Not All Security Risks Are Created Equally
Information security risk is commonly defined as the likelihood that a security gap (a vulnerability, misconfiguration or weak control) is exploited, combined with the financial or reputational loss that would follow. Companies may use several security testing products, in addition to risk-assessment services, to detect their security gaps. However, as systems become more complex and attacks more sophisticated, gaps multiply, and their sheer number exceeds many organizations’ remediation capacity. For example, if your team identifies 1,000 security gaps but can reasonably address only 100, where should it start? How should remediation proceed?
If you spread your resources across all potential risks, you won’t address any of them adequately, leaving your organization more exposed to attack. Risk prioritization is the best way to combat this problem. It whittles a massive pile of risks down to a manageable list that a security team can realistically address while keeping the organization secure. The prioritization component is critical: you don’t want to dedicate resources to gaps that are unlikely to pose a severe threat to the business. Here are three time-tested tips for developing a risk-based decision-making strategy to prioritize security gaps.
Think Like a Cybercriminal
Some of the high-profile security breaches from earlier this year offer helpful clues about how to prioritize security risk. Recall the Colonial Pipeline cyberattack, which shut down a top U.S. pipeline for several days and resulted in a $5 million ransom payout. The investigation of the breach revealed that the attackers got in through a legacy VPN account. The account was no longer in use at the time of the attack but could still be used to access Colonial’s network, and it was not protected by multifactor authentication. So, how does that tie into prioritization? It’s a reminder that attackers are always looking for the lowest-hanging fruit, the path of least resistance, into a victim’s network. Learn to think like an attacker and ask yourself, “What’s the path of least resistance into our IT ecosystem?” Besides the mistake Colonial made in not revoking the VPN credentials after a remote worker left the company, there are other common themes in major security breaches, such as:
- Unpatched systems
- Easy-to-guess passwords
- Failing to use multifactor authentication (MFA)
- Giving employees more access than they need to do their jobs (e.g., admin rights to sensitive areas of the network) instead of least-privilege access
Put Vulnerabilities in Context
Understanding the business context surrounding a risk helps your team anticipate potential attack paths, including those that run through subsidiaries, suppliers and other connected third parties. Evaluating risks through the lens of business importance and attractiveness to attackers is one of the most vital yet neglected elements in security. It tells an organization whether a finding poses a legitimate threat to a material business process, rather than just a high score on a scanner report.
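A small prioritization model, added here as an example and not code from the original article or from any vendor it names: it scores each finding by attacker likelihood (internet exposure, a known exploit, missing MFA, third-party reach) times business impact (asset criticality), then returns the top N a team can actually fix. On the constructed sample set, a modest-severity dormant VPN account without MFA outranks a critical-severity bug on an isolated lab box, which is the point of the two tips above. The multipliers, field names and sample findings are assumptions chosen for illustration, not a published standard.

```python
"""Risk-based prioritization of security findings.

Added example; not code from the original article or any vendor it
mentions. Scores each finding by how likely an attacker is to use it
(the path of least resistance) times how much the business would lose
(asset criticality), then returns the top N the team can actually fix.
The weights, field names and sample findings are illustrative
assumptions, not a published standard.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    id: str
    title: str
    severity: float            # 0-10, CVSS-like technical severity
    internet_exposed: bool     # reachable without an existing foothold
    exploit_known: bool        # public exploit or active exploitation
    asset_criticality: int     # 1 (lab box) .. 5 (revenue-critical system)
    mfa_enforced: bool = True  # set False only for auth paths lacking MFA
    third_party: bool = False  # reached via a supplier/subsidiary link


def likelihood(f: Finding) -> float:
    """Attacker's view: technical severity amplified by the conditions
    that make a gap the easiest way in (assumed multipliers)."""
    score = f.severity / 10.0
    if f.internet_exposed:
        score *= 2.0    # no foothold needed
    if f.exploit_known:
        score *= 1.5    # tooling already exists
    if not f.mfa_enforced:
        score *= 2.0    # a leaked or guessed password is enough
    if f.third_party:
        score *= 1.25   # your controls do not apply on the other side
    return score


def impact(f: Finding) -> float:
    """Business view: what sits behind the gap."""
    return float(f.asset_criticality)


def risk_score(f: Finding) -> float:
    return likelihood(f) * impact(f)


def prioritize(findings, capacity):
    """Return the `capacity` highest-risk findings, highest first."""
    ranked = sorted(findings, key=risk_score, reverse=True)
    return ranked[:capacity]


# Constructed sample findings (not real data).
SAMPLE_FINDINGS = [
    Finding("F-1", "Critical RCE on isolated lab server", 9.8,
            internet_exposed=False, exploit_known=True, asset_criticality=1),
    Finding("F-2", "Dormant VPN account, no MFA, reaches production network", 6.0,
            internet_exposed=True, exploit_known=False, asset_criticality=5,
            mfa_enforced=False),
    Finding("F-3", "Unpatched public web server, no public exploit yet", 6.5,
            internet_exposed=True, exploit_known=False, asset_criticality=4),
    Finding("F-4", "Default password on internal printer", 4.0,
            internet_exposed=False, exploit_known=False, asset_criticality=1,
            mfa_enforced=False),
    Finding("F-5", "Supplier's VPN peer on end-of-life firmware", 8.0,
            internet_exposed=True, exploit_known=True, asset_criticality=3,
            third_party=True),
]

if __name__ == "__main__":
    # With capacity for three fixes, the highest-CVSS item (F-1) is not
    # among them; the dormant no-MFA VPN account (F-2) comes first.
    for f in prioritize(SAMPLE_FINDINGS, capacity=3):
        print(f"{f.id} risk={risk_score(f):5.2f} sev={f.severity} {f.title}")
```

In practice the multipliers would be tuned from threat intelligence and incident history, and the asset criticality would come from an inventory or business impact analysis rather than being typed in by hand; the structure, likelihood times impact with business context as an explicit input, is what carries over.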
Determining the business purpose and public exposure of an asset entails many factors. Typically, companies waste precious hours …