Nearly every modern-day business relies upon technology. Through the prolific use of computers, smart phones, tablets, or the Internet, businesses have built themselves on the back of technology. However, with such reliance comes the potential for some major technological risks.
Organizations face technological risks when its hardware, software, and/or online applications are compromised by cyber-attack or equipment failure.
In the current business environment, data breaches occur in organizations of all sizes. Personal records and financial information can be stolen and sold on the black market by criminals in a matter of days or even hours.
Every organization with a website or employees with smart phones has global exposure to cyber-attacks, which are difficult to understand and to predict.
However, technological risk can be mitigated. The following 7 steps found in the FITTskills Feasibility of International Trade training course show how your business can lessen the threat from technological risks.
1. Identify key risks, measure probability, and impact
Once the information is collected, organizations identify the key areas of concern and measure the probability of occurrence and impact on their business activities. This assists the organization in the development of a mitigation plan, should the venture move forward. Many organizations will hire IT specialists to assist with the process.
2. Analyze security threats
Organizations must identify any security vulnerabilities, which may occur as a result of the new international venture.
This can include external threats such as cyber-crime and cyber-terrorism, as well as internal threats, such as the distribution of restricted information. Organizations should review the security requirements related to the following areas:
- System access and controls
- Transaction authorization
- Data integrity
- Audit trail
- Security event tracking
- Exception handling
- System activity logging
In addition, organizations may want to perform system tests to determine any vulnerabilities related to security controls and system performance under recovery conditions.
3. Analyze risk of hardware and software failure
Organizations should consider what the risk of hardware and/or software failure entails for the venture and for overall operations. How stable is the equipment and software the organization uses or plans to use? What are the potential consequences of failure?
4. Analyze outsourcing risks
It is very common for organizations to hire third-party company to handle systems development and maintenance, network administration, disaster recovery services, application hosting, and cloud computing. It is crucial that organizations choose vendors carefully, in order to ensure their viability, capability, reliability, track record, and financial position.
5. Identify controlled technology
Some organizations buying and selling technology will need to research what constitutes controlled technology in their jurisdiction. For instance, in the U.S. there is a Commerce Control List (CCL) listing goods and technologies requiring permits in order to be exported from the U.S.. If an organization is trading in these items, it must analyze the required permits that must be obtained.
For export control purposes, ‘controlled technology’ means specific information that someone would need to develop, produce, or use goods whose export is legally controlled.
This information could be plans, manuals, models, and so on. It could be written, printed, recorded, saved electronically, spoken or passed on it some other way.
For example, most goods designed specifically for military use are controlled exports. Therefore, information for them, such as production drawings, is a controlled technology.
Organizations should access services and publications in the relevant jurisdictions to obtain more specific information about controlled technology and possible exclusions.
6. Measuring impact
Once the foreign physical asset risks have been analyzed, their potential impact must be measured.
Consider a hypothetical example of an Canadian confectionery company, CanCocoa. CanCocoa has decided to expand its e-commerce operations and is going to launch its business in the United States. The plan involves attending trade shows and events in the United States to launch the online store. CanCocoa is not currently planning on opening retail outlets yet but it is considering this for the future. CanCocoa is debating how to process the incoming U.S. order and customer inquiries. It is exploring whether to handle the orders in-house or outsource this work to a third-party company.
CanCocoa has hired a third-party IT consulting company to analyze the potential risks in this new venture. CanCocoa has identified a potential outsourcing company and has provided that information to the consultants.
7. Rank potential risks and specify desired outcomes
The consulting company takes the information CanCocoa has provided and ranks the potential risks. They provide CanCocoa with a threat profile summary, outlining the types of risk they could encounter as well as the likelihood of the risk occurring.
The threat profile provided to CanCocoa indicates the organization will want to look into mitigation strategies to address the priority issues, including cyber-crime, outsourcing, internal fraud, and hardware/software failure. The company may want to investigate another outsourcing provider that has more security measures in place to reduce its exposure to outsourcing risk. It may also want to look at a capital investment in more stable hardware/software before launching the venture. This analysis addresses the critical areas the company needs to fix before launching its newest venture.
Once the data is collected and analyzed, the organization reaches a decision point. This decision cannot be made by considering technology risk alone. Once all the risk factors have been analyzed, an organization must choose from the risk management options. These are:
- Risk avoidance
- Risk transfer
- Risk reduction
- Risk retention
An organization must prepare a strategy based off the risk management option they have chosen.
Has your organization been the victim of cyber-attacks? How did you handle the situation? Let us know in the comments down below.