Risk Assessment



(Image source: https://www.pinkelephantasia.com/know-risk-management/)


Overview:
The risk of subscribing to Cin7 is similar to that of any SaaS (software as a service) offering, in that all of our data (inventory, financials, supplier and customer information, etc.) will be stored in the public cloud.  While the information is WANT NOT: Farm to Health's, we do not own the computers and servers that the information is stored on.  Depending on how our contract is written, we could be prevented from accessing our information, there could be issues with the sharing of proprietary information, and WANT NOT is in any case reliant on Cin7 to update and maintain their systems so that they remain available and are not taken down by hacking incidents or power outages (Austin, Nolan, & O'Donnell, 2016).  Moreover, we are reliant on Cin7's technical expertise and knowledge of emerging technologies and capabilities to ensure our system remains efficient and effective.  Since WANT NOT is not in a highly regulated industry, such as banking, we probably would not have to consider a hybrid public-private cloud environment (Kaplan, Rezek, & Sprague, 2013).

Potential Privacy Issues:
In the event of a data breach, external or internal, WANT NOT: Farm to Health’s employees, farmers, and customers could all have information at risk.
Employees most likely would have the most to lose in terms of personal data, as WANT NOT would have records with their addresses, bank accounts, social security numbers, and possibly dependents as necessary information for payment.  If this information is compromised, this could cause grave threats to the employee’s financial viability and possibly physical safety.
Farmers, depending on how their businesses are structured (for example, if it is an LLC, single ownership, partnership), could have some of their financial information at risk, since WANT NOT does pay farmers for their goods.  However, the information stored probably would only be related to bank accounts and business addresses.
Customers, which for WANT NOT are local healthcare providers, only come into the system to order and purchase produce, so their privacy issues would also be related to banking information.  The impact would potentially be lower than for farmers or employees, since the healthcare providers are part of broader corporations.

Potential Security Issues:
Research indicates that the greatest threat to security is often the employees of the company, due to a lack of knowledge about, or adherence to, the policies that prevent security risks (Upton and Creese, 2017). A company culture that does not engender knowledge of and adherence to security policies is the main cause of employee security risk (Prokesch, 2014; Winnefeld, 2015). At WANT NOT: Farm to Health, we will strive to be a company with a strong culture around security, which is part of why we chose Cin7. However, the use of Cin7 is not without security risks. The company maintains daily backups of client data, with the copies stored off-site. Additionally, Cin7 reduces downtime from hardware failure by configuring its web servers in clusters: "if one computer fails another computer will take its place". Cin7 also has both UPS and generator backups in case of power failure (Cin7, 2017). Yet even with these systems in place, the risks of malware, botnet-driven distributed denial of service (DDoS) attacks, spam and phishing still exist. Botnets, often responsible for such attacks, control more computing power than the world's fastest supercomputers (Gallaugher, 2016). However, maintaining and adhering to strong security policies should keep the probability of a successful attack quite low (Prokesch, 2014; Winnefeld, 2015). Cin7 is not open-source software, but that by itself does not make vulnerabilities such as Heartbleed (Gallaugher, 2016) negligible: Heartbleed was a flaw in the widely used OpenSSL library, which closed-source products also depend on, so what matters is how promptly Cin7 patches the third-party components its service is built on. The table below represents the probability and impact of security issues that may be present when WANT NOT: Farm to Health begins using Cin7.

Probability (↓) / Impact (→)

High probability:
  • Employee error (Prokesch, 2014; Winnefeld, 2015)
  • Phishing (Gallaugher, 2016)
  • Poor passwords / company culture and policies not devoted to security (Gallaugher, 2016; Upton and Creese, 2017)
  • Network threat / company culture and policies not devoted to security (Gallaugher, 2016; Upton and Creese, 2017)

Low probability:
  • Significant degradation of services (Cin7, 2017)
  • Malware incursion, "worms", DDoS attacks, "black hat" hacking (Gallaugher, 2016)
  • Vulnerability in open-source software (Gallaugher, 2016)
  • Physical threats: complete outage resulting from power outage with generator and UPS failure (Cin7, 2017; Gallaugher, 2016)
  • Small or limited service degradation (Cin7, 2017)

Risks vs. Benefits
The comparison of risks to benefits is relatively simple for our firm, WANT NOT: Farm to Health, and its potential use of Cin7. Because WANT NOT is a start-up enterprise, an established vendor's infrastructure will be stronger than a low-tech, non-expert-led system built in-house. Of course, we should plan for the potential security breaches outlined above. However, if we were to propose a different system, say one outside of software, we could run into similar problems. As previously mentioned, we will be storing sensitive customer data such as payment information and order information. Before software systems, analog ledgers and paper files stored this data. According to the Data Security Law Blog written by the firm Patterson Belknap, there are many examples of large corporations exposing customer information due to improper file storage (Reilly 2016). For example, the Safeway, Inc. grocery company ended up in court with the state of California over the improper handling of paper files containing customer purchasing information (Reilly 2016). As CRM (customer relationship management) increasingly happens digitally, it is important that we work with Cin7 to properly manage our accounts and set up security structures to protect our customers' information. As we have seen by evaluating Cin7, the estimated benefits of tracking customer orders and interactions are invaluable to providing superior service and launching a successful business.


References:
Austin, R. D., Nolan, R. L., & O’Donnell, S. (2016). The adventures of an IT leader (2nd ed.). Boston, MA: Harvard Business Review Press.
Gallaugher, J. (2016). Information Systems: A Manager's Guide to Harnessing Technology (Vol. 5). Flatworld.
Hosting, security and support. (2017). Cin7. Retrieved from https://www.cin7.com/hosting-security-and-support/
Kaplan, J., Rezek, C., & Sprague, K. (2013, January). Protecting information in the cloud. Retrieved November 3, 2017, from https://www.mckinsey.com/business-functions/digital-mckinsey/our-insights/protecting-information-in-the-cloud
Prokesch, S. (2014, August 20). I was a cyberthreat to my company. Are you? Harvard Business Review. Retrieved from https://hbr.org/2014/08/i-was-a-cyberthreat-to-my-company-are-you
Reilly, H. (2016). The paper trail: The potential data breach sitting in your printer. Data Security Law Blog. Retrieved November 2017 from https://www.pbwt.com/data-security-law-blog/paper-trail-potential-data-breach-sitting-printer
Upton, D., & Creese, S. (2017). Are you a cyberthreat to your organization? Harvard Business Review. Retrieved from https://hbr.org/web/assessment/2014/08/are-you-a-cyberthreat-to-your-organization
Winnefeld, J., et al. (2015, October 7). Defending your networks: Lessons from the Pentagon. Harvard Business Review. Retrieved from https://hbr.org/webinar/2015/10/defending-your-networks-lessons-from-the-pentagon



