How to assess risk for emerging technologies – before you use them
Artificial intelligence (AI), machine learning (ML), robotic process automation (RPA), the Internet of Things (IoT), blockchain, and “connected” buildings have become the darlings of the emerging technology world. Eager to work smarter, faster, and more efficiently in their competitive business segments, organizations are adopting these technologies at an increasingly rapid pace.
Credit the global coronavirus pandemic with driving some of this momentum. Forced to send their workforces home to keep them safe, organizations quickly transitioned to more cloud-based technology and, with it, more advanced technologies like AI, ML, and IoT.
Other organizations are deploying more connected technology within their four walls, including automation of tasks and processes, such as assistance in the fulfillment picking process on a warehouse floor, accounts payable processing, or security incident response, or AI-enabled chatbots that can manage customer service inquiries without human intervention.
What many organizations don’t realize is that each addition of an emerging technology to their environment can put their organization at greater risk of a cyberattack. Or, when the emerging technology is implemented too hastily – or without a sound acquisition or development process – it can open the organization up to increased operational, financial, and financial reporting risk.
To help manage the risks that come with using these emerging technologies, develop an emerging technology risk strategy that keeps these three points in mind:
1) Address emerging technology risks up front. Companies need an understanding of, and a strategy to address, the risks before they implement emerging technologies. This strategy should include governance of the design and implementation methodology as well as operations across the full life cycle of the new technology. RPA is a good example of the need for governance since prior to design it can be considered a blank slate. Organizations should be sure the strategy around how solutions such as RPA are being implemented across the enterprise supports enterprise-wide business objectives related to the completeness and accuracy of processing and data, information security, financial goals, and compliance with privacy laws and other regulations.
2) Data collection is the Achilles’ heel. The more valuable information that is stored in any one system, the more likely it will become a target for cyberattack. For instance, building owners are increasing investments in connected building systems to help improve the tenant experience, but many of them are not fully aware of the degree to which those systems use technologies like artificial intelligence and machine learning to collect volumes of personal data about renters, lessees, service providers, and even visitors. The first step to protecting against an attack is knowing exactly what data your new systems will be collecting and where that data will be stored. From there, you can implement a cybersecurity strategy that prioritizes resources for its protection. You may not want to protect all the information equally, but you can implement stronger protections for more critical systems and data and then cascade downward for the less critical.
3) Don’t forget about your third-party partners. With more organizations using emerging technology in their operations, it’s not just your own hardware, software, and networks that you need to be worried about; it’s your providers’ and vendors’, too. You should be sure that your agreements, processes, and policies detail how you assess the risks of new technologies across the board. Make sure your vendor risk management program includes thorough vetting of third-party providers’ use of emerging technology, their practices associated with the implementation of the technology, and how they will be using the technology. For instance, companies should understand if their vendor’s new platform will be processing protected or sensitive information or storing this information. Establish periodic checkpoints (don’t just set it and forget it) so you can stay in front of risks and address any potential issues quickly and effectively. The measures taken should be commensurate with your risk appetite, not the third party’s standards.
Assessing emerging technologies’ risks before incorporating the technology into your environment and business operations will help keep your organization from ending up on the wrong side of a multi-million-dollar breach, and help you avoid financial reporting issues and disclosures, as well as operational disruption and inefficiencies. The more technology evolves and disrupts, and the more organizations adopt it for its benefits, the more risks will emerge. If you have implemented emerging technology but have not yet taken appropriate measures to mitigate and govern risk, the time to make your move is now.