As companies continue to respond to the global pandemic, millions of their employees are working remotely, often from home. While this is the recommended response, it’s also creating new cyber risks.
More specifically, organizations face four daunting challenges today that significantly increase their risk exposure:
Distributed workforce: Organizations have created a distributed workforce on an unprecedented scale. But many of these devices are not up to date with the latest patches and hence poses a big risk to the organization.
Shortage of security staff: IT teams rushed to get the relevant hardware and software to the employees. This placed a huge stress on already-taxed IT teams to support everything from expanded remote work to fundamentally new operating models.
Rapid migration to the cloud: To ease some of the stress, organizations are migrating to the cloud. Unfortunately, they’re also noting an increased frequency of intelligent attacks by bad actors.
Lack of visibility: Even before the pandemic, many IT teams struggle to accurately assess machines on their network, which users have access to corporate resources, the software installed and what is actually being used. Today, as the attack surface has broadened with personal devices, these visibility gaps have become pervasive.
Risk as gain, not loss
In a progressive approach to risk, compliance specialists come together with IT security and operations to improve posture and compliance across the organization. In theory, that means gathering and analyzing data on the regulatory environment, security and privacy, and configuration management at one time. Only through that deep level of operational alignment can true technology risk management take place.
To do that effectively, we have to start by thinking of risk as something to gain, not to lose. In this view, risk becomes a window through which organizations can assess their health as it relates to operations, security and regulatory status—a view of the organization over time.
Cyber risk management that works
There are four key elements of risk management. To turn risk into a business gain, each needs to be handled properly:
Data collection: Many IT teams start their risk assessments by making decisions based on data from multiple products and discrete tasks. Unfortunately, this can result in a time-consuming process of reconciling these systems.
Analysis: Once data is gathered, it’s analyzed and categorized into various risk categories. Ideally, this is done continuously, not as a once-a-year effort. Infrequent assessments will fail to provide a clear and current picture of the organization’s risk posture.
Remediation: Once analysis is signed off, organizations should be well positioned to recommend or perform remediation actions to mitigate their risks. Prioritization is especially important because it helps IT teams improve their productivity and efficiency.
Reporting: The acute delivery of risk posture is the last and arguably most important step. Gathering comprehensive risk metrics and synthesizing it for executive-level reports can inform decision-making. Only by understanding their organizations’ risk postures can the board and the C-suite guide the business through effective risk decisions and gain greater oversight of its risk profiles.
6 steps to reduce your cyber risk and protect your business
Breaking down silos around risk management allows organizations to make more holistic choices. Here are six steps your organization can take to guard against cyber risk and turn risk into a business gain:
Limit user privileges: Organizations can mitigate the risk of cyber attacks by reducing their attack surface proactively. While this is easier said than done, it’s not impossible. Almost all attacks take advantage of user privileges to facilitate the assault. For example, if a phishing attack successfully breaches an employee machine or account, the assailant can move laterally through the network until the desired data is acquired.
This is one of the consequences of bad hygiene, which develops as people move across departments and jobs within a company. If their access rights are merely expanded every time a transition occurs, the risk of vulnerabilities will inevitably increase. Employees should only have access to the data and networks that are directly related to their current job – nothing more, and nothing less.
Discover sensitive data: Most hacks seem to be about money or destruction, but both results can be achieved by going after a company’s most sensitive data. For example, among retailers and service providers, payment-card information is a top target. Similarly, corporate data can be sold or used to embarrass a business. Organizations need to take a proactive approach, first by ensuring that privileged data is protected, and then by ensuring that the risk of unidentified assets is controlled.
Confirm compliance: Compliance risk reporting helps organizations understand the full range of their risk exposure. That includes the likelihood that a risk event may occur, the reasons it may occur, and the potential severity of its impact. An effective compliance assessment can also help organizations prioritize their risks, map them to the applicable risk owners, and effectively allocate resources to risk mitigation.
(Tanium reported that global businesses each spent an average of $70 million over the last year to satisfy the requirements of the California Consumer Privacy Act. Yet despite this hefty investment, a large majority (91 percent) of respondents continue to endure fundamental weak points that prevent a comprehensive view of their IT estate.)
Get executive buy-in: CIOs have a lot on their plate, but one of their biggest concerns in dealing with cyber threats is the struggle to effectively communicate IT risk to nontechnical executives and the board. Even the most tech-savvy business leaders find it difficult to keep up with the scope and pace of developments related to cyber risk. Once CIOs get this buy-in, they should invest in technology to automate performance reporting, provide metrics to track risk mitigation, and facilitate data-driven conversations around investments.
Benchmark for relevant results: By comparing the risk performance with similarly sized companies in the industry, businesses can more accurately measure the effectiveness of its risk mitigation programs. Benchmarking provides an excellent method for doing this, helping organizations align investments in the most critical areas. For example, while financial services are heavily regulated and thus required by law to protect customer data, utilities are required to protect their assets against attack. Also, differences can occur across organizations of different sizes.
Prioritize and automate: The goal of any solution is to make your organization more efficient. Risk solutions can help by providing a consistent data-driven prioritization scheme and automating actions. This has a potential of making teams significantly more productive.
Make smarter decisions to overcome vulnerabilities
Organizations should do whatever they can to make cyber risk a business gain, not a loss. They can do that by making informed, data-driven decisions based on real-time data, and implementing analysis continuously and routinely. True technology risk management is impossible without continuous monitoring of business-critical assets.
cyber risk, business
- ISO 27001 Lead Implementer
- ISO 27001 Foundation
- ISO 27001 Lead Auditor
- Certified Information Security Manager (CISM)
- Certified Information Systems Security Professional (CISSP)
- Certified Chief Information Security Officer (CCISO)
- Cybersecurity Professional
- Cybersecurity Lead Implementer
- Cybersecurity Lead Auditor
- Certified Ethical Hacker (CEH)
- Computer Hacking Forensic Investigator (CHFI)
Mehrotra, Payal (2020) Why you should make cyber risk a business gain, not a loss. Recovered on 12 January 2021 from https://www.helpnetsecurity.com/2021/01/06/cyber-risk-business-gain/12