Top Information Technology Risks 2013

Enterprise risk management (ERM) is a continuing responsibility that requires monitoring the environment for changes in the nature and severity of risks, and responding accordingly. In this column we’ll consider some of the top risks relating to information technology for 2013.

1.    Cyber-threats including malware. The ever-escalating “arms race” of malware continues and is in fact increasing. The global community of hackers is highly coordinated and highly effective. This requires an effective enterprise response including security software, user training, and policies and procedures in order to safeguard our systems, networks, and information.

2.   Social media technology. Use of social media has become increasingly important to efforts in areas including student recruitment and alumni relations. Risks associated with social media are twofold: unfavorable content and a pathway for introducing malicious software, particularly since commercial software providers are now integrating their products with social media sites, making risk mitigation very difficult.

3.   Identity management (IdM) and user authentication. Achieving an effective posture in this area requires several components. Authoritative administrative functions and systems that certify students, employees, and other members of our institutional communities are vital. A fundamental shift in recent years demonstrates another critical component: a central user authentication system, or directory.

4.    Integrity of institutional systems and data, particularly concerning compliance and decision-making. Our institutions have become increasingly dependent upon data that supports decision-making. This is in addition to our requirements for accurate compliance reporting to state and federal agencies. All of this information comes directly from our systems and databases. If these lack integrity for any reason, our compliance is jeopardized and our decision-making compromised.

5.   Mobile technology. Mobile technology is increasingly an area of risk because of the malware being produced specifically for mobile operating systems, including the iPhone and Android. Because mobile devices are user-owned and because most security software hasn’t adequately addressed mobile OSs, this is an area of significant concern.

6.   Distributed computing technology and concomitant distributed information. Nearly all of us now “take the office with us.” But that means we also take information, including passwords. User education, virtualized access to systems and information, data encryption, and other strategies need to be pursued aggressively to mitigate risks in this area.

7.   Espionage and sabotage. The increase in state-sponsored cyber-terrorism is extremely concerning. Most of our institutions depend upon foreign students and provide them with substantial research opportunities, while simultaneously maintaining security and safeguarding intellectual property. This is critical for those of us whose institutions conduct research involving national security. Very likely this will ultimately result in increasing federal oversight and inter-institutional collaboration.

8.   Cloud computing. Cloud computing remains more connotation than definition, and while the concept has great potential, most current implementations are an area of significant concern. Both software as a service (SaaS) and cloud-based data storage such as Google and DropBox should be reviewed on many levels that include security, confidentiality, disposition of intellectual property, e-discovery fulfillment, and others.

9.   Human error. Human error is still considered by many analysts to be among the main causes of system and network outages. While it is essentially impossible to eliminate this as a risk factor, implementing best-practices to minimize likelihood and severity is important; rigorous internal audits and self-assessments policies and procedures can be enormously helpful if done well.

10.  Business continuity and disaster recovery. Disasters of both foreseen and unforeseen types are inevitable. The first level of response involves identification, preparedness, and avoidance or minimization of impact. Beyond this are the critical requirements for incident response, business continuity of mission-critical operations, and full recovery. Develop, implement, and formally test your protocol at regular intervals.

Information technology is a highly dynamic, rapidly evolving sector. So are the risks and threats that surround it, and the functions it provides for our institutions. Effective risk management is essential.  

David W. Dodd is vice president of Information Technology and CIO at the Stevens Institute of Technology. He can be reached at 201/216-5491 or [email protected].

About the Author

David W. Dodd is vice president of Information Technology and CIO at the Stevens Institute of Technology in Hoboken, NJ. He can be reached at 201/216-5491 or [email protected].