Risk Management

The Latest

27 March 2021: Google has announced programs with two US-based insurance companies where clients taking up Google Cloud Platform security capabilities will receive discounts on cyber insurance premiums. 

Why it’s Important

The number of serious cyber incidents is on the increase and insurance premiums in the US have tripled over the last two years. Having a cyber incident response plan in place helps mitigate the risks and reduces the recovery time from a cyber incident, and it also contributes to lowering the premium for cyber insurance. It is akin to fitting window locks to a house, which lowers insurance premiums in certain circumstances.

Google’s security posture, threat assessment services and services to manage security incidents effectively are sufficient to both reduce the frequency of security incidents and lessen their impact. Insurance actuaries see the benefit in such services and have determined there are savings to be made from the lower risk and risk mitigation profiles.

Notwithstanding any special programs brokered between Cloud vendors and insurers, being able to demonstrate both a strong security posture and, importantly, an incident response plan will drive down an organisation's premiums, especially as insurance companies are inserting their own teams into incident response situations. 

Who’s Impacted

  • CIO
  • Development team leads
  • Business analysts

What’s Next?

If not already done, organisations should undertake a cyber risk assessment and implement a cyber incident response plan backed by appropriate cyber insurance. 

Related IBRS Advisory

  1. Improving Your Organisation’s Cyber Resilience
  2. Incident Response Planning: More Than Dealing with Cyber Security Breaches and Outages
  3. How Does Your Organisation Manage Cyber Supply Chain Risk?
  4. Why You Need a Security Operations Centre

The Latest

9 March 2021: Dropbox has acquired DocSend for US$165 million. This is a welcome addition to managing the risks associated with information management in a collaborative environment. 

Why it’s Important

Dropbox’s acquisition is not about organic growth, as DocSend’s client base of 17,000 users is dwarfed by Dropbox’s estimated 600 million. The deal is more about positioning Dropbox against the likes of Adobe Document Cloud, by allowing organisations to track what happens to information once it is shared. Being able to manage and track document access is a critical aspect of modern, enterprise-grade file sharing which is needed for secure collaboration. It is a feature missing in most collaborative platforms - at least out of the box. 

Who’s Impacted

  • CIO
  • Development team leads
  • Business analysts

What’s Next?

Being able to manage access and track who has accessed a document is a good start for closing the governance issues of most collaborative platforms (e.g. Teams, Slack, Zoom, Zoho). However, organisations should look at adopting a zero trust model for information assets, involving identity management linked to access controls and an ‘encrypt everything by default’ mentality.

Related IBRS Advisory

  1. Did Dropbox just break knowledge management?
  2. IBRS survey exposes Teams risk - The Australian - 21 January 2021
  3. Microsoft Teams governance: Emerging better practices
  4. Data loss by the back door, slipping away unnoticed
  5. Workforce transformation Part 2: The evolving role of folders for controlled collaboration

Conclusion: In the current COVID-19-driven environment, video conference calls have become the stuff of life. They are used for school, family, leisure and even work. Numbers of call attendees have jumped from tens of millions to more than 300 million worldwide. As is normal in technology, there are a plethora of options to choose from.

One of those, Zoom, has made the news repeatedly over the period of April-May, initially because of its popularity but then because security flaws were being discovered. With the flaws seemingly serious, commentators were recommending organisations abandon Zoom. Many organisations did so, given the amount of coverage the flaws received.

But the product was and is popular. It is one of the easiest video conferencing products to use. It works well and is simple to deploy. A valid question to ask is whether Zoom is safe to use for business purposes. Taking a realistic view of the flaws combined with efforts Zoom has made to correct some of them leads to the conclusion that Zoom is safe for general business usage.

Conclusion: Risk assessment tools help protect and support staff and minimise business disruptions by following Australian risk management (and health) guidelines.

Conclusion: A Cloud strategy can take many forms. Whether you select a private Cloud, hybrid Cloud (on-premise with Cloud elements), native Cloud or a multiCloud implementation will impact the framework of your strategy. The success of your strategy will be driven by the motivation your organisation has to elect the move.

If your only motivation is the perceived cost model where you reduce capital in favour of operational expense, and potentially see savings based on usage, you are unlikely to succeed. A clear business strategy on why Cloud, what opportunities it may bring the business, and how to transition to, manage and exit the Cloud is essential to see the true benefits.

Key to a successful strategy is to use an effective framework that allows your organisation to migrate to, operate and govern the engagement, and exit the engagement. A Cloud strategy is a commercial arrangement. Understanding the business benefits of entering into a Cloud contract engagement and being able to measure success factors is equally as important as the selection of providers for functionality and cost. It is important that you step into Cloud with your eyes wide open.