Dan Matthews identifies the IT risk management best practices that CTOs must implement to keep the organisation properly protected
IT risk comes in many forms, from the generic to the specific, known and unknown. It is present in internal operations and in the ambitions of malign forces acting beyond national borders. With so much to consider, how can you manage IT risk without impinging on operational efficiency?
First, decision-makers must accept that IT risk is business risk, requiring a holistic strategy, and should not be left to tech departments to sort out, according to Tarquin Folliss, director of corporate affairs at Reliance acsn.
“Organisations fail to mitigate IT risk when they consider it in isolation and view it as a purely technical issue. IT departments are not security experts, yet many organisations hold their IT departments responsible for IT security.”
When we talk about risk, what we really mean is each organisation’s unique set of vulnerabilities. These loopholes are monitored, generically and specifically, by bad actors who would exploit them for financial or political gain, or occasionally just for clout.
The first step, then, is to understand centres of risk within your organisation. These evolve with tech advances and behavioural change, for example with the transition to hybrid working brought on by the Covid-19 pandemic.
“This has presented new challenges with expanded networks beyond the traditional office environment: no physical barriers or access controls, reduced VPN effectiveness, more endpoints and a greater attack surface to monitor,” says Folliss.
“Remote working distorts an IT security team’s ability to manage and control the network and introduces new threats and vulnerabilities – and thus new risk.”
So your analysis can’t be a one-off; rather, it must be a continuous, rigorous and honest programme of testing and assessment that gets to the heart of an organisation’s DNA, says Pascal Geenens, director of threat intelligence at Radware.
“This involves having people think like an attacker and test existing security controls against known vulnerabilities and attacks,” he says. “Given the dynamic nature of the infrastructure and the continuously changing threat landscape, a one-off red teaming or pen-testing exercise is not adequate. It should be a practice that is continuous, integrated in the existing controls, closely measured and reported on by management.”
This should be accompanied by organisation-wide cultural change that emphasises everyone’s role in maintaining integrity. Corporate-level spotlighting of data privacy and security, supported by non-tech executives at the top of the business, reduces the risk of head-slapping mistakes.
“Fostering a cyber security culture can present a stronger front against IT risks than any single policy or procedure, and will outlast individual turnover and isolated incidents,” says Erfan Shadabi, cyber security expert at comforte AG.
“Organisations can and should create a cyber security culture by weaving it through procedures and practices, engaging employees on the shared risk and the shared rewards and maintaining an active internal conversation.”
Another pillar in the construction of a robust security set-up is incorporating software that protects against viruses, spyware and ransomware. This could be as simple as selecting operating systems with security built in or restricting devices so that they can only run software from an approved enterprise app catalogue.
Here, your mission is complicated by personal or dual-use devices, particularly in hybrid or home-working scenarios, in which case anti-virus software may become part of your plans. In either case, evaluating your risk surface and covering weaknesses is a must.
“Not only do security tools significantly increase our resilience against cyber threats, they also free up our security teams to focus on the equally critical organisational dimension of compliant data processing,” says Scott Richardson, chief security officer at Crayon Group.
But, even with the most rigorous controls, no organisation is invulnerable to digital threats, and a comprehensive security strategy must include protocols for what to do when a breach occurs.
So-called “zero days” – in which flaws are discovered by the IT team after the fact – are common, and bad actors are always looking for weak points to exploit before they are patched. This gives criminals a window of opportunity to freeze infrastructure for blackmail and extortion.
According to Geenens, organisations must respond to this unpleasant reality by rehearsing attacks through simulation, ensuring you can act efficiently and adequately in the event of a real breach.
He adds: “Visibility, in terms of logging and tracing, will allow an organisation to assess the damage and what or who was impacted by the breach. It will also allow an organisation to have greater confidence that all sources and compromised devices were remediated, and no further risk is lingering inside.
“In the case of ransomware attacks, having a good test recovery plan is a minimal requirement. Even in the case of paying off the attackers, parts of the servers and data might not be recoverable. You should not trust in the reversibility of the malicious actors’ actions.”
How to prevent a cyber event
Risk is something businesses – like individuals – must accept and live with.
Folliss believes that, in the absence of total security, organisations should focus on becoming resilient, with an emphasis on discovery, awareness, planning and preparation.
“Events or incidents, by their nature, occur outside an organisation’s control, in the physical world as well as cyber space,” he explains.
“But a cyber event has a velocity and scope far greater than a physical event. How rapidly and effectively an organisation responds to a cyber event is critical to minimising the impact. That only comes through preparation.”
He recommends organisations tick off the basic steps outlined by the National Cyber Security Centre (NCSC). These are seemingly obvious, but Folliss says he’s surprised how many organisations don’t adhere to them:
- Have a robust password management policy in place and enforce it.
- Manage patches efficiently.
- Back up your data, preferably ‘air-gapped’ from your network.
- Manage access and, where practical, initiate multi-factor authentication.
- Plan for an incident, test it and practise it.
To this list, Geenens adds visibility through logging, measurability of security controls, and incorporating automation, where possible, to keep up with the continuously evolving threat landscape.
By keeping these points ticked off, you can prevent your organisation from becoming the sort of low-hanging fruit all criminals love to exploit – and thereby shield your business from the worst the cyber underworld will throw at it.
Written by Dan Matthews, freelance business journalist