Hands-up (not literally) all those who drive a car?
Did you know that, on average, around 1500 people are killed and over 20,000 seriously injured in car-related incidents in the UK every year? It probably doesn't surprise you. The global figures are close to 1.2 million killed and between 20 and 50 million seriously injured.
That’s a cheery note to start with.
Those of us who drive know the risks involved, yet when we look at the numbers and consider the likelihood and potential impact of having a car accident, it still doesn't put us off.
That's because we accept the risk, given the overriding necessity of using vehicles.
The graphic below represents the range of potential impacts: one end of the scale is a low-level impact, while the opposite end is the one we really want to avoid.

There are also two parts to this risk equation: you (the person, or user) and the car (or device). So when it comes to layering in risk mitigation techniques, we must consider both. There are also some additional factors to consider that apply to both.
Drivers (users) must take lessons and pass a test before they are safe to take the wheel. So user training and awareness is a key factor right from the very beginning. Certification in the form of a licence is also a factor, and this needs to be renewed on a regular basis. Users who don't behave acceptably or don't use their vehicles properly are more likely to have accidents, so they will need to be retrained and occasionally disciplined if they continue to fall short of expectations.
Knowing how to use a vehicle on the road in the correct way, which signs to follow, the code of conduct, how to avoid making mistakes and what to do if things go wrong are all part of being a good driver. These administrative and procedural controls help to mitigate the risk of having an accident.
Cars (devices) must be kept up to date and well maintained at all times. So regular check-ups, updates and modifications to equipment, software and other components are essential. But this has to be done by an approved supplier, someone who is competent and trained to do so.
Most cars are also natively fitted with a host of safety features. Seatbelts and airbags are now standard. As technology has progressed, cameras, sensors, monitoring devices and automatic management systems have become commonplace too. These may also be retro-fitted to older vehicles (but not all of them). Getting your car regularly serviced and updated is a great way to mitigate the risk of it failing or causing an incident.
Cars have become more reliable and resilient over the years, but they still all need to be looked after and monitored.
Cars are also at risk of being stolen or tampered with when not in use, or when left in an unsafe condition or location. Physical controls in the form of keys and sensors keep them safe. Steering wheel locks deter criminals. New remote locking technologies require additional protective measures to keep them safe.
In addition to the technical, physical and procedural controls we put in place to keep our users and devices safe, we also have to abide by the rules.
Laws and regulations are in place to keep us safe. The reason for traffic laws and regulations is to ensure that we travel at safe speeds (according to the conditions of the road) and that we use the road networks and associated connections properly and safely. They are in place to protect us, everybody is mandated to remain compliant with them, and they are legally binding: if you don't comply, you will be sanctioned.
Standards are set and maintained in order to achieve an agreed level of safety, compliance and best practice in key areas for users, devices and the networks they travel on. This includes the processes and management systems used to look after them.
Laws, regulations and standards are used to inform local policies. Policies are in place to ensure compliance with the mandatory requirements and to keep everybody aware and safe. These are reviewed and updated on a regular basis.
Standard practices and guidelines are set out to inform users how to use their devices and networks properly and in accordance with local requirements. This 'highway code' is not a legal document, but it sets out best practice and guides users away from contravening the all-important laws and regulations. Generally, those who ignore or disregard the highway code will end up breaking a law or having an accident at some point.
Ethics are also an important part of staying safe and looking after each other. Road rage ends up causing problems, and discourteous drivers hurt themselves or others by their actions, so we should all sign up to be respectful and understand that acceptable behaviour is important in keeping everyone safe. Out on the public road this would be a utopia, but in an area that can be more closely controlled, such as a private site, it may also form part of a local policy.
Another way of mitigating risk is transferring it. So we pay insurance companies to take on the risk of our having an incident whilst driving. The agreement and policy that you hold with them is very important, and it is crucial that we read the small print and make sure we get the right level of cover for what we use the devices for and how we expect to use them. The service level agreement and contract are key.
The most important asset that we are trying to protect with all of the above is the person behind the wheel. Reducing the impact on people is the priority, even though in a lot of cases it is the person who has caused the problem.
In the world of information security and cybersecurity, risk is an everyday factor that we have to contend with.
It is mitigated, transferred, tolerated or accepted, but never ignored. The only way of avoiding a risk is not to take part in the activity at all, but every organisation needs to use networked computers, create, store and process data, use software, run processes and, the biggest threat of all, employ users. So we have no option but to accept the risks involved.
Procedural controls, in the form of data protection laws and regulations and information security and cybersecurity standards and policies, help to protect us and inform us of the correct actions to take. A whole host of procedural controls are put in place to safeguard against these risks, user training and awareness being a great example.
Physical controls are used to ensure correct access and prevent loss through theft, and new technologies bring more sophisticated and more technical controls to mitigate these risks.
Technical controls are numerous; they protect and monitor users and devices at all levels and help prevent incidents. They assist in protecting assets such as the infrastructure, sites, systems and data. And they also keep people safe, which is the main objective of any security solution.
The best security solution in all cases is to layer in as many risk controls from across all categories as possible, as long as they are appropriate to whatever it is you are trying to protect or defend. This concept is known as defence in depth.
In order to do this, you have to know what assets you have, and the threats to them and vulnerabilities in them.
But probably our biggest threat and vulnerability in all cases is the poorly trained, misguided, unaware or disgruntled user on the inside. Users are also the most important assets to an organisation (not the disgruntled ones!).
Unfortunately, regardless of the amount or type of risk management we put in place, it will never remove risk completely; but hopefully we reduce it to an acceptable level, which swings the balance and reduces the likelihood and impact in our favour.
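To show how the pieces above fit together in practice, here is an added Python example (not part of the original post) of a small qualitative risk register. It scores each asset and threat as likelihood times impact, layers in only the controls that are appropriate to that asset, works out the residual score, and then recommends the treatment the post describes: accept it when it sits within the risk appetite, mitigate further when a whole control category (procedural, physical or technical) is still missing, and transfer it (insurance) when every category is already layered in and the residual is still too high. The 1 to 5 scales, the appetite of 6, the rule that each control knocks points off likelihood or impact, and all of the assets, threats and controls are constructed assumptions for the illustration.

```python
"""Qualitative risk register with layered controls (defence in depth).

Added illustration, not the post's own code. The 1-5 likelihood and impact
scales, the residual-score appetite and the rule that each control removes
points from likelihood or impact are assumptions chosen for this example;
the assets, threats and controls below are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import FrozenSet, List, Set, Tuple

CATEGORIES = {"procedural", "physical", "technical"}


@dataclass(frozen=True)
class Control:
    name: str
    category: str                              # one of CATEGORIES
    likelihood_reduction: int = 0              # points removed from the 1-5 likelihood
    impact_reduction: int = 0                  # points removed from the 1-5 impact
    applies_to: FrozenSet[str] = frozenset()   # asset types the control is appropriate for


@dataclass
class Risk:
    asset: str
    asset_type: str                            # "user", "device" or "data"
    threat: str
    likelihood: int                            # 1 (rare) .. 5 (almost certain)
    impact: int                                # 1 (negligible) .. 5 (severe)
    controls: List[Control] = field(default_factory=list)

    def inherent_score(self) -> int:
        """Likelihood x impact before any control is applied."""
        return self.likelihood * self.impact

    def applicable_controls(self) -> List[Control]:
        """Only layer in controls appropriate to the asset type: a control aimed
        at users does nothing for a stolen laptop."""
        return [c for c in self.controls if self.asset_type in c.applies_to]

    def residual(self) -> Tuple[int, int]:
        """Apply each applicable layer in turn, never dropping below 1."""
        lik, imp = self.likelihood, self.impact
        for c in self.applicable_controls():
            lik = max(1, lik - c.likelihood_reduction)
            imp = max(1, imp - c.impact_reduction)
        return lik, imp

    def residual_score(self) -> int:
        lik, imp = self.residual()
        return lik * imp

    def categories_covered(self) -> Set[str]:
        return {c.category for c in self.applicable_controls()}


def recommend_treatment(risk: Risk, appetite: int) -> str:
    """Accept a risk within appetite; otherwise mitigate further while a whole
    control category is still missing, and transfer (insure) once every
    category is layered in and the residual is still above appetite."""
    if risk.residual_score() <= appetite:
        return "accept"
    if CATEGORIES - risk.categories_covered():
        return "mitigate"
    return "transfer"


def risk_register(risks: List[Risk], appetite: int) -> List[dict]:
    """One summary row per risk, in register order."""
    return [
        {
            "asset": r.asset,
            "threat": r.threat,
            "inherent": r.inherent_score(),
            "residual": r.residual_score(),
            "layers": sorted(r.categories_covered()),
            "treatment": recommend_treatment(r, appetite),
        }
        for r in risks
    ]


# Constructed controls, at least one per category.
TRAINING = Control("user training and awareness", "procedural",
                   likelihood_reduction=1, applies_to=frozenset({"user"}))
IR_PROCEDURE = Control("incident response procedure", "procedural",
                       impact_reduction=1, applies_to=frozenset({"device", "data"}))
LOCKED_OFFICE = Control("locked office and access badges", "physical",
                        likelihood_reduction=1, applies_to=frozenset({"device", "data"}))
DISK_ENCRYPTION = Control("full-disk encryption", "technical",
                          impact_reduction=2, applies_to=frozenset({"device"}))
BACKUPS = Control("tested offline backups", "technical",
                  impact_reduction=2, applies_to=frozenset({"data"}))

# Constructed risk register: one entry per asset/threat pair.
SAMPLE_RISKS = [
    # TRAINING is listed here but is not appropriate to a device, so it is ignored.
    Risk("laptop", "device", "theft from an unlocked office", 4, 4,
         [LOCKED_OFFICE, DISK_ENCRYPTION, TRAINING]),
    Risk("staff", "user", "phishing leads to credential loss", 5, 4, [TRAINING]),
    Risk("customer database", "data", "ransomware", 5, 5,
         [LOCKED_OFFICE, BACKUPS, IR_PROCEDURE]),
]
APPETITE = 6  # assumed: residual scores above this need further treatment

if __name__ == "__main__":
    for row in risk_register(SAMPLE_RISKS, APPETITE):
        print(row)
```

Running it gives the laptop an inherent score of 16 and a residual of 6 (accept), the phishing risk 20 and 16 with only a procedural layer (mitigate), and the database 25 and 8 with all three categories already in place (transfer). The "appropriate to the asset" check is the point the post makes about defence in depth: piling on controls that don't fit the asset adds cost without moving the score.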
Sometimes driving conditions can be challenging. Being a good driver requires a range of skills and knowledge, and for most people it is an important part of life. Governance, risk management and compliance help keep you safe.
Cybersecurity and information security risk is a daily challenge and not for the faint-hearted! It takes a wide range of skills and knowledge and is an important part of business at all levels. GRC teams help keep you safe.
Highway Code and Prosper!