Business disruptions abound these days, affecting governments, countries, organizations, communities and individuals. From cyberattacks to natural disasters to outbreaks of illness, these disruptions spotlight critical risks we should all think about. A few I’ll highlight today are business resiliency risk, risks of using third parties, and dynamic workforce risks.
Business Resiliency Risk – as organizations continue to globalize and interconnect, they are exposed to more disruptions. A multi-national company could be affected at multiple sites at once, and if its distributed model also serves as its resiliency strategy, that strategy could quickly become obsolete.
Organizations of all sizes and scopes need resiliency, backup or recovery plans – whatever you want to call them. These plans prepare the organization ahead of time so that it can react before, during and after a disruptive event. You might have different plans or strategies depending on the event. For example, although some elements may be similar, you will create a different strategy for responding to a cyberattack than for a natural disaster. Resiliency plans need to be backed by measured risk analysis of the potential impacts to the organization. An effective risk management practice will balance potential disruption with reality, which can be a mix of art and science. Plans should draw on past experience, testing and good judgement. I highly recommend all organizations – regardless of size – perform their own risk assessment to clearly understand the immediate and imminent risks they face and act appropriately to mitigate those risks.
Third-Party Risk – third parties are often as important to the organization that uses them as their own internal workings. In fact, I would argue that an organization cannot be as resilient as they should be without ensuring the resiliency of their critical third parties. Since resiliency includes both operational and IT resiliency, it’s critical to evaluate when onboarding new vendors, as well as reviewing the capabilities of your existing third parties. A good rule of thumb is your third parties’ resiliency goals should very closely match those of your organization. If they don’t, identify the gaps and act to resolve the differences.
Another important rule of thumb that has really hit home lately is the need to diversify your third parties. Part of diversification should consider the vendors’ locations, whether any of them is a single point of failure for your organization, and more. There are always cost considerations, but effective risk management should consider the cost/benefit equation of each third party separately.
Dynamic Workforce – many organizations have moved towards offering remote work options more extensively. The workforce model itself has evolved from 100% full-time employees onsite to using more gig, contract, third-party and other non-traditional workers in a variety of shifts, roles and locations. This has been done for business reasons and to leverage digital transformation, but it is also an effective resiliency and workforce continuity measure. Before adding remote work options as a resiliency measure, consider developing appropriate work-from-home policies, practices and secure remote access support for workers. Your IT department should weigh in on this strategy, as they’ll need to implement communication and computing strategies to accommodate remote workers, help desks to support them, and backup procedures to ensure IT infrastructure is resilient. Perhaps most importantly, security measures, such as adequate access control and authentication, should be implemented to keep workers, systems and data safe.
These are a few critical risks to consider, but there are likely others affecting your organization. Effective risk management can help you identify, assess and reduce the impact of the additional risks specific to you, so that you are better prepared for the next disruptive event.
Author: Patrick Potter
Category: RSA Fundamentals, Blog Post, Securing the Digital World
Keywords: Cybersecurity, Business Resiliency, RSA, RSA SecurID, RSA Archer, Business Continuity, Workforce Continuity, Cyber Resiliency