Risk Management – The Personal Dimension


As we recruit and develop our people do we place enough emphasis on having people who have the values our enterprise need to flourish and reward our stakeholders this year, next year and into the future? Moreover. Do we provide them with the incentives that will promote alignment of their behavior with the needs of the developing Enterprise.

Turning to a tactical example – the risk of security issues in an enterprise – even after perhaps major investments in state of the art IT security. Forrester has revealed that most data breaches are caused by internal problems such as employees losing, having stolen or “simply unwittingly” misusing corporate assets. After questioned over 7,000 IT executives across North America and Europe Forrester identified the following causes of data breaches:

  •  Simple loss or theft – 31%
  • Inadvertent misuse by an employee – 27%
  • External attack – 25%
  • Malicious insiders – 12%
  • Other – 5%

“Whether their actions are intentional or unintentional, insiders cause their fair share of breaches,” said the authors of the report.

Hopefully most enterprises now have policies and training in place to promote good personal security practices; however, on the basis of an adhoc survey conducted over the last week it appears that top Enterprise Management / Directors have, at best, limited information about such information security incidents.  My proposition is that Directors should sponsor a review of the information security risks in their organisation and ensure:

  1. incidents are captured and reported – not least so that trends can be identified and addressed
  2. appropriate policies are in place – including background checks on new and existing staff
  3. individuals are given appropriate training on security preferred practices when they join and then periodically
  4. that working practices reinforce good behavour and provide safeguards wherever possible – for example provide staff with encrypted memory sticks if data is downloaded from enterprise computers
  5. in addition to considering disciplinary action when security breeches occur, feed the details into an Operational Effectiveness assessment during personal appraisals.



Comments are closed.