What happens if your systems are down for several days and you must shut down your production?

Why should an SME care about risk management in ICT?

Everyone is involved in risk management – whether you're hiring someone, signing a deal, or considering new markets.

Most companies in Norway have undergone an insanely fast digitalisation in recent years. For most, this has been positive: more flexibility for employees, more effective digital meetings and better measurement of productivity. However, the introduction of this technology has also brought a new type of threat to SMEs: ICT risk.

Imagine this: What happens if your systems are down for several days? Or if someone hacks in and steals your customer information? Or worse, what if sensitive data about your employees leaks out?

But what is ICT risk? According to NSM (Nasjonal Sikkerhetsmydighet), "Any threat, vulnerability, scenario or other undesirable incident that may compromise the integrity, availability and/or confidentiality of the ICT system poses a risk".

To put it simply, it is that risk associated with misuse, alteration or loss of data that has possible negative consequences for an organisation.

Once you understand the consequences of these risks, you also understand that some digital risks can lead to critical financial consequences for a company and, in the worst case, bankruptcy. So, what is the solution? A thorough risk assessment.

According to NSM, the goal of a risk assessment is "to uncover relevant vulnerabilities and threats to the company's ICT systems." Good risk assessments therefore increase the resilience of enterprises by contributing to better resilience to undesirable incidents.

Where to start?

Well, where it hurts the most. In other words, critical systems that a company depends on to deliver its services and pay its suppliers. We call this an "overall risk assessment". Here you can use different methods or templates. In Diri, we use a model called the BowTie. This is the same standard as NSM recommends, namely NS5814. The advantage of this model is that risk is visualised in different components: undesirable incidents, the reasons why an incident can occur and the consequences of this. Furthermore, it is easier to identify good measures both to reduce the chance of an incident occurring and to reduce the probability and extent of the consequences.

Example of BowTie.

How do I know if I have good initiatives?

It is in this phase that frameworks such as NSM's basic principles and ISO 27001 come in handy. These frameworks recommend a range of measures based on best practices. For example, if you use NSM's basic principles, you have a good starting point for being adequately secured – according to Microsoft, basic security hygiene protects against 98% of attacks.

But there are several benefits of having established good security management in the enterprise:

Protection of assets: Reduces the risk of data theft and breach of privacy and secures sensitive data and trade secrets against unauthorised access and loss.

Cost savings: Early identification and management of risks help avoid costly security breaches and reduce investigative and court costs.

Reputation management: Signals seriousness around data security, builds trust among customers and partners, and strengthens your company's reputation in an increasingly competitive market.

Compliance: Helps meet industry and legal obligations to help your business avoid fines, lawsuits and negative consequences of non-compliance.

Efficient use of resources: Optimizes resource allocation by prioritising resources to the most critical security areas, increasing ROI for security investments and providing better decision-making for management.

So, the next time the question "Where do I start?" comes up, remember that the logical place to start is to do a risk assessment. It will be a good foundation for how to prioritise and how much money/work it will take to be "secure enough".

Cyber Security
Risk Assessment