Risk Assessment
(Image source: https://www.pinkelephantasia.com/know-risk-management/)
Overview:
The risk of subscribing to Cin7 is similar to that of any SaaS (software as a service) product: all of our data (inventory, financials, supplier and customer information, etc.) will be stored in the public cloud. While the information belongs to WANT NOT: Farm to Health, technically we do not own the computers and servers it is stored on. Depending on how our contract is written, we could be prevented from accessing our information, there could be issues with the sharing of proprietary information, or, more simply, WANT NOT is reliant on Cin7 to update and maintain its systems so that they are always available and not susceptible to hacking incidents or power outages (Austin, Nolan, & O’Donnell, 2016). Moreover, we are reliant on Cin7’s technical expertise and knowledge of emerging technologies and capabilities to ensure our system remains efficient and effective. Since WANT NOT is not in a highly regulated industry, such as banking, we probably would not have to consider a public-private cloud environment (Kaplan, Rezek, & Sprague, 2013).
Potential Privacy Issues:
In the event of a data breach, external or internal, WANT NOT: Farm to Health’s employees, farmers, and customers could all have information at risk.
Employees most likely would have the most to lose in terms of personal data, as WANT NOT would hold records with their addresses, bank accounts, social security numbers, and possibly dependents as information necessary for payment. If this information is compromised, it could pose grave threats to an employee’s financial viability and possibly physical safety.
Farmers, depending on how their businesses are structured (for example, as an LLC, single ownership, or partnership), could have some of their financial information at risk, since WANT NOT does pay farmers for their goods. However, the information stored would probably be limited to bank accounts and business addresses.
Customers, which for WANT NOT are local healthcare providers, only come into the system to order and purchase produce, so their privacy issues would also be related to banking. The impact would potentially be smaller than for farmers or employees, since the healthcare providers are part of broader corporations.
Potential Security Issues:
Research indicates that the greatest threat to security is often the employees of the company, due to a lack of knowledge about, or adherence to, the policies that prevent security risks (Upton and Creese, 2017). A company culture that does not engender knowledge of and adherence to security policies is the main cause of employee security risk (Prokesch, 2014; Winnefeld, 2015). At WANT NOT: Farm to Health, we will strive to be a company with a strong culture around security, which is why we chose Cin7. However, the use of Cin7 is not without security risks. The company maintains daily backups of client data stored on its servers, with the copies taken off-site. Additionally, Cin7 minimizes server downtime from hardware failure by configuring web servers in clusters: “if one computer fails another computer will take its place”. Cin7 also has both UPS and generator backups in case of power failure (Cin7, 2017). Yet even with these systems in place, the risks of intrusive malware causing problems such as distributed denial of service (DDoS) attacks, spam, and phishing still exist. Botnets, often responsible for such attacks, control more computing power than the world’s fastest supercomputers (Gallaugher, 2016). However, maintaining and adhering to strong security policies should make the probability of such attacks quite low (Prokesch, 2014; Winnefeld, 2015). Additionally, since Cin7 is not open-source software, the threat of attacks such as Heartbleed is negligible (Gallaugher, 2016). The table below represents the probability and impact of security issues that may be present when WANT NOT: Farm to Health begins using Cin7.
[Table: Risks vs. Benefits; vertical axis Priority (High, Low), horizontal axis Impact (High, Low); cell contents not present in the source.]
Risks vs. Benefits:
The risks in relation to benefits are a relatively simple comparison for our firm, WANT NOT: Farm to Health, and the potential use of Cin7. Because we are a start-up enterprise, any established infrastructure will be stronger than building a low-tech, non-expert-led system in-house. Of course, we should plan for the potential security breaches outlined above. However, if we were to propose a different system, say one outside of software, we could run into similar problems. As previously mentioned, we will be storing sensitive customer data such as payment information and order information. Before software systems, analog ledgers and paper files stored this data. According to the Data Security Law Blog written by the firm Patterson Belknap, there are many examples of large corporations exposing customer information due to improper file storage (Reilly 2016). For example, the Safeway, Inc. grocery company took the state of California to court after improper handling of paper files regarding customer purchasing information (Reilly 2016). As CRM (customer relationship management) increasingly happens digitally, it is important that we work with Cin7 to properly manage our accounts and set up security structures to protect our customers’ information. As we have seen by evaluating Cin7, the estimated benefits of tracking customer orders and interactions are invaluable to providing superior service and launching a successful business.
References:
Austin, R. D., Nolan, R. L., & O’Donnell, S. (2016). The adventures of an IT leader (2nd ed.). Boston, MA: Harvard Business Review Press.
Gallaugher, J. (2016, July). Information Systems: A Manager’s Guide to Harnessing Technology (Vol. 5). Flatworld.
Hosting, security and support. (2017). Cin7. Retrieved from https://www.cin7.com/hosting-security-and-support/
Kaplan, J., Rezek, C., & Sprague, K. (2013, January). Protecting information in the cloud. Retrieved November 3, 2017, from https://www.mckinsey.com/business-functions/digital-mckinsey/our-insights/protecting-information-in-the-cloud
Prokesch, S. (2014, August 20). I was a cyberthreat to my company. Are you? Harvard Business Review. Retrieved from https://hbr.org/2014/08/i-was-a-cyberthreat-to-my-company-are-you
Reilly, H. (2016). The Paper Trail: The Potential Data Breach Sitting in Your Printer. Data Security Law Blog. Retrieved November 2017 from https://www.pbwt.com/data-security-law-blog/paper-trail-potential-data-breach-sitting-printer
Upton, D. and Creese, S. (2017). Are you a cyberthreat to your organization? Harvard Business Review. Retrieved from https://hbr.org/web/assessment/2014/08/are-you-a-cyberthreat-to-your-organization
Winnefeld, J. et al. (2015, October 7). Defending your networks: lessons from the Pentagon. Harvard Business Review. Retrieved from https://hbr.org/webinar/2015/10/defending-your-networks-lessons-from-the-pentagon