whatsit would cost many hundreds if not thousands of dollars to create from scratch.
The Whatsit is a must-have and valuable resource for most New Zealand companies and in these tough times is a timely helping hand for business owners and their employees.”