How to assess risk for emerging technologies – before you use them
Artificial intelligence (AI), machine learning (ML), robotic process automation (RPA), the Internet of Things (IoT), blockchain, and “connected” buildings have become the darlings of the emerging technology world. Eager to work smarter, faster, and more efficiently in their competitive business segments, organizations are adopting these technologies at an increasingly rapid pace.
Credit the global coronavirus pandemic with driving some of this momentum. Forced to send their workforces home to keep them safe, organizations quickly transitioned to more cloud-based technology and, with it, more advanced technologies like AI, ML, and IoT.
Other organizations are deploying more connected technology within their own four walls. Examples include automating tasks and processes such as order picking on a warehouse floor, accounts payable processing, or parts of security incident response, and AI-enabled chatbots that handle customer service inquiries without human intervention.
What many organizations do not realize is that each emerging technology added to their environment enlarges the attack surface and can put the organization at greater risk of a cyberattack. And when the technology is implemented too hastily, or without a sound acquisition or development process, it also opens the organization up to increased operational, financial, and financial reporting risk.
To help manage the risks that come with using these emerging technologies, develop an emerging technology risk strategy that keeps these three points in mind:
1) Address emerging technology risks up front. Companies need an understanding of the risks, and a strategy to address them, before they implement emerging technologies. This strategy should include governance of the design and implementation methodology as well as of operations across the full life cycle of the new technology. RPA is a good example of the need for governance: prior to design it is essentially a blank slate, and the bots that result typically hold credentials and act across multiple business systems, so design decisions made without oversight become control gaps in production. Organizations should be sure that the strategy for how solutions such as RPA are implemented across the enterprise supports enterprise-wide business objectives related to the completeness and accuracy of processing and data, information security, financial goals, and compliance with privacy laws and other regulations.
2) Data collection is the Achilles’ heel. The more valuable information that is concentrated in any one system, the more attractive that system becomes as a target for cyberattack. For instance, building owners are increasing investments in connected building systems to help improve the tenant experience, but many of them are not fully aware of the degree to which those systems use technologies like artificial intelligence and machine learning to collect large volumes of personal data about renters, lessees, service providers, and even visitors. The first step to protecting against an attack is knowing exactly what data your new systems will collect, where that data will be stored, how long it will be retained, and who (including vendors) can access it. From there, you can implement a cybersecurity strategy that prioritizes resources for its protection. You need not protect all information equally: apply the strongest protections to the most critical systems and data, then cascade downward to less critical ones.
3) Don’t forget about your third-party partners. With more organizations using emerging technology in their operations, it’s not just your own hardware, software, and networks that you need to worry about; it’s your providers’ and vendors’, too. Be sure that your agreements, processes, and policies detail how you assess the risks of new technologies across the board. Make sure your vendor risk management program includes thorough vetting of third-party providers’ use of emerging technology, their practices for implementing it, and how they will be using it. For instance, companies should understand whether a vendor’s new platform will process or store protected or sensitive information. Establish periodic checkpoints (don’t just set it and forget it) so you can stay ahead of risks and address any potential issues quickly and effectively. The measures taken should be commensurate with your own risk appetite, not with the third party’s standards.
Assessing the risks of emerging technologies before incorporating them into your environment and business operations will help keep your organization from ending up on the wrong side of a multi-million-dollar breach, and help you avoid financial reporting issues and disclosures, operational disruption, and inefficiencies. The more technology evolves and disrupts, and the more organizations adopt it for its benefits, the more risks will emerge. If you have already implemented emerging technology but have not yet taken appropriate measures to mitigate and govern its risk, the time to make your move is now.