
Some Thoughts on Risk Management


Risk management for computer systems is the process of identifying and minimizing the impact of random events on your business assets, continuity of operations, and documentation. The term 'random events' could refer to a man-made action, an equipment failure, or some other action caused by a force of nature.


In the process of managing your business, you have undoubtedly managed certain risks already by obtaining insurance for the effects of a fire or windstorm on your building, the liability issues surrounding having visitors on your premises, and so on. This document was made for the purpose of alerting you to other significant risks that most businesses have that you may not have considered already.

 

Businesses that use computer systems (which is now the overwhelming majority) have additional, new risks that may not be addressed or addressable through traditional insurance. Your business data is an asset that is vital to the well-being of your company, but it may not be adequately safeguarded. New, ever-changing maladies like computer viruses and employee sabotage and/or theft may hamper your ongoing operations and put you at a competitive disadvantage if your systems were out of commission for even a small time period.


Meson Digital can help you reduce your exposure to such risks and position your company such that you can recover from a significant event in a short period of time with minimal disruption. Allow us to list some of the ways in which you may be exposed that we can improve upon:

  • Establishing a reliable and predictable data backup regimen. Many businesses do backups infrequently, if at all, and leave all copies of this data on-site. We can evaluate and improve upon your backup regimen such that you have current data stored in more than one location in the event that a fire, etc. destroys your building along with all copies of your data. Many small businesses that take the extra step to move their data off-site do so in a way that may violate many of the new federal regulations such as HIPAA, et al. We can help you improve on this risk also.

  • Unauthorized or easy access to corporate data. Many cases of disgruntled employees taking company data or business secrets vital to one's competitive advantage have been documented in the press in recent years. We are familiar with local cases of employees taking business records with them and starting a competing business, much to the chagrin of their former employer. Can anyone in your organization plug a USB memory stick into their computer and download data? We can help evaluate and mitigate the risks in this area also.

  • Unrestricted access to local computer and network resources. A computer virus or unauthorized program loaded onto an employee's computer may bring your entire computer network down, or expose your sensitive records to data and identity theft by outsiders. Sometimes one can leave a computer vulnerable by simply viewing a picture or surfing to a compromised web site. Some common countermeasures involve purchasing additional hardware or software, and other times this involves preventing your employees from loading software, accessing restricted data, and using standard items such as USB memory sticks on your business system. We can help in this area also, by locking down your computers and installing antivirus software, software and security patches, creating strict user profiles, etc. on your network computers.

  • Unrestricted Internet access. Viewing unauthorized web sites could leave you exposed to harassment suits if these sites are deemed offensive by a given segment of the population. We can set your system up to limit the sites that are accessible to your employees, and we can make this access granular so that certain employees have access to different sites.

  • Infrastructure programming and configuration details. Depending on the size of your business, you may have computers that are very important to your operations, but are seldom included in any disaster planning. If you have a phone switch in your building, are the hours of programming that went into its configuration backed up, including all of the incremental changes made over time? What about the HVAC controller in the utility room that automatically adjusts the temperature and humidity to a preset schedule during the year? Do these contractors offer a discount on service calls if they can update these programs over the Internet? Call us to inquire about handling these details.

  • Point of sale and inventory control equipment. Do you use current, dated or obsolete point of sale cash registers, bar code scanners and printers, RFID tracking equipment, etc.? Where would you find the software drivers for this equipment? What about tying new equipment into a system that uses dated software or an older operating system such as Windows 95 or DOS? In many cases, one can't go out and simply buy a new computer that will run your legacy equipment that you depend on in your day-to-day business activities. There are a number of “gotchas” like this that can make your life miserable in the event of a disaster or simple equipment failure. Call us to help you be proactive about these types of risks and omissions. After all, it's easy for an office supply or computer outfit to tell you that you need all new equipment, even though most of your existing equipment is still perfectly functional. Call us for an opinion that you can trust.

  • Custom programs that are unique to your business. Some companies depend on custom software that is unique to their industry or was written exclusively for them. Many times we see cases where this software is tied to a certain underlying software package or database, which itself is tied to a certain operating system, which is unavailable, and for which it is difficult to find all of the software modules if you were to try to load it on a new computer. Would you want to waste the time working with various software companies and/or individual programmers to try to reload, update, or convert old databases into a new format while you are under duress due to the recent disaster? Do you want to develop a solid contingency plan so that any business software changes are handled in an orderly fashion rather than under emergency conditions? Call us – we've already done it for other clients just like you.


These are but a few examples of how your business may be vulnerable to common computer 'disasters' and also of how we can help you minimize said risks. We also have a great deal of experience in helping business owners recover from a disaster quickly and economically.


To get a feel for how much is at stake with this type of risk, consider how much you have come to rely on your existing computer network. Let's quickly review some of the exposure you might have to information loss or business disruption due to an outage. The valuable information stored in your computer system may include:

  • Vision or Mission Statements

  • Strategic Plans or Operational Concepts

  • Business Processes

  • Business and Tax Records / Correspondence

  • Corporate Databases

  • Sales and Customer Relations Data

  • Insurance and Employee Health Records

  • Inventory Information and Records

  • Trade Secrets and other Intellectual Property

Other factors that should weigh into a computer business disruption risk analysis include:

  • The loss of 'Goodwill' on the part of your customers who no longer trust you to keep their information safe and secure

  • Embarrassment to the organization.

  • Financial impact of the loss of confidentiality of the information.

  • Legal impact of data or loss of confidentiality.

  • Pricing the loss of availability of the information for the duration of the outage until you are fully recovered.


As one can see, there is a substantial amount of risk to be managed with the computer system that you depend on for your daily business activities.


Don't forget to also consider what you would do during the interim period while your new equipment is on order, or while you operate out of a temporary location. Does your current vendor have systems and equipment available for use at short notice?


Please do not hesitate to contact us to discuss any of these, or any other, computer network or system administration concerns that you may have at 219-226-1870. Please visit our website for further information at www.mesondigital.com.



Disclaimer: These observations should not be construed as advice or recommendations for any generic or specific situation(s). Please consult with an experienced computer professional rather than relying on observations made in this document when determining your specific needs and responses.