Cybersecurity Risk Management Steps to Protect Your Business
Cyberattacks can happen to anyone. Whether you’re an individual with a single device or a corporation with a huge network, cybercriminals can find a reason to attack you. As a business, cybersecurity risk management is especially important. Because a cyberattack can have such a devastating effect on your business, it’s vital to have both a risk management plan and a tested response plan in place.
See The Importance of Testing Your Cybersecurity Response with Steve Orrin for a complete transcript of the Easy Prey podcast episode.
Steve Orrin is the Federal Chief Technology Officer and Senior Principal Engineer for Intel Corporation. His job revolves around helping the federal government and public sector adapt to current and future technologies, as well as push the envelope of what’s possible in hardware, software, and cloud service. The other part of his job is to be a “two-way communicator,” so to speak. He helps translate government terminology and Intel terminology so those two very different worlds can understand each other better. It’s a surprisingly important role in IT and security. When entities that have a very different vocabulary are trying to work together, it’s hard to make good decisions if they don’t understand each other.
Where to Begin with Cybersecurity Risk Management
It’s a question that needs to be asked up front: When you’re trying to improve your company’s cybersecurity risk management, where do you start? IT in general, and security in particular, have a limited budget, a limited workforce, and an infinite amount of vulnerabilities and exploits to deal with. It’s impossible to protect against everything from everywhere. So where should you start, and what can you do to make the biggest difference?
You can’t secure what you don’t know.
Steve Orrin
The first step of cybersecurity risk management is understanding the risk environment. It’s impossible to secure something if you don’t know what it does, where it’s vulnerable, or even that it exists. You have to start by understanding your business’s assets, services, and resources. Whether it’s a formal catalog or just an assessment of the things you’re trying to protect, that’s your first step.
What really drives successful cybersecurity risk management is understanding the risks associated with those assets. Not every system is your most critical system, and not every attack is going to bring your system down. This is often lost when people look at the big frameworks. Successful Chief Information Officers (CIOs) and Chief Information Security Officers (CISOs) are able to do assessments of both the systems and the data that need to be protected. Once you know what’s essential to keeping operations going, you can prioritize your risk management.
Analyzing the Next Step
Now you understand the environment and have an idea of your risks. The next question to ask is what you can do differently and what technologies you can implement to improve your cybersecurity risk management. Many times people get to this stage and start talking about what the security pros have been talking about for years: you need better security hygiene, more patch management, active sensors for detection, and everything else. The reality is that most large, and even most medium-sized, businesses are doing that already. If you look at the checklist, they have great security hygiene, are following best practices, and are in compliance with regulations. But they’re still getting attacked.
The question isn’t how to do better security hygiene. It’s what you can do above and beyond those fundamentals to make a measurable difference in security. If you look at most CISOs’ budgets, about eighty percent goes to antivirus, firewalls, data protection, and other security hygiene initiatives. But what is that other twenty percent doing to improve your cybersecurity risk management? It’s often difficult, if not impossible, to prevent attacks. But if you can limit the impact of an attack and prevent it from becoming catastrophic, that can make a massive difference.
Understanding risk management isn’t about solving every security problem, it’s about managing the risk.
Steve Orrin
Cybersecurity Risk Management with Microsegmentation
Steve highly recommends network segmentation and microsegmentation as one technological approach to cybersecurity risk management. It’s not the sexiest part of a security strategy, and it often doesn’t require any new technology or products. You probably already have the core infrastructure. But it can provide three massive benefits to your cybersecurity risk management.
Benefit #1: Microsegmentation Contains the Threat
Microsegmentation takes your larger network and breaks it into smaller, isolated enclaves. When one of those smaller network enclaves is compromised, the threat is contained. It may wreak havoc in that one specific area, but it can be contained more quickly and won’t spread to the whole organization. A ransomware attack at one branch office, for example, may take down that office, but it won’t spread to headquarters or any of the other offices. Microsegmentation allows you to better contain threats.
Benefit #2: Microsegmentation Allows for Better Policies
Whether you’re going down the path of zero trust network security or building out risk management infrastructure, one tenet of cybersecurity risk management is specific and dynamic policies. A one-size-fits-all policy is almost useless: it has to fit almost every situation, so it’s so broad that it does little good. Microsegmentation allows you to implement specific, granular policies for each segment, which gives you better control over each one. Plus, it lets you change policy in response to a new threat in one area without having to revise the policy for everything.
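To make the two benefits above concrete, here is an added example (not code from the page, from Steve Orrin or from Intel) that models inter-segment policy as a default-deny allow list. The segment names, address ranges, target services and rules are all constructed for the illustration; the point is to show how a flat network lets a compromised branch-office host reach everything, how a segmented policy limits it to the one flow the business needs, and how one segment can be locked down without touching any other segment’s rules.

```python
"""Added illustration of microsegmentation policy (not from the page or Intel).
Segment names, address ranges and rules are constructed for this example."""
import ipaddress
from dataclasses import dataclass, field

# Constructed segment map (private ranges chosen for the example).
SEGMENTS = {
    "branch-office":  ipaddress.ip_network("10.10.0.0/24"),
    "hq-users":       ipaddress.ip_network("10.20.0.0/24"),
    "hq-fileservers": ipaddress.ip_network("10.30.0.0/24"),
    "canary":         ipaddress.ip_network("10.99.0.0/28"),
}

def segment_of(ip: str) -> str:
    """Map an address to the segment that contains it."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"

@dataclass
class Policy:
    # Permitted inter-segment flows as (src_segment, dst_segment, dst_port);
    # a port of None means any port. Anything not listed is denied.
    allow: set = field(default_factory=set)

    def permits(self, src_ip: str, dst_ip: str, dst_port: int) -> bool:
        src, dst = segment_of(src_ip), segment_of(dst_ip)
        if src == dst:
            return True  # intra-segment traffic is outside this policy's scope
        return (src, dst, dst_port) in self.allow or (src, dst, None) in self.allow

# A flat network: every segment may reach every other segment on any port.
FLAT = Policy({(s, d, None) for s in SEGMENTS for d in SEGMENTS})

# Microsegmented: only the specific flows the business actually needs.
SEGMENTED = Policy({
    ("hq-users", "hq-fileservers", 445),
    ("branch-office", "hq-fileservers", 445),
})

# Constructed set of services an intruder might try to reach.
TARGETS = [("10.20.0.5", 3389), ("10.30.0.5", 445), ("10.99.0.2", 22)]

def reachable_segments(policy: Policy, src_ip: str, targets=TARGETS) -> set:
    """Segments a compromised host at src_ip could reach under the policy."""
    return {segment_of(ip) for ip, port in targets if policy.permits(src_ip, ip, port)}

def quarantine_segment(policy: Policy, segment: str) -> Policy:
    """Respond to a threat in one segment by dropping its outbound allows,
    leaving every other segment's rules untouched (Benefit #2)."""
    return Policy({rule for rule in policy.allow if rule[0] != segment})

if __name__ == "__main__":
    host = "10.10.0.77"  # compromised branch-office workstation (constructed)
    print("flat:       ", sorted(reachable_segments(FLAT, host)))
    print("segmented:  ", sorted(reachable_segments(SEGMENTED, host)))
    locked = quarantine_segment(SEGMENTED, "branch-office")
    print("quarantined:", sorted(reachable_segments(locked, host)))
```

The same check can be run against a real firewall or SDN policy export once it has been reduced to (source segment, destination segment, port) tuples; the useful habit is to enumerate what a compromised host in each segment can still reach, rather than only reviewing rules one at a time.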
Benefit #3: Microsegmentation Allows “Threat Canaries”
Microsegmentation allows for a concept that Steve calls “threat canaries.” Most companies have existing infrastructure, and they don’t want to upgrade all of it. With microsegmentation, you don’t have to update it to the latest and greatest. Instead, you can create network segments, and then drop a sensor or node into that environment. The node can have all the latest and greatest technology and have its sensors turned up to the highest setting.
In unsegmented networks, sensors can produce a lot of false positives. If you tune a sensor to look for something specific and then put it in a very general environment, it results in false positives more often. But if you put it in a microsegmented environment, you can tune it to the specifics of that environment. It can be a “canary in the coal mine,” alerting you to more threats, sooner, with fewer false positives.
When That Many Sensors Aren’t in the Budget
Putting sensors in every segment can be expensive, especially if microsegmentation broke your network into a lot of segments. Most people assume that if there’s only room in the budget for one or two sensors, they should be placed in the most critical areas.
Instead, Steve recommends putting them in the most exposed segments. Whether it’s the most exposed because it has the most internet access, has the most employees going in and out, or another reason, you have to think about both where you want to put it and where the risk is. Cybersecurity risk management is about reducing that risk. Ideally you would put sensors in every network segment. But if you can only add one, putting it in the most exposed segment is a good choice.
Steve has also seen that once you start getting good data from that sensor, it provides a business justification for more sensors. If you can say that you put a sensor here and that data is helping you catch and block these many threats, it’s an excellent way to justify the cost. The data shows the sensors actually provide value and can show a measurable impact on your cybersecurity risk management.
Protecting Data for Cybersecurity Risk Management
After you’ve done the network microsegmentation and added those sensors to the segments, the next step is to look at your company’s data. In the modern world, data is king. It’s the oil that drives an enterprise. People understand that you have to protect your data, wherever it is. Is it being stored securely? Is it being transferred securely?
But those aren’t the only questions that need to be asked. What about when it’s actively being changed? Is it in the cloud at all, and if so is it secure there? Is it secure in virtualization? What about when it’s in a container and being transacted upon? How do you protect the data there?
If you use cloud services, many cloud providers are starting to offer confidential computing. This allows you to protect the “last mile” of your data. Your data is protected from others in that cloud environment, and it takes the cloud provider out of your trust boundary. The cloud provider doesn’t have to be in your trust domain because with confidential computing, they have no access to any of your data. You are completely in control of your data’s security and how it’s accessed. There’s not a lot of widespread adoption yet, but the services are there.
The “Last Mile” of Cybersecurity Risk Management
Steve always recommends that people start planning for the “last mile” of security. You have transfer security, network encryption, and full disk encryption, so why are you still having a data breach problem? It’s because the attackers are grabbing that data out of the database as it’s queried, because at that point it’s no longer encrypted. If data is encrypted even while it’s in use, then even if someone could steal it, the risk is lower.
Another thing every company should do is move from an audit or annual check process to continuous monitoring of both the data and the environment. Steve has seen examples where things were being monitored but the data didn’t provide the right context because the threat profile had changed. Even if you’re always monitoring, if the threat environment changes, you have to make sure the risk profile is updated.
It’s really about continuous monitoring and continuous or dynamic policy and risk management.
Steve Orrin
When you look at large-scale data breaches, terabytes of data were often lost. Yes, there was a vulnerability that wasn’t patched. But where was the exfiltration monitoring? Data was going to some external IP address, and because nothing was monitoring it, nobody noticed. Even if it was a small trickle over a long time, it could have been noticed.
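The “small trickle for a long time” point is easy to test against your own flow logs. The following is an added example, not code from the page or from Steve Orrin, that aggregates outbound bytes per (internal source, external destination) per day and flags two patterns: a destination that is contacted on many distinct days (the trickle) and a single day that moves an unusually large volume (the burst). The log format, the addresses (documentation ranges) and the thresholds are constructed for the illustration; real deployments would tune the thresholds per segment and baseline against normal SaaS traffic.

```python
"""Added example of slow-exfiltration detection over flow logs (not from the
page). Log format, addresses and thresholds are constructed for illustration."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed outbound flow records: timestamp, source, destination, bytes sent.
SAMPLE_LOG = """\
2024-03-01T09:12:00Z src=10.20.0.5 dst=203.0.113.10 bytes_out=20480
2024-03-01T23:55:00Z src=10.20.0.8 dst=203.0.113.50 bytes_out=204800
2024-03-02T23:55:00Z src=10.20.0.8 dst=203.0.113.50 bytes_out=204800
2024-03-03T23:55:00Z src=10.20.0.8 dst=203.0.113.50 bytes_out=204800
2024-03-04T23:55:00Z src=10.20.0.8 dst=203.0.113.50 bytes_out=204800
2024-03-05T10:00:00Z src=10.20.0.8 dst=10.30.0.5 bytes_out=52428800
2024-03-05T23:55:00Z src=10.20.0.8 dst=203.0.113.50 bytes_out=204800
2024-03-06T23:55:00Z src=10.20.0.8 dst=203.0.113.50 bytes_out=204800
2024-03-07T23:55:00Z src=10.20.0.8 dst=203.0.113.50 bytes_out=204800
2024-03-07T14:30:00Z src=10.20.0.12 dst=203.0.113.77 bytes_out=5242880
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) bytes_out=(\d+)$")
INTERNAL = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_external(ip: str) -> bool:
    """True when the address is outside the private ranges we consider internal."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL)

def parse_flow_log(lines):
    """Yield (timestamp, src, dst, bytes_out); malformed lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m.group(2), m.group(3), int(m.group(4))

def find_exfil_candidates(lines, min_days=5, burst_bytes=1_000_000):
    """Aggregate outbound bytes per (src, external dst) per day and flag pairs
    that either talk on at least min_days distinct days (a trickle) or move
    burst_bytes or more in a single day (a burst). Returns {pair: finding}."""
    daily = defaultdict(lambda: defaultdict(int))
    for ts, src, dst, n in parse_flow_log(lines):
        if is_external(dst):          # internal-to-internal transfers are ignored
            daily[(src, dst)][ts.date()] += n
    findings = {}
    for pair, per_day in daily.items():
        reasons = []
        if len(per_day) >= min_days:
            reasons.append("persistent-trickle")
        if max(per_day.values()) >= burst_bytes:
            reasons.append("burst")
        if reasons:
            findings[pair] = {"days": len(per_day),
                              "total_bytes": sum(per_day.values()),
                              "reasons": reasons}
    return findings

if __name__ == "__main__":
    for (src, dst), finding in find_exfil_candidates(SAMPLE_LOG.splitlines()).items():
        print(f"{src} -> {dst}: {finding}")
```

In the constructed log, the host sending 200 KB to the same external address every night for a week never trips a per-flow volume alarm, but the day count catches it; the 5 MB single-day transfer is caught by the burst rule instead. Both rules are cheap enough to run continuously, which is what the text is asking for.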
New Businesses Don’t Have an Advantage in Cybersecurity Risk Management
There’s a perception that new businesses have an advantage when it comes to cybersecurity risk management. When there aren’t structures in place, people assume that you will be able to create secure systems right up front. But in existing businesses, cybersecurity risk management requires changing existing systems and convincing people set in their ways to do something different. They’re already making a lot of money with their current approach, so the perception is that they will avoid change and it will be a struggle.
But one thing that Steve has noticed in larger organizations is that they’re not actually sitting still because their customers aren’t sitting still. Very few large businesses are static in this day and age. They’re all adopting digital technology, transforming, and modernizing. Even in billion dollar industries that have been around for a long time, there’s constant transformation. In some cases, being an established business can be an advantage because they already know how they’re moving data around. The challenge is only to transform it.
The truth is that no one is immune from a cyberattack. A meat packing plant in Australia was attacked, and it would be hard to find a less sexy target to attack than a meat packing plant. But that attack emphasized how every aspect of our lives is becoming digital. That plant relied on digital infrastructure to move meat through the system. When ransomware hit, the plant shut down. No matter how old your company is or what you do, cybersecurity risk management is essential.
The Challenge of Ransomware
Ransomware attacks are especially challenging because they don’t have to have an intentional target. There are three modes of ransomware attack. The first is targeted: the attacker goes after a particular business for a particular reason. The second is opportunistic: the attacker casts a wide net to see who isn’t paying attention to cybersecurity risk management, and once they get into any system, they see what they can target. The third is purely automated: the attacker sets up an automated attack to hit anything and everything and installs crypto-mining malware whenever they get in. They don’t care whether they got into a bank or a random individual’s laptop, because the goal is cryptocurrency mining.
Everyone is a potential target, even if you’re not being targeted.
Steve Orrin
The challenge from a CIO and CISO perspective is that there’s no way to know the attacker’s intent even after they’ve gotten in. Attribution is difficult and rare. The automation and tools available these days let attackers go pretty deep into your systems without having to craft a unique spear phish for one particular executive, or even choose to target your company in particular.
Make a Plan, Then Run the Plan
The goal isn’t to be 100% protected, because that will never happen. All the standards around cybersecurity risk management are built around resiliency. There are two important questions to ask. The first is, how can you continue to run your business while it’s being actively attacked or exploited? And second, how do you get back to a known good state in a timely fashion? Cybersecurity response plans, disaster recovery, and operating-under-attack approaches can help with this. Create a plan for dealing with this potential worst-case scenario.
Once you have that plan, actually run it. Not just with IT or security, but with everyone. In a real crisis, legal, marketing, the board, and everyone else will have a role to play. Run the full exercise with everyone involved. Steve often sees that when something actually happens, even if there’s a good plan, people spend a lot of time trying to figure out what they’re supposed to do. But if you’ve run through the full response in a simulated scenario, everyone knows their role and what needs to be done.
Even in big companies, board members tend to appreciate being brought in as part of this exercise. It helps them get a better sense that you’re taking security seriously. It also helps them get an understanding of what’s being done security-wise in this company that they run, and they often start to spread the message about best practices to the entire organization.
Cybersecurity Risk Management in the Technology Supply Chain
As a business, you can control what’s on your servers. But another factor in cybersecurity risk management is the technology supply chain. Whether it’s a website hosting company, a software supplier, or anyone else, you have to also manage cybersecurity risk with your partners and their partners. If someone several links down the supply chain gets compromised, the attack could work its way through the system to you, even though your business itself was never directly breached.
It’s a challenge that’s being brought up in boardrooms and agencies now as everyone is trying to find answers. With events like Log4j and SolarWinds in the news, people are trying to figure out how to protect businesses from supply chain attacks.
You can’t secure what you don’t know. You can’t know unless you’re able to get that information.
Steve Orrin
The first step in the process is transparency and visibility. You can’t secure anything until you know what you have. When the system is provided by someone else, you need information to know what you have. This could be as formal as a Software Bill of Materials (SBOM), or just understanding who your supply chain partners are and their ecosystem. Having transparency and visibility will help you make better risk decisions.
Transparency Isn’t Security
This visibility and transparency with the partners in your supply chain won’t by itself give you better security. An SBOM doesn’t create a firewall, and understanding your partners’ ecosystems won’t encrypt your data. But cybersecurity risk management isn’t just about actually securing things. It’s about making better decisions based on understanding the risk. Once you have the information from the partners in your supply chain, you can make better decisions.
The decision could be as dramatic as deciding there is too much risk and you’re not going to leverage this product. More often, it involves using the product anyway but understanding the risks it offers. Then you can implement additional cybersecurity risk management measures to compensate for those risks. If you work with a supplier who doesn’t give you a lot of visibility, you can monitor that product more closely. Sometimes, asking for additional visibility can help. Steve recommends requesting specific visibility artifacts in your contract where possible.
The last piece is that you can’t make it a checkbox. The SBOM or visibility information shouldn’t just check a box on your list and then go into a file. For cybersecurity risk management through your supply chain, you need to use that content. That means actually reading it, extracting the relevant details, and using them to make risk decisions. It’s a lot of work, but you end up with better security.
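What “actually reading it, extracting the relevant details, and using them to make risk decisions” looks like in practice is shown by the following added example, which is not code from the page or from Intel. It reads a constructed CycloneDX-style SBOM (a small subset of the real format, embedded inline), checks each component against a constructed advisory list whose ids are placeholders rather than real vulnerabilities, and maps each component to one of the decisions the text describes: refuse the product, use it with compensating controls, use it with extra monitoring because the supplier gives little visibility, or accept it. The version comparison handles only plain dotted numeric versions, which is an assumption made for brevity.

```python
"""Added example of turning an SBOM into a risk decision (not from the page).
The SBOM below is a constructed CycloneDX-style subset; the advisory list and
its ids are placeholders, not real vulnerabilities."""
import json

SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "example-logger", "version": "2.14.1",
     "supplier": {"name": "Example Foundation"}},
    {"type": "library", "name": "tiny-padder", "version": "1.0.3"},
    {"type": "library", "name": "json-fastlib", "version": "3.2.0",
     "supplier": {"name": "Example Vendor"}},
    {"type": "library", "name": "http-client-x", "version": "4.5.0",
     "supplier": {"name": "Example Vendor"}}
  ]
}"""

# Constructed advisories: every version below fixed_in is treated as affected.
ADVISORIES = [
    {"id": "ADVISORY-PLACEHOLDER-1", "component": "example-logger",
     "fixed_in": "2.17.0", "severity": "critical"},
    {"id": "ADVISORY-PLACEHOLDER-2", "component": "json-fastlib",
     "fixed_in": "3.3.0", "severity": "medium"},
]

def parse_version(v: str) -> tuple:
    """Plain dotted numeric versions only (assumption made for this example)."""
    return tuple(int(p) for p in v.split("."))

def affecting_advisories(name: str, version: str, advisories=ADVISORIES) -> list:
    """Advisories that apply to this exact component and version."""
    return [a for a in advisories
            if a["component"] == name
            and parse_version(version) < parse_version(a["fixed_in"])]

def assess_sbom(sbom_text: str, advisories=ADVISORIES) -> dict:
    """Map each component to one of: block, use-with-compensating-controls,
    use-with-extra-monitoring (no supplier visibility), or accept."""
    bom = json.loads(sbom_text)
    results = {}
    for comp in bom.get("components", []):
        name, version = comp["name"], comp["version"]
        hits = affecting_advisories(name, version, advisories)
        if any(a["severity"] == "critical" for a in hits):
            decision = "block"
        elif hits:
            decision = "use-with-compensating-controls"
        elif "supplier" not in comp:
            decision = "use-with-extra-monitoring"  # low visibility into origin
        else:
            decision = "accept"
        results[f"{name}@{version}"] = {"decision": decision,
                                        "advisories": [a["id"] for a in hits]}
    return results

if __name__ == "__main__":
    for component, verdict in assess_sbom(SBOM_JSON).items():
        print(component, verdict)
```

The decision table is deliberately small; the part worth keeping is that the SBOM feeds a routine that runs every time the advisory list or the SBOM changes, so the document never becomes a checked box sitting in a file.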
The Biggest Blind Spot in Cybersecurity
The most-overlooked risk factor in cybersecurity is things that came into the organization through the front door and were approved. There are a lot of tools out there looking for malware. They do a great job looking for an anomaly up front. These tools are fantastic at a lot of the security hygiene stuff, and do a great job if the problem is something weird on the network or a file that doesn’t belong. Where they don’t do a great job is product-specific monitoring.
If an attacker gets into an approved piece of software or system, these kinds of tools won’t pick it up. The thing that’s often missed is monitoring everyday processes like your word processing program, your ERP application, or the website that your client is seeing. Those things need to be monitored. And if they’re acting strangely or there’s something anomalous, it needs to be checked out. And above all, if people report that something is acting weird on your customer-facing website or software, take it seriously and look beyond the code. Monitoring is essential to catch problems early, but if you’re not monitoring fundamental things, it’s easy to miss a potential disaster.
The best way to connect with Steve Orrin is on LinkedIn at linkedin.com/in/sorrin. You can also view some of the materials he’s written at intel.com/publicsector. That’s also where you’ll find all his government recommendations and most of the work he’s doing on cybersecurity.