Scandals like the Hudson’s Bay data breach are 100% preventable. Vulnerabilities are known to front-line employees within the organization for more than 6 months, and often for years, before the scandal, but not to the management level or the adjacent business area that can solve the problem. An ERM program supported by ERM software enables employees, as subject matter experts, to identify and escalate the risks they see, bridging issues across business silos and up through layers of management.
How many risk assessments use a common standard in your organization? The total number of risk assessments of some kind already being done is typically 40% of the total number of worldwide employees. If your organization is tracking fewer than this number, there is a gap that needs to be addressed. If these risk assessments are not standardized or do not use a common platform, that is the cause of the gap.
The solution is typically not about creating more assessments, but rather about identifying what ad hoc assessments are already taking place, standardizing them, and improving their quality. If they can all be on a common denominator through standardization with a risk register and quantified using standardized evaluation criteria, they can be compared across business silos and linked together to identify the true cause of issues. The other key contribution of an ERM system is then being able to link existing controls to these risks which carry the risk score so that monitoring of controls can be prioritized.
Robotic process automation within ERM systems can then trigger follow-up or escalation tasks, provide transparency across workflows as tasks move from one person to another, and provide the reporting and monitoring needed to generate automated reminders for follow-up tasks.
From the description of the breach, this is what was missing from Hudson’s Bay’s risk management program to prevent the password reuse and phishing-based identity impersonation that allowed the malware to get inside the organization and remain undetected for so long.
Studies show that patching habits can be divided into quarters: 25 percent of people patch within the first week; 25 percent patch within the first month; 25 percent patch after the first month; and 25 percent never apply the patch. The longer the wait, the greater the risk.