Q&A: Risky Business
Given the considerable number of high-profile and damaging security incidents that have taken place over recent years, it is remarkable that industry leaders admit they do not have the proper systems in place to help ensure that their IT systems are secure from the increasing threat of hackers and data breaches. According to a poll released today by accounting and business advisory firm ParenteBeard, one in five executives in the manufacturing, distribution and technology industries feel that they are “behind the curve” when it comes to managing IT risks.
Jeff Krull and Jeff Vrabel of ParenteBeard recently spoke with Manufacturing Business Technology about managing IT risk, how some companies are falling short, and what companies need to do to protect themselves.
MBT: How much of a concern is managing IT risks for manufacturers?
Krull: I view it as a fairly big risk for a lot of manufacturers today. Most companies seem to fall into one of two camps. Either they are still running really old legacy manufacturing-type systems that have been strung together forever and are near end of life, but there may be all sorts of security vulnerabilities there that have never been addressed because there are technologies that just aren’t current anymore. The other side of the camp seems to be companies that have gone to more up-to-date ERP systems. As companies have tried to look hard at cost, I think there’s a risk that people really haven’t kept up to speed with all the security enhancements in newer technology that may help keep issues from arising.
Vrabel: The knowledge that they have that might give them a competitive advantage, such as the products they sell or manufacture, for example. You have to keep that secure. From a customer standpoint, they are interested in how secure the information is. Information is being exchanged electronically. There are a lot of things for manufacturers to be thinking about, from their own competitive standpoint, from a customer standpoint, and from their own employees’ standpoint. You have to make sure their information is secure and there isn’t a breach of some of that confidential personnel information.
Krull: You see a lot of foreign hacking attempts. I definitely think there is a risk if you are a manufacturer, especially if you are doing unique design specs for people or are doing unique products. With so much cross-border hacking, you really run the risk that there is somebody in another country that wants to steal the idea.
MBT: What do you think are some of the things that are holding some of these companies back? Obviously there are companies out there that have the IT infrastructure and proper measures in place to deal with these risks. They do an excellent job with security and protecting their data. However, some are falling short. Why?
Krull: In my mind a lot of it is in IT governance. You run into different attitudes and perspectives. Companies that view IT governance as very important take their IT risk assessment properties seriously and candidly have a process like an IT internal audit function to be checking that the right things are happening tend to be more secure. Companies that don’t have those governance and risk management processes around IT, don’t have an IT internal audit shop and things like that, tend to seem to lag a little.
Vrabel: It’s a corporate mindset in terms of how it’s being viewed. The information technology is pervasive throughout all of the operations of a company. The question is how secure do they want it to be? There’s a continuum there of where it could fall.
Krull: It is interesting, when you do some deep dives on companies that have had breaches and have had security incidents. To some extent, some of those things are the luck of the draw. A lot of times when you go do those deep dives, the core root cause is not “The setting was set to X instead of Y.” There’s usually a people process issue involved somewhere along the way. It’s usually not the technology setting that gets people in trouble. It’s the process around it.
MBT: Technology has changed immensely over the course of the past several years. Has that played a role in security concerns for some companies? If so, why?
Krull: I think so, because I believe more and more companies. Nobody starts a process today and says “Hey, let me do all of this on paper.” Almost everyone asks “How can I automate it?” With that automation, which can add tremendous efficiency, also comes that risk. If you don’t do it right and secure it right, you are increasing risk.
MBT: Companies that are behind the curve, do you feel they recognize this is a problem? Do they not know how to go about addressing the risks?
Krull: I think most companies recognize there is a level of IT risk out there. I think many companies struggle with how to quantify and manage that risk and look at it in the way that’s in the context of all of their business risks. Most executives know there is something out there with IT. I think it’s a matter of not knowing what the next step is in terms of what to do about it. Thinking about it holistically, we do run into organizations that sort of embrace patchwork security. They sort of chase the latest security flaw or issue they saw. You have to take a step back and really think about your security posture.
Vrabel: You also have to know the location of all the information. They may just focus on the main system and doing it through Excel spreadsheets, for example. They need to make sure where all that data is going and where it’s all being stored. Then they have to secure those locations. It can be passed on through marketing, HR, through other places that they may not have thought about.
MBT: What are some of the specific things companies are doing to protect themselves?
Krull: In my mind, the better companies have a mature IT risk assessment process that ties into the company’s enterprise risk management process I think is a piece of that. They actually monitor and test compliance with all their policies and procedures. They have that IT internal audit, or they have someone do it for them. I think they also tend to be the companies that invite IT leadership to executive-level meetings. It’s pretty surprising how many companies don’t do that.
ParenteBeard is ranked among the top 25 accounting firms in the U.S. The company is a leader in providing CPA and business advisory services to small businesses, middle market companies, nonprofits, and SEC registrants.
Visit www.parentebeard.com to learn more.