How can the 33rd largest company in America compromise the personal data of 56 million customers? And how can a company that spent $1 billion to “digitize” itself take nine months to identify a breach? Most importantly, how can a company once cited for leadership and success in risk management fail to…well, manage risk?
Cyber-crime expert Brian Krebs asks “Are we spending most of our money on trying to keep the bad guys out or trying to detect as soon as possible when the bad guys get in?” Krebs feels that Home Depot was too focused on identifying potential threats and wasn’t prepared to deal with the actual manifestation of one.
For companies concerned with cyber-security, Krebs’s question is a good one. When technology moves at a pace nearly impossible to keep up with, how can organizations structure their control environment to mitigate risk? The answer isn’t found in your company’s IT infrastructure, but rather in its ERM process.
Home Depot’s risks may have been inevitable, but they were also known. As early as 2008, employees warned management of a range of cyber-security threats. The company was working with an “outdated Symantec antivirus software,” and “did not continuously monitor the network for unusual behavior.”
Blaming the IT team for not prioritizing a system upgrade isn’t digging deep enough into the problem. Hidden behind the out-of-date software and the sporadic monitoring procedures is a failure of Enterprise Risk Management. Home Depot’s front-line employees, often the most knowledgeable of a company’s risks, were unable to communicate their concerns to a level in the organization that could assess the cost/benefit decision. The solution to this – a solution that benefits every company, whether large or small – is the use of comprehensive business risk assessments. To get started, use this risk management template.
With hundreds, maybe thousands of processes relying on IT applications, where could the business case have come from to make the upgrade an easy and high-priority decision for management? Risk Assessments would have equipped management with the input of the most knowledgeable individuals as part of a formalized process (rather than a one-off, red flag situation that can leave employees feeling vulnerable). Assessments at this level can provide the business case for change even when the current system “met industry standards for protecting customer data.”
The Power of Risk Assessments
Especially in the field of IT Security, change is too rapid for organizations to be comfortable relying on standards, policies, and compliance to manage risk. ERM bridges the gap. By not reaching down to the front lines, Home Depot’s management wasn’t in a position to take action on risk. A fully-implemented ERM program – supported with Risk Management Software and governance, risk and compliance tools – would have provided the company with a more connected risk picture, and more data to ensure the proper risk mitigation strategies were in place.