Do you know or have control on how your risk solutions are accessed?

Are your organisation's security, incident, crisis, travel and response team members IT savvy enough ... what technologies are they using ... are they themselves a risk?

It is an interesting, if awkward, question to ask yourself. A new employee to one of these teams receives their new laptop, they use the default browser, maybe add some plugins, use their AI of choice to aid writing some text etc. ... what risks should you consider both from an IT perspective and from overall governance in how you deploy risk solutions ...

• What browsers are my users utilising when accessing the risk software when on their desktop, laptop, tablet and mobile handsets?

• What plugins, extensions, AI tools and content blockers may be installed in those browser that may create issues?

• What browsers are actually supported by the risk solution vendors? Are they supporting sufficiently up-to-date versions and how quickly are they keeping up with browser and operating system updates?

• Is the software itself rendering correctly within those browsers? So can I see all the information I am supposed to, are important visuals drawing right (maps etc.), is anything not been shown because of browser issues?

• Do all those devices have sufficient protection from malware, viruses etc. and are they being updated?

• Is there anything running within the browsers taking text/data from the web page being shown and processing it elsewhere ... to a hosted site not supported or compliant with your IT standards (SOC2, GDPR etc.)?

• What is the risk of the connection your device is using? Is it on your corporate network, a home network, are VPNs set up correctly, are they using public WiFi (such as at an airport or hotel)?

• If your users have access to highly sensitive information and content, do you have anything in place to validate much of what is discussed above?

This list could go on and on ... this is not just about IT compliance, it is also about personal responsibilities around the technology your people use when accessing your risk solutions ... and significantly, does your governance not only guide on all of this ... but tell you when you are non-compliant?