
Emerging cyber risks in the US and UK | Mitratech Holdings, Inc.


[Author: Javier Gutierrez]

Cyber risk management has grown significantly in importance over the past two years, as companies overcame the operational challenges of the pandemic, transitioned to hybrid working, prepared for the possible fallout from significant geopolitical events and emerging cyber risks.

Governments have invested heavily in creating organizations that monitor threats and provide practical advice to businesses and organizations, to help them prepare for cyber attacks, develop strong cyber risk management programs and ensure resilience.

Organizations such as the US Cybersecurity and Infrastructure Security Agency (CISA) and the UK’s National Cyber Security Center (NCSC) regularly issue advisories on the general state of business preparedness for cyberattacks in the United States and the United Kingdom. Their goal is not to be alarmist but rather to educate business leaders and teams about the emerging cyber risks they face and the practical steps they can put in place to mitigate them. Typically, these tips echo advice offered by information security teams within organizations and help validate many of the business cases for investing more in cybersecurity projects and cyber risk management initiatives.

CISA recently reviewed its FY2021 risk and vulnerability assessments (RVAs), which covered 112 U.S. federal government and private sector organizations. This RVA review highlighted some of the patterns malicious actors use to attack and exploit networks, including initial entry, attack execution, persistence, privilege escalation, and exfiltration. It also highlights the business impact of each aspect and provides practical steps that businesses can take to resolve the issues.

In the FY2021 review, critical risks reported by CISA included phishing attacks and widespread use of default security credentials. The analysis highlighted the need for regular training on phishing attacks and the use of strong passwords, which are regularly changed. The report also highlighted the need to regularly review intrusion techniques so that when incidents occur using new techniques, organizations can respond quickly. Other issues highlighted the need to change default passwords, regularly update and patch software, and find and repair open ports.

These sentiments were echoed in a recent report by Britain’s NCSC, highlighting the particular risks associated with enterprise connected devices (ECDs). ECDs include laptops, smartphones and enterprise Internet of Things (IoT) devices, which are physical devices (think refrigerators, smoke detectors, cameras and occupancy sensors, for example) that contain network connectivity capabilities that allow them to be controlled remotely. ECDs are popular because they provide management flexibility and efficiencies in many work environments.

However, while popular, ECDs can pose a significant security risk, given the lack of understanding among most employees of the security risks involved and the lack of visibility of these devices in an office park. The NCSC report highlighted many of the threats that ECDs pose. Hackers use them as a starting point to access other, more secure systems. The lack of visibility of IoT devices and the use of default security settings mean they are suitable for lateral attacks on other systems that can lead to data theft or ransomware attacks, for example. The use of these devices in a company’s supply chain also poses a threat: even if a company has strict ECD policies and monitors itself, its suppliers may not.

This situation highlights the problem companies face as to how best to respond to cyber risks, impacting both the organization and third parties, when resources and costs remain constrained.

New technological capabilities are encouraging security teams to rethink how best to meet this type of challenge. They can now offer another way to manage cyber risk by placing the implementation and monitoring of a company’s security policy in the hands of end users and their managers, rather than just a reduced and overwhelmed security team.

A SaaS-based approach means security teams can provide an easy-to-browse library of security policy documents with powerful search and question-and-answer capabilities that allow employees to understand their obligations at a pace that suits them as well as their projects. Training and testing capabilities help improve employee skills and awareness of new and emerging security threats. Attestation capabilities allow them to document and provide evidence of compliance with security standards. AI capabilities allow information security teams to know where standards are not being met, as specific business needs change.

This approach allows information security teams to better guide the organization and third parties on their cybersecurity policy at a pace they can all manage. It also means that the information security team can continue to be the final arbiter of the cyber risk management program.
