How to assess risk for emerging technologies – before you use them
Artificial intelligence (AI), machine learning (ML), robotic process automation (RPA), the Internet of Things (IoT), blockchain, and “connected” buildings have become the darlings of the emerging technology world. Eager to work smarter, faster, and more efficiently in their competitive business segments, organizations are adopting these technologies at an increasingly rapid pace.
Credit the global coronavirus pandemic with driving some of this momentum. Forced to send their workforces home to keep them safe, organizations quickly transitioned to more cloud-based technology and, with it, more advanced technologies like AI, ML, and IoT.
Other organizations are deploying more connected technology within their four walls, including automation of tasks and processes, such as assistance in the fulfillment picking process on a warehouse floor, accounts payable processing, or security incident response, or AI-enabled chatbots that can manage customer service inquiries without human intervention.
What many organizations don’t realize is that each addition of an emerging technology to their environment can put their organization at greater risk of a cyberattack. Or, when the emerging technology is implemented too hastily – or without a sound acquisition or development process – it can open the organization up to increased operational, financial, and financial reporting risk.
To help manage the risks that come with using these emerging technologies, develop an emerging technology risk strategy that keeps these three points in mind:
1) Address emerging technology risks up front. Companies need an understanding of, and a strategy to address, the risks before they implement emerging technologies. This strategy should include governance of the design and implementation methodology as well as operations across the full life cycle of the new technology. RPA is a good example of the need for governance since prior to design it can be considered a blank slate. Organizations should be sure the strategy around how solutions such as RPA are being implemented across the enterprise supports enterprise-wide business objectives related to the completeness and accuracy of processing and data, information security, financial goals, and compliance with privacy laws and other regulations.
2) Data collection is the Achilles’ heel. The more valuable information that is stored in any one system, the more likely it will become a target for cyberattack. For instance, building owners are increasing investments in connected building systems to help improve the tenant experience, but many of them are not fully aware of the degree to which those systems use technologies like artificial intelligence and machine learning to collect volumes of personal data about renters, lessees, service providers, and even visitors. The first step to protecting against an attack is knowing exactly what data your new systems will be collecting and where that data will be stored. From there, you can implement a cybersecurity strategy that prioritizes resources for its protection. You may not want to protect all the information equally, but you can implement stronger protections for more critical systems and data and then cascade downward for the less critical.
3) Don’t forget about your third-party partners. With more organizations using emerging technology in their operations, it’s not just your own hardware, software, and networks that you need to be worried about; it’s your providers’ and vendors’, too. You should be sure that your agreements, processes, and policies detail how you assess the risks of new technologies across the board. Make sure your vendor risk management program includes thorough vetting of third-party providers’ use of emerging technology, their practices associated with the implementation of the technology, and how they will be using the technology. For instance, companies should understand if their vendor’s new platform will be processing protected or sensitive information or storing this information. Establish periodic checkpoints (don’t just set it and forget it) so you can stay in front of risks and address any potential issues quickly and effectively. The measures taken should be commensurate with your risk appetite, not the third party’s standards.
Assessing emerging technologies’ risks before incorporating the technology into your environment and business operations will help keep your organization from ending up on the wrong side of a multi-million-dollar breach, and help you avoid financial reporting issues and disclosures as well as operational disruption and inefficiencies. The more technology evolves and disrupts, and the more organizations adopt it for its benefits, the more risks will emerge. If you have implemented emerging technology but have not yet taken appropriate measures to mitigate and govern risk, the time to make your move is now.
Bhavesh Vadhani, Principal, National Director, Cybersecurity, Technology Risk, and Privacy
Thomas McDermott, Director, Cybersecurity, Technology Risk, and Privacy