3 Things Every Organization Should Do to Protect Against Cybercriminals

Cybersecurity should be a top priority for organizations today, especially as employees continue to work remotely without business-grade protections. In the age of COVID-19, businesses are more vulnerable than ever. Whether it is phishing scams or malware, hackers are constantly finding new ways to attack businesses. In fact, in March 2020 alone, scams increased by 400%, and have continued to increase since then.

It is vital that employers protect their organizations and employees from cyberattacks, especially now. As new scams develop, businesses must create new ways to stave off hackers. Many steps can be taken to implement—and enforce—security measures as part of daily procedures for employees. By focusing on just three strategies, organizations can help better protect themselves from phishing scams and other cyberattacks.

1. Create a Comprehensive Plan

As organizations transitioned to remote work, employers had to make foundational shifts to adapt. The same is true for security threats. Cybersecurity measures need to become part of everyday routines and tasks. This means creating a plan to protect all assets and boost security in business processes.

Each organization’s security strategy also needs to align with its specific business risks. Performing risk assessments will allow employers to determine where they need to invest in cybersecurity. It is important to identify key digital assets within networks and personal devices so that employers can determine how to best protect them.

Once an organization’s risks are assessed, it can create a plan to suit those needs. For example, a cybersecurity strategy may include secure remote access or virtual private networks (VPNs), especially for remote workers, so that traffic from untrusted networks such as public Wi-Fi is encrypted and cannot be read or tampered with in transit. Other measures include implementing multi-factor authentication, granting employees only the access permissions their roles require, and maintaining regular backups that are periodically tested by restoring them.

2. Prioritize Investments in Cybersecurity

Protecting an organization requires the proper tools. A trustworthy security framework is a vital aspect of managing risks. For many remote or hybrid workplaces, areas like cloud and software-as-a-service (SaaS) security are top of mind. To manage and protect these environments, organizations should consider software-defined networking (SDN) combined with secure access service edge (SASE) or security service edge (SSE) capabilities, which apply access control and traffic inspection wherever the user is rather than only at the office perimeter.

Firewalls are also an important aspect of security, as they place a barrier between trusted internal networks and the outside world. With remote work, however, many employees and devices now sit outside that perimeter, which is why maintaining end-to-end security has become even more difficult.

Investing in threat-monitoring and endpoint protection tools can also help. While there is no silver bullet to combat the myriad threats, layering cybersecurity controls creates “defense in depth,” so that a single failed control does not give an attacker free rein, and better positions the organization to face whatever specific cyber risks may be exploited next.

3. Take the Time to Train Employees

Strategy and security are futile without proper training. Organizations must commit to continuously training employees so that they are not only aware of what cyberattacks to watch for, but what to do if they notice something. This means ensuring that employees are comfortable reporting scams. By starting training during onboarding and conducting it regularly as scams evolve or emerge, workers can shift from liabilities to assets.

Cybersecurity training ranges from phishing testing to password and device management. Employers must teach workers to update their systems, be cautious with external devices like flash drives, and practice physical device security.

Reaction is just as important as prevention. Organizations should have a plan for employees if they fall victim to a scam or notice something unusual so IT or information security professionals can solve the issue as quickly as possible and mitigate the damage.

Ignoring cybersecurity is a huge risk, as cyberattacks can have serious consequences for businesses and their customers, suppliers and partners alike. It is critical to develop a strong cybersecurity strategy and invest in resources and training. Security is continuing to increase in importance as remote work remains and threats rise. By understanding the issues, challenges and potential threats of a cyberattack, organizations can determine what steps and precautions can be taken to decrease the likelihood of a cyberattack in the future.

RIMS TechRisk/RiskTech: Emerging Risk AI Bias

On the second day of the RIMS virtual event TechRisk/RiskTech, CornerstoneAI founder and president Chantal Sathi and advisor Eric Barberio discussed the potential uses for artificial intelligence-based technologies and how risk managers can avoid the potential inherent biases in AI.

Explaining the current state of AI and machine learning, Sathi noted that this is “emerging technology and is here to stay,” making it even more imperative to understand and account for the associated risks. The algorithms that make up these technologies feed off data sets, Sathi explained, and these data sets can contain inherent bias in how they are collected and used. While it is a misconception that all algorithms have or can produce bias, the fundamental challenge is determining whether the AI and machine learning systems that a risk manager’s company uses do contain bias.

The risks of not rooting out bias in your company’s technology include:

  • Loss of trust: If or when it is revealed that the company’s products and services are based on biased technology or data, customers and others will lose faith in the company.
  • Regulatory penalties: Countries around the world have implemented or are in the process of implementing regulations governing AI, attempting to ensure human control of such technologies. These regulations, and related data protection laws such as GDPR in the European Union, can carry substantial fines for violations.
  • Social harm: The widespread use of AI and machine learning includes applications in legal sentencing, medical decisions, job applications and other business functions that have major impact on people’s lives and society at large.

Sathi and Barberio outlined five steps to assess these technologies for fairness and address bias:

  1. Clearly and specifically defining the scope of what the product is supposed to do.
  2. Interpreting and pre-processing the data, which involves gathering and cleaning the data to determine if it adequately represents the full scope of ethnic backgrounds and other demographics.
  3. Most importantly, the company should employ a bias detection framework. This can include a data audit tool to determine whether any output demonstrates unjustified differential bias.
  4. Validating the results the product produces using open source fairness toolkits, such as IBM AI Fairness 360 or Microsoft Fairlearn.
  5. Producing a final assessment report.
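Steps 3 and 4 above are where a concrete check helps. The following is an added example and is not code from the session or from the AI Fairness 360 or Fairlearn projects: it computes, in plain Python, two group-fairness metrics that those toolkits also report. The selection rate per group and the disparate impact ratio (each group’s rate divided by the privileged group’s rate) capture differential outcomes; the true positive rate per group, computed against ground-truth labels, helps tell an unjustified disparity from one explained by the underlying data. The decisions, group labels, choice of privileged group and the 0.8 flagging threshold (the “four-fifths rule” used in US employment testing guidance) are all assumptions for illustration.

```python
from collections import defaultdict

# Constructed sample of model decisions: (group, true_label, predicted_label),
# 1 = favorable outcome. Values are assumptions, not real data. Both groups
# have the same share of truly favorable cases (6 of 10), so any gap in
# predicted favorable outcomes is not explained by the labels themselves.
DECISIONS = [
    ("A", 1, 1), ("A", 1, 1), ("A", 1, 1), ("A", 1, 1), ("A", 1, 1),
    ("A", 1, 0), ("A", 0, 1), ("A", 0, 1), ("A", 0, 0), ("A", 0, 0),
    ("B", 1, 1), ("B", 1, 0), ("B", 1, 0), ("B", 1, 1), ("B", 1, 0),
    ("B", 1, 1), ("B", 0, 0), ("B", 0, 0), ("B", 0, 0), ("B", 0, 0),
]


def selection_rates(decisions):
    """Fraction of predicted-favorable outcomes per group (demographic parity)."""
    total = defaultdict(int)
    favorable = defaultdict(int)
    for group, _, y_pred in decisions:
        total[group] += 1
        favorable[group] += y_pred
    return {g: favorable[g] / total[g] for g in total}


def true_positive_rates(decisions):
    """Share of truly favorable cases the model also rated favorable, per group
    (equal opportunity). A gap here is an error-rate disparity, not just a
    difference in base rates."""
    positives = defaultdict(int)
    hits = defaultdict(int)
    for group, y_true, y_pred in decisions:
        if y_true == 1:
            positives[group] += 1
            hits[group] += y_pred
    return {g: hits[g] / positives[g] for g in positives}


def disparate_impact(rates, privileged):
    """Each group's selection rate relative to the privileged group's rate."""
    base = rates[privileged]
    return {g: (r / base if base else float("nan")) for g, r in rates.items()}


def audit(decisions, privileged, threshold=0.8):
    """Summarize the metrics and flag groups whose disparate impact ratio
    falls below the threshold."""
    rates = selection_rates(decisions)
    ratios = disparate_impact(rates, privileged)
    tpr = true_positive_rates(decisions)
    return {
        "selection_rate": rates,
        "disparate_impact": ratios,
        "parity_difference": max(rates.values()) - min(rates.values()),
        "tpr": tpr,
        "tpr_difference": max(tpr.values()) - min(tpr.values()),
        "flagged": sorted(g for g, ratio in ratios.items() if ratio < threshold),
    }


if __name__ == "__main__":
    report = audit(DECISIONS, privileged="A")
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the constructed data, group A is rated favorably 70% of the time and group B 30%, giving B a disparate impact ratio of about 0.43, well under 0.8, and a true positive rate of 0.5 against A’s 0.83. Because both groups have identical base rates, neither gap can be attributed to the labels, which is the kind of finding a bias detection framework should surface before the product ships.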

Following these steps, risk professionals can help ensure their companies use AI and machine learning without perpetuating the bias present in the data and models behind them.

The session “Emerging Risk AI Bias” and others from RIMS TechRisk/RiskTech will be available on-demand for the next 60 days, and you can access the virtual event here.

RIMS TechRisk/RiskTech: Opportunities and Risks of AI

On the first day of the RIMS virtual event TechRisk/RiskTech, author and UCLA professor Dr. Ramesh Srinivasan gave a keynote titled “The Opportunities and Downside Risks of Using AI,” touching on the key flashpoints of current technological advancement, and what they mean for risk management. He noted that as data storage has become far cheaper, and computation quicker, this has allowed risk assessment technology to improve. But with these improvements come serious risks.

Srinivasan provided an overview of where artificial intelligence and machine learning stand, and how companies use these technologies. AI is “already here,” he said, and numerous companies are using the technology, including corporate giants Uber and Airbnb, whose business models depend on AI. He also stressed that AI is not the threat portrayed in movies, and that these portrayals have led to a kind of “generalized AI anxiety,” a fear of robotic takeover or the end of humanity—not a realistic scenario.

However, the algorithms behind these products, which govern many users’ online activities, could end up being something akin to the “pre-cogs” from Minority Report that predict future crimes, because the algorithms are collecting so much personal information. Companies are using these algorithms to make decisions about users, sometimes based on data sets that are skewed to reflect the biases of the people who collected that data in the first place.

Often, technology companies will sell products with little transparency into the algorithms and data sets that the product is built around. In terms of avoiding products that use AI and machine learning that are built with implicit bias guiding those technologies, Srinivasan suggested A/B testing new products, using them on a trial or short-term basis, and using them on a small subset of users or data to see what effect they have.

When deciding which AI/machine learning technology their companies should use, Srinivasan recommended that risk professionals should specifically consider mapping out what technology their company is using and weigh the benefits against the potential risks, and also examining those risks thoroughly and what short- and long-term threats they pose to the organization.

Specific risks of AI (as companies currently use it) that risk professionals should consider include:

  • Economic risk in the form of the gig economy, which, while making business more efficient, also leaves workers with unsustainable income
  • Increased automation in the form of the internet of things, driverless vehicles, wearable tech, and other ways of replacing workers with machines risks making labor obsolete.
  • Users do not get benefits from people and companies using and profiting off of their data.
  • New technologies also have immense environmental impact, including the amount of power that cryptocurrencies require and the health risks of electronic waste.
  • Issues like cyberwarfare, intellectual property theft and disinformation are all exacerbated as these technologies advance.
  • The bias inherent in AI/machine learning has real-world impacts. For example, court sentencing often relies on biased predictive algorithms, as do policing, health care facilities (AI giving cancer treatment recommendations, for example) and business functions like hiring.

Despite these potential pitfalls, Srinivasan was optimistic, noting that risk professionals “can guide this digital world as much as it guides you,” and that “AI can serve us all.”

RIMS TechRisk/RiskTech continues today, with sessions including:

  • Emerging Risk: AI Bias
  • Connected & Protected
  • Tips for Navigating the Cyber Market
  • Taking on Rising Temps: Tools and Techniques to Manage Extreme Weather Risks for Workers
  • Using Telematics to Give a Total Risk Picture

You can register and access the virtual event here, and sessions will be available on-demand for the next 60 days.

Building Effective IT Disaster Recovery Plans

No matter how well-managed IT infrastructure is, there is always the risk that a tiny hiccup could ultimately turn into a real emergency. Given the increasing reliance on technology tools and access to business-critical data to continue operations, every business should have an effective IT disaster recovery plan in place to minimize disruption when disaster strikes. Risk professionals must consider and plan for this situation with regular testing and run-throughs to ensure that all team members understand the recovery plan and know their responsibilities.

As natural disaster season begins, risk professionals should assess the risks and mitigation strategies in place to minimize disruption and losses. The following tips can help ensure that IT disaster recovery plans are as effective as possible:

Plan in the Risk Management Context

Instead of thinking too much about what a disaster would mean for your company, frame your recovery plan in the context of risks. Start by examining which risks your company faces, and what steps you can take to minimize each one. This will ensure that all teams are fully aware of what the risks are, and how they can make a difference in eliminating potential problems.

Prioritize Communication

Nothing exacerbates a disaster like a communications breakdown, so all good recovery plans should focus on communication. The onset of an IT disaster could impact communication systems, so plan an alternative way of communicating with teams in the event of an emergency. Ensure that all team members know the backup communication method, and that everyone understands who they need to contact to inform them of the situation. 

Protect Data Continuity and Backups

Data continuity planning is critical to minimize losses during a crisis. At its essence, data continuity ensures companies have alternative processes and infrastructure in place to allow key IT operations to remain intact, taking into account both hardware and software. A first step is often to invest in failover systems across multiple locations as well as backup generators and power supplies, and ensuring you keep them all in working order.

Data continuity also involves backing up all important data and storing it in a location away from potential disruption. Methods range from server replication to continuous data protection (continually backing up changes to a separate server). For data backups, businesses often choose disk-to-tape or disk-to-cloud models. Either way, the most crucial element of backing up data is knowing what to replicate and what to leave. Archiving everything available can mean greater expense, but being selective can increase the risk of losing information. The rule of thumb is that, as a minimum, any backed-up data should be capable of restarting business operations from scratch, and the only way to know that is to actually restore it and check the result.
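The regular testing mentioned earlier applies to backups as much as to people: a backup that has never been restored is an assumption, not a control. The following is an added example, not code from the article or any backup product: it records a SHA-256 manifest of a source tree at backup time, then compares a restored copy against that manifest and reports files that are missing, corrupt or unexpected. The directory layout, file contents and the damage introduced into the restored copy are constructed for the drill; in practice the manifest would be stored alongside the backup and the verification run against a real restore target.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 16):
    """Stream a file through SHA-256 so large backups don't have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root):
    """Map every file under root (as a relative POSIX path) to its SHA-256.
    Taken at backup time, this is the reference the restore is checked against."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(manifest, restored_root):
    """Compare a restored tree against the manifest and return sorted
    (problem, path) tuples; an empty list means the restore is faithful."""
    restored = build_manifest(restored_root)
    problems = []
    for rel, expected in manifest.items():
        if rel not in restored:
            problems.append(("missing", rel))
        elif restored[rel] != expected:
            problems.append(("corrupt", rel))
    for rel in restored:
        if rel not in manifest:
            problems.append(("unexpected", rel))
    return sorted(problems)


def restore_drill():
    """Constructed drill: back up a small tree, restore it, then damage the
    restored copy and verify again. Returns the findings for both checks."""
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp) / "source"  # assumed layout for the drill
        (source / "db").mkdir(parents=True)
        (source / "db" / "orders.sql").write_text("INSERT INTO orders VALUES (1, 'ok');\n")
        (source / "config.yaml").write_text("service: billing\n")
        (source / "README").write_text("restore me\n")
        manifest = build_manifest(source)

        restored = Path(tmp) / "restored"
        shutil.copytree(source, restored)  # stands in for a real restore job
        clean_findings = verify_restore(manifest, restored)

        # Simulate the failures a drill is meant to catch: silent corruption,
        # a file that never came back, and a stray file that was not backed up.
        (restored / "db" / "orders.sql").write_text("INSERT INTO orders VALUES (1, 'bad');\n")
        (restored / "README").unlink()
        (restored / "stray.tmp").write_text("not in the backup\n")
        damaged_findings = verify_restore(manifest, restored)

        return clean_findings, damaged_findings


if __name__ == "__main__":
    clean, damaged = restore_drill()
    print("clean restore:", clean or "no problems")
    print("damaged restore:", damaged)
```

The manifest is deliberately small and independent of the backup medium, so the same verification works whether the data came back from tape, a replica or cloud object storage. Keeping a copy of the manifest somewhere the backup job cannot overwrite also means that corruption or tampering in the backup itself shows up at restore time rather than being discovered during a real incident.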

Define Acceptable Downtime 

The amount of downtime that a company can feasibly take varies considerably depending on the company’s size and the products or services it provides. Think about how a disaster could affect your company, then decide on the steps that you’d need to take in different potential scenarios. Two figures make this concrete: how long each system can be unavailable (the recovery time objective) and how much recent data can be lost (the recovery point objective), since the second determines how often backups must run. In most cases, a few minutes of downtime rarely constitutes a total disaster, so focusing on recovery plans that can get systems back up and running as quickly as possible will help keep losses as low as possible. Cloud-based technology can be very helpful in such disaster scenarios since data is off-site and services can stay operational even if your physical location is impacted, provided the cloud region itself is not part of the same outage.