We’ve all heard stories about breaches of customer and sensitive information, which stem from anything from hacked databases to stolen laptops to web exposures to employee theft. In such instances, we think to ourselves: “How did they let that happen?”
Any security professional will tell you that a municipal or utility organization is inherently subject to a number of risks. These risks can be organizational, process-based, or application/technology-related — and can impact customer trust, company reputation, potential business partners, employee confidence, and organizational management.
Protecting information, especially sensitive and confidential data, is an important component of the daily management of municipal and utility assets. A municipal entity can use a risk-based approach to help build a strategy for information management. In general, this approach will review the risks, identify the issues, and define risk management activities to ensure that risks are adequately addressed.
Most municipal entities focus on organization and process risks, such as segregation of duties, fraud, theft, and inaccurate financial reporting. In addition to these risks, it is crucial to consider application/technology-based risks. While every organization is different, some of the risks might include:
- External security breaches
- Service outages and interruptions
- System backup failures
- Web site content
- Customer service center penetration
- Debit/Credit card information theft
- Noncompliance with laws and regulations such as information security regulations
After reviewing possible risks, your organization should define the impact and mitigation strategy for each. For example, viruses, spyware, trojans, and other malware could be defined as major risks to a municipal entity. Your organization may face system and network outages, confidential data exposure, customer information theft, and financial loss. Most commonly, a combination of non-technical and technical strategies is used to decrease risk. Non-technical strategies include annual employee awareness training that is available to all employees. Technical strategies include keeping current on all system patches.
In today's increasingly digital world, municipal entities of all sizes should expand their approach to risk management to include information management, especially customer and sensitive data. Identifying risks, understanding the impact of those risks, and building strategies to mitigate risk are important elements of an enterprise risk management plan. As your organization grows and changes to meet customer demands, advancements in technology, and more options in an increasingly electronic world, the plan should be continually updated to account for additional risks.