Common misconceptions surrounding GRC implementation

November 14, 2016

A common misconception regarding IT GRC is that IT threats are only problems for governments and Fortune 500 companies; however, all businesses, regardless of size, need to ensure that adequate IT risk management strategies are in place. The rise of cloud networking, remote working, and digital collaboration has made companies more vulnerable than ever.

The risks from these changes are highlighted by Mike Gillespie, director of cyber research and security at The Security Institute.

“We have an increasingly diverse and mobile workforce and, for several years, have been adopting flexible IT systems to accommodate the new and convoluted needs that have been the result of all this change. Whether it is mobile devices, online or cloud services or remote access to back-end services, they all pose increasing challenges when it comes to access control.”

The recent Yahoo data leak is but the latest example in a long list of IT GRC failures. If even major tech firms like Yahoo can fall victim to IT threats, companies in other sectors, especially tech-reliant start-ups, should pay serious attention to IT GRC.

IT GRC is tricky, since start-ups and tech firms often cannot look to places like Wall Street for guidance or best practices. For instance, in a survey conducted by FIS, a financial services technology consultancy, 77% of participating banks viewed cyber security as their biggest risk. Yet only 18% had adopted the updating and reporting mechanisms prescribed by the US government.

Multiplication of vulnerable access points

The risks associated with incomplete IT GRC need to be taken seriously. While IT risks can severely impact brick-and-mortar firms, many start-ups and more established companies operate purely in digital space. Running a company entirely via the digital medium has its advantages, yet it also makes any breakdown or interruption in operations crippling.

This is especially true given the reliance of many companies on third-party sharing, networking, and cloud solutions. Many of the most commonly used solutions, such as Google Drive or WhatsApp, are not explicitly designed for business use. This, combined with the rise of remote working, has led to a fragmentation of access points in company IT systems. While storage and management have been centralized in the cloud, employees now work from their homes, cafes, on public transit, and in pay-by-the-hour urban office facilities. Consequently, the number of un-secured or under-secured access points has increased sharply. Home computer networks are also increasingly becoming part of the informal IT infrastructure of many companies, as remote and teleworking trends have continued to grow.

Cross-contamination between personal and work computers (often the same device serves both roles) risks the entry of various forms of malware or unwanted access, and also creates a sieve through which company data can leak onto, and be forgotten on, external devices.

Another issue is the use of open or public networks. While most are aware of the risks presented by these networks, many employees also spend ample time in cafes, conference centres, hotels, airports, and other venues doing work. As the line between working and private hours continues to blur, ‘private’ devices will continue to interact with company IT infrastructure at these digital no-man’s lands.

How to approach IT GRC

One may consider that the solution to these problems is to manage the technology used by employees in order to minimize risks. While instituting employee best practices and other technology-centric measures is useful, this approach has two problems. Firstly, these types of countermeasures are usually implemented after the fact, with little to no proactive protection, and are often conceived as afterthoughts. Secondly, these measures end up inhabiting a semi-formal set of norms that are not integrated into wider company GRC practices.

Instead of viewing IT GRC as a technology-only issue, one that is relegated to hardening access points, companies need to take a more holistic approach. Specifically, businesses need to take a business-risk-management-centric approach, one that incorporates IT GRC into an integrated, responsive, company-wide GRC system. This puts IT GRC alongside other GRC risk factors, allowing decision makers to implement solutions that can tackle any vulnerabilities stemming from the interaction of IT and other GRC risk vectors.

In other words, by incorporating IT GRC into a company’s overall GRC framework, employee interactions are moulded from the bottom up, with checks at all levels and types of access points. Band-aid solutions on existing IT frameworks that do not incorporate GRC considerations are not the solution.

Another advantage of organizing IT GRC in this manner is that it makes securing resources for IT frameworks and security budgeting easier. Management then views IT GRC as a fundamental consideration that affects operations. This engages management and facilitates synergy between management and IT departments. This business-risk-management-centric approach is better than the common technology-centric approach, in which management delegates all IT issues (and therefore all potential IT GRC issues) to tech departments. These departments operate firmly at the level of technology-centric, patchwork solutions, thus only further exacerbating any system-wide IT GRC vulnerabilities.
