[Author: Javier Gutierrez]
Cyber risk management has risen sharply in importance over the last couple of years, as companies have worked through the operational challenges of the pandemic, moved to hybrid working, prepared for the possible fallout of significant geopolitical events and faced a stream of new cyber risks.
Governments have invested heavily in building organizations that both monitor threats and provide practical advice to companies and organizations, in order to help them prepare for cyber attacks, develop strong cyber risk management programs and ensure resilience.
Organizations like the US Cybersecurity and Infrastructure Security Agency (CISA) and the UK National Cyber Security Centre (NCSC) regularly publish reviews of how well prepared businesses in the US and UK are for cyber attacks. Their goal isn’t to be alarmist but to educate business leaders and their teams about the emerging cyber risks they face and the practical steps they can take to mitigate them. This guidance typically echoes the advice that internal information security teams have already been giving, and it helps validate many business cases for investing more heavily in cyber security projects and cyber risk management initiatives.
CISA recently published an analysis of its FY2021 Risk and Vulnerability Assessments (RVAs), covering assessments of 112 organizations across the US Federal Government and the private sector. The analysis describes how malicious actors attack and exploit networks in stages, including initial entry, attack execution, persistence, privilege escalation and exfiltration. It also describes the impact on businesses and, for each stage, gives practical steps companies can take to address the issues.
Among the critical risks flagged in the FY2021 analysis were phishing attacks and the widespread use of default credentials. The analysis stressed the need for regular education about phishing and for the use of strong passwords that are regularly changed. (One caveat worth noting: current NIST SP 800-63B and NCSC password guidance advise against forcing routine password rotation, because it pushes users toward weak, predictable variations; passwords should instead be long, unique, and changed when compromise is suspected.) The analysis also highlighted the need to review intrusion techniques regularly, so that when an incident using a new technique occurs, organizations can respond swiftly. Other recommendations included changing default passwords, updating and patching software regularly, and finding and closing unnecessary open ports.
These sentiments were echoed in a recent UK NCSC report on the particular risks posed by enterprise connected devices (ECDs). ECDs include laptops, smartphones and enterprise Internet of Things (IoT) devices: physical devices such as fridges, smoke detectors, cameras and presence detectors that have network connectivity and can be controlled remotely. ECDs are popular because they offer management flexibility and efficiency savings in many working environments.
However, while popular, ECDs can pose a significant security risk, given how little most employees understand about the risks involved and how poor the visibility of these devices across an office estate usually is. The NCSC report highlighted many of the threats ECDs pose. Attackers use them as a foothold from which to reach other, better protected systems. Because IoT devices are often invisible to the security team and left on default settings, they make convenient pivot points for lateral movement into other systems, which can lead to data theft or ransomware, for example. These devices also represent a supply-chain threat: even if a company has tight ECD policies and controls itself, its suppliers may not.
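The controls CISA and the NCSC call out above (default credentials, unnecessary open ports, unpatched software, and devices nobody has visibility of) are easy to state and easy to lose track of across a large estate. The following is an added example, not code from the original article or from either agency: a small inventory audit that takes a device list of the kind an asset-discovery tool or CMDB export would produce and flags those issues. The inventory, the default-credential list, the expected-port policy and the 90-day patch threshold are all assumptions made up for the example.

```python
"""Audit a device inventory for the issues the CISA and NCSC reports flag.

Added example, not part of the original article. The inventory below is
constructed; the default-credential set and per-class port policy are
assumed for illustration and would come from vendor documentation and
your own network policy in practice.
"""
from datetime import date

# Vendor defaults that should never survive deployment (assumed list).
DEFAULT_CREDENTIALS = {
    ("admin", "admin"), ("admin", "password"), ("root", "root"), ("admin", "1234"),
}

# Ports each device class is expected to expose (assumed policy).
# Anything outside this set is reported as unexpected.
EXPECTED_PORTS = {
    "camera": {443},
    "smoke-detector": {443},
    "presence-sensor": {8883},  # MQTT over TLS
    "laptop": set(),
}

# Services that should never be reachable on an enterprise connected device.
RISKY_PORTS = {21: "ftp", 23: "telnet", 80: "http-admin", 445: "smb", 3389: "rdp"}

MAX_PATCH_AGE_DAYS = 90


def audit_device(dev, today):
    """Return a list of findings for one device record (empty if clean)."""
    findings = []

    # Default credentials: the single most common RVA finding.
    if (dev.get("username"), dev.get("password")) in DEFAULT_CREDENTIALS:
        findings.append("default credentials")

    # Open ports: risky services first, then anything outside policy.
    expected = EXPECTED_PORTS.get(dev["class"], set())
    for port in sorted(dev.get("open_ports", ())):
        if port in RISKY_PORTS:
            findings.append(f"risky port {port} ({RISKY_PORTS[port]})")
        elif port not in expected:
            findings.append(f"unexpected open port {port}")

    # Patch currency: no record at all is itself a finding.
    last = dev.get("last_patched")
    if last is None:
        findings.append("no patch record")
    else:
        age = (today - last).days
        if age > MAX_PATCH_AGE_DAYS:
            findings.append(f"unpatched for {age} days")

    # Visibility: a device with no owner is the kind nobody will fix.
    if not dev.get("owner"):
        findings.append("no owner recorded (visibility gap)")

    return findings


def audit_inventory(inventory, today):
    """Map hostname -> findings for every device that has at least one."""
    report = {}
    for dev in inventory:
        findings = audit_device(dev, today)
        if findings:
            report[dev["host"]] = findings
    return report


# Constructed sample inventory: two problem devices, two clean ones.
SAMPLE_INVENTORY = [
    {"host": "cam-lobby-01", "class": "camera", "owner": "facilities",
     "username": "admin", "password": "admin", "open_ports": {23, 80, 443},
     "last_patched": date.fromisoformat("2022-01-10")},
    {"host": "smoke-3f-02", "class": "smoke-detector", "owner": "",
     "username": "svc-smoke", "password": "7Kq!p2vX", "open_ports": {443},
     "last_patched": None},
    {"host": "pir-2f-07", "class": "presence-sensor", "owner": "facilities",
     "username": "sensor", "password": "Lm4#rTz9", "open_ports": {8883},
     "last_patched": date.fromisoformat("2022-10-01")},
    {"host": "lt-jdoe", "class": "laptop", "owner": "jdoe",
     "username": "jdoe", "password": "(managed by IdP)", "open_ports": set(),
     "last_patched": date.fromisoformat("2022-10-20")},
]
AUDIT_DATE = date.fromisoformat("2022-11-01")

if __name__ == "__main__":
    for host, findings in audit_inventory(SAMPLE_INVENTORY, AUDIT_DATE).items():
        print(host)
        for f in findings:
            print(f"  - {f}")
```

Run as-is it reports the camera (default credentials, telnet and cleartext admin exposed, 295 days without a patch) and the smoke detector (no patch record, no owner), and stays silent on the two devices that meet policy. Feeding it a real export and running it on a schedule is a cheap way to keep the visibility gap the NCSC describes from reopening.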
This situation illustrates the problem businesses face in deciding how best to respond to cyber risks that affect both the organization and its third parties, while resources and budgets remain constrained.
New technology capabilities are encouraging security teams to rethink how they tackle this type of challenge. They offer an alternative way of managing cyber risk: placing the implementation and monitoring of a business’s security policy in the hands of end users and their managers, rather than leaving it solely to a small and overstretched security team.
With a SaaS-based approach, security teams can provide an easy-to-navigate library of security policy documents with powerful search and Q&A capabilities, so that employees can understand their obligations at a pace that suits them and their projects. Education and testing capabilities help raise employees’ skills and awareness of new and emerging security threats. Attestation capabilities let them document, and provide evidence of, how they are complying with security standards. AI capabilities help information security teams spot where standards are not being adhered to as business needs change.
This approach lets information security teams guide the organization and its third parties through the cyber security policy at a pace everyone can manage, while the information security team remains the final arbiter of the cyber risk management program.