For many people, the first things that come to mind when thinking about IT risk are cyber security, disaster recovery and GDPR. However, there are many more areas to consider to effectively predict and mitigate issues relating to technology and data security. David Edge, solutions manager at Central Networks and Technologies, shares his thoughts on how to effectively manage IT risk in the housing sector.
ISO27001 is the best-known international standard for information security management. Many people wrongly believe it is a rather bureaucratic IT security standard; in fact, it is a risk-based approach to managing your information assets, most of which happen to be technology-based.
Housing providers hold and share vast amounts of personal data, from birth details to health conditions. Tenants’ data is sometimes shared with other organisations, and housing providers must protect tenants’ privacy in every case. Policies and procedures must be in place for storing and sharing data, but in a sector with limited funds that is often under-resourced, some organisations may feel that adhering to standards such as ISO27001 is too difficult or too expensive. However, many of its principles can be adapted for effective IT risk management.
As the standard is risk-based and requires the development of a risk treatment plan, housing providers can take a broad, commercially-focused view on what they need to do to mitigate IT risk.
ISO27001 encourages organisations to think beyond the typical IT threats of viruses, account hacking, fraudulent payment requests and the loss of personal data. Instead, it focuses on the risk of compromising the confidentiality, integrity and availability of an organisation’s information assets, whatever the cause.
It also prompts the consideration of a range of assets, and this is the key to IT risk management. IT outages, disruptions and data loss may not come from obvious places so organisations need to be sure that they have covered every aspect of their organisation and possible risks. Let’s look at the core information assets to consider.
One of the most significant risks relating to people is IT key person risk. Smaller housing providers with relatively few staff, and perhaps older legacy business applications, often have critical individuals who are the only ones who know how a system works and how it is supported; even larger housing providers can inadvertently fall into this trap. Considering people is also about how they behave, what processes they follow and how you educate them to help reduce IT risk.
No matter how much you spend on cyber security, physical access to buildings, office space and data centres remains a weak point in any IT system. These assets also need protecting from fire, flood, power outages and other disasters.
Most organisations rely on external specialists for part of their IT capability. Some only provide support, some host systems and others process personal data. An organisation must understand who its IT suppliers are, what they do and what contractual protection it has with them.
Housing providers need to consider all types of hardware, from mobiles and laptops to servers and storage. Identify the threats to each class of hardware and whether you are effectively mitigating them. These will vary from theft (a high risk for mobile devices) to catastrophic failure (a high risk for server equipment).
Possibly the most important part of IT risk is data; where it is stored, how it is structured, processed and transmitted. An assessment of the threats and vulnerabilities associated with your data should form a significant part of your IT risk register.
A final category is often overlooked: organisations must also protect their identity, their processes and their software appropriately.
How do I know if I have considered all IT risks?
This is almost impossible to guarantee, but there are ways to help with assessing your IT risks. When you construct your initial risk register, make sure you have brainstormed all of your asset types with your team. Then consider the threats each asset faces and your vulnerability to those threats. Try to find a list of standard threats and vulnerabilities online; organisations such as Advisera publish lists that help you check you have considered everything.
Housing providers and their environments change, and so do their risk profiles. It’s essential to continuously review your risks and refine them in light of changes to your organisation. Reflect on recent incidents that might have highlighted new risks that you may not have previously considered.
Reducing IT risk
The main approaches needed by organisations when looking at mitigating IT risks are prioritisation, risk acceptance and thinking outside the box. You can’t reduce all risks at once, so developing a prioritised roadmap allows you to reduce the biggest ones immediately and helps make risk reduction commercially feasible.
It’s also important to accept that you simply can’t completely mitigate all your risks. There will always be some risk to accept. Many organisations choose to insure their IT: cyber cover, for example, insures you against the cost of recovering from a cyber incident. Note that insurance transfers part of the financial impact; it does not reduce the likelihood of an incident, so it complements rather than replaces other controls. Once you have identified and graded your risks, your team needs to agree on acceptable risk levels; you can then aim to reduce risks to that level, or simply monitor risks that already fall below it.
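The register-building and grading steps above (brainstorm assets, attach threats and vulnerabilities, grade each risk, agree an acceptable level, then prioritise treatment and accept what remains) can be made concrete with a small worked register. The following is an added example written for this page, not code from the article or from ISO27001: the 1 to 5 likelihood and impact scales, the appetite threshold of 8, the relative control costs and every register entry are constructed assumptions chosen to illustrate the method, not figures from any real housing provider.

```python
"""Worked IT risk register: grade, prioritise and decide treatment.

Added illustration of the process described in the article. The 1-5
likelihood/impact scales, the appetite threshold and the sample entries
are assumptions for this example, not figures from the article.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

SCALE = range(1, 6)  # assumed 1 (rare/negligible) .. 5 (almost certain/severe)


@dataclass(frozen=True)
class Control:
    """A planned treatment and the likelihood/impact expected once it is in place."""
    name: str
    likelihood_after: int
    impact_after: int
    cost: int  # relative cost 1 (cheap) .. 5 (expensive); used to order ties


@dataclass
class Risk:
    asset_type: str   # people, premises, suppliers, hardware, data, intangibles
    asset: str
    threat: str
    vulnerability: str
    likelihood: int
    impact: int
    control: Optional[Control] = None

    def __post_init__(self) -> None:
        values = [self.likelihood, self.impact]
        if self.control is not None:
            values += [self.control.likelihood_after, self.control.impact_after]
        for v in values:
            if v not in SCALE:
                raise ValueError(f"{self.asset}: score {v} is outside the 1-5 scale")

    @property
    def inherent(self) -> int:
        """Inherent score: likelihood x impact before any planned control."""
        return self.likelihood * self.impact

    @property
    def residual(self) -> int:
        """Expected score once the planned control is in place (unchanged if none)."""
        if self.control is None:
            return self.inherent
        return self.control.likelihood_after * self.control.impact_after


def decide(risk: Risk, appetite: int) -> str:
    """Classify one risk against the agreed appetite threshold."""
    if risk.inherent < appetite:
        return "monitor"            # already acceptable: review, do not spend on it
    if risk.control is None:
        return "control-needed"     # above appetite and nothing planned yet
    if risk.residual < appetite:
        return "treat"              # planned control brings it below appetite
    return "accept-residual"        # still above appetite after treatment: record a formal acceptance


def build_roadmap(register: List[Risk], appetite: int) -> List[Tuple[str, int, int, str]]:
    """Risks at or above appetite, biggest inherent score first; cheaper control wins ties."""
    to_treat = [r for r in register if r.inherent >= appetite]
    cost = lambda r: r.control.cost if r.control else len(SCALE) + 1
    to_treat.sort(key=lambda r: (-r.inherent, cost(r), r.asset))
    return [(r.asset, r.inherent, r.residual, decide(r, appetite)) for r in to_treat]


# Constructed sample register covering the asset types discussed in the article.
REGISTER = [
    Risk("people", "legacy housing management system", "key administrator leaves",
         "only one person knows how it is configured and supported", 4, 5,
         Control("document the system and cross-train a second administrator", 1, 5, 2)),
    Risk("people", "all staff", "phishing email",
         "no awareness training, single-factor logins", 5, 3,
         Control("awareness training plus multi-factor authentication", 3, 3, 2)),
    Risk("premises", "server room", "flood", "basement location, no water detection", 2, 5,
         Control("move servers to a hosted data centre", 1, 3, 4)),
    Risk("suppliers", "outsourced payroll provider", "mishandling of staff data",
         "contract has no data-processing terms", 3, 4,
         Control("contract review and supplier due diligence", 2, 3, 1)),
    Risk("hardware", "staff laptops", "theft", "disks not encrypted", 4, 4,
         Control("full-disk encryption and remote wipe", 4, 1, 2)),
    Risk("hardware", "file server", "catastrophic failure",
         "single server, restores never tested", 2, 4,
         Control("scheduled restore tests and a second copy off site", 2, 2, 1)),
    Risk("data", "tenant health records", "unauthorised disclosure",
         "shared with partners by unencrypted email", 3, 5,
         Control("secure file-sharing portal for partner organisations", 1, 5, 3)),
    Risk("intangibles", "public website", "defacement", "CMS patched monthly", 2, 2),
]
APPETITE = 8  # assumed: scores of 8 or more must be treated, lower scores are monitored

if __name__ == "__main__":
    for asset, inherent, residual, decision in build_roadmap(REGISTER, APPETITE):
        print(f"{inherent:>2} -> {residual:>2}  {decision:<16} {asset}")
```

Two points the output makes that the prose cannot: the phishing risk stays above appetite even after the planned training and MFA, so it appears in the roadmap as "accept-residual" and needs a documented acceptance (or transfer, such as cyber cover) rather than being quietly left; and two risks with the same inherent score are ordered by the cost of their controls, which is the kind of commercially-focused trade-off the article recommends.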
ISO recommends several options for reducing risk. They include:
- Technology controls such as end-user device protection, encryption, firewalls, patching and identity management.
- Physical controls such as ID card and building passes, CCTV, fire suppression and server room controls.
- Employee education curriculums and delivery tools.
- IT policies that are clearly communicated and audited, together with a range of procedures which ensure that the policies are adhered to.
- Supplier management and due diligence controls which ensure that your partners work to your standards.
- Privacy by design and project risk. Make sure that any of your projects, organisational changes or IT initiatives consider information security and risks.
With such high stakes, housing providers must manage risk effectively. It is important that they continuously review their IT risks and refine them in light of any changes.
Even though some organisations might feel that adhering to ISO27001 is too difficult or expensive, many of its principles can be adapted for effective IT risk management. Housing providers can do this by being agile in their approach, prioritising risks, accepting some risks and developing a risk treatment plan to tackle any potential issues.
David Edge is a solutions manager at Central Network & Technologies.