How to Implement a Risk-based Security Strategy
With IT security budgets and resources under pressure and the risk of cyber-attack increasing, security officers can often feel overwhelmed.
They can sometimes struggle to determine which assets should be protected and how to protect them. A risk-based security model helps identify an organisation’s most valuable assets and indicates where time and money are needed most. However, many organisations are unsure how to implement it in a practical way.
The attack surface keeps growing and threats are becoming more sophisticated; at the same time, the tools and technologies for dealing with them are evolving just as quickly. For those tasked with securing assets and data, the sheer range of threats and solutions makes decision making all the more difficult. A risk-based strategy brings an evidence-based, measurable approach to that decision making.
The key challenge lies in addressing three areas:
1 - What is the most valuable data the organisation holds? Put another way, which information would be commercially damaging if it were publicly exposed or compromised?
2 - Who has access to this information, where is it stored, and how is it currently protected?
3 - What external or internal threats could compromise the security of this data?
Naturally, the information assets of each organisation or department will differ. An internal workshop, with the help of a consultant, will help you identify and prioritise the high-risk data assets that deserve most of your attention.
Once you have built a matrix from the findings of the workshop (or from another source), a threat modelling exercise will help determine the probability of each threat and the impact on the organisation if it materialised. Threats could include, for example, spoofing of identity, data tampering, denial of service and data loss. The modelling exercise then lets you score each data category against each threat, and those scores form the business case for investment in the technology, processes and people needed to address your findings.
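As an added illustration of the scoring step (this is example code written for this article, not a tool the article's authors provide), the script below turns the workshop output into a risk matrix. It assumes a 1-5 scale for likelihood and impact, a STRIDE-style threat list, and that existing controls (from the "who has access, where is it stored, is it protected" question) are recorded as a 0-4 mitigation strength per threat. The asset names, scores and controls are constructed for illustration.

```python
"""Risk matrix for information assets (added example, constructed data)."""
from dataclasses import dataclass, field

# STRIDE-style threats used in the article; extend as the workshop requires.
THREATS = ("spoofing", "tampering", "denial_of_service", "data_loss")


@dataclass
class Asset:
    name: str
    owners: str                       # who has access (question 2)
    location: str                     # where it is stored (question 2)
    impact: int                       # 1-5 commercial damage if exposed/compromised
    likelihood: dict                  # threat -> 1-5 estimated likelihood
    control_strength: dict = field(default_factory=dict)  # threat -> 0-4 mitigation


def risk_scores(asset):
    """Return {threat: (inherent, residual)}.

    inherent = likelihood * impact, i.e. the risk with no controls at all;
    residual = (likelihood - control_strength, floored at 1) * impact,
    i.e. what remains after the controls that already exist.
    """
    scores = {}
    for threat in THREATS:
        lk = asset.likelihood.get(threat, 1)
        ctrl = asset.control_strength.get(threat, 0)
        residual_lk = max(1, lk - ctrl)
        scores[threat] = (lk * asset.impact, residual_lk * asset.impact)
    return scores


def prioritise(assets):
    """Rank assets by their single worst residual risk, highest first.

    Returns tuples of (asset name, worst threat, inherent, residual).
    """
    ranked = []
    for asset in assets:
        scores = risk_scores(asset)
        worst, (inherent, residual) = max(scores.items(), key=lambda kv: kv[1][1])
        ranked.append((asset.name, worst, inherent, residual))
    ranked.sort(key=lambda row: row[3], reverse=True)
    return ranked


def above_appetite(assets, threshold):
    """Every (asset, threat, residual) at or above the risk appetite: the
    candidate list for the investment business case."""
    return [(a.name, t, res)
            for a in assets
            for t, (_, res) in risk_scores(a).items()
            if res >= threshold]


# Constructed workshop output, not real organisational data.
ASSETS = [
    Asset("customer PII", "CRM team, support", "SaaS CRM", impact=5,
          likelihood={"spoofing": 4, "tampering": 2, "denial_of_service": 2, "data_loss": 4},
          control_strength={"spoofing": 1, "data_loss": 1}),
    Asset("payroll", "HR, finance", "on-prem HR server", impact=4,
          likelihood={"spoofing": 3, "tampering": 3, "denial_of_service": 1, "data_loss": 3},
          control_strength={"spoofing": 2, "tampering": 2, "data_loss": 1}),
    Asset("marketing collateral", "everyone", "shared drive", impact=1,
          likelihood={"spoofing": 2, "tampering": 3, "denial_of_service": 2, "data_loss": 3}),
]

if __name__ == "__main__":
    for name, threat, inherent, residual in prioritise(ASSETS):
        print(f"{name:22} worst={threat:18} inherent={inherent:3} residual={residual:3}")
    print("above appetite (>=10):", above_appetite(ASSETS, 10))
```

The gap between the inherent and residual columns is what justifies existing spend; the residual column, read against the organisation's risk appetite, is what justifies new spend. Keep the scale coarse (1-5) and the estimates consistent across assets; the value of the exercise is the ranking, not false precision in the numbers.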
In summary, organisations often have limited resources with which to fight cybercrime, so a risk-based approach makes sense. In 2016, the Cyber Security Intelligence Index reported that 60% of all attacks were carried out by insiders: three quarters with malicious intent and one quarter involving inadvertent actors.
Based on such findings, every organisation should consider a “zero trust” policy for internal security and the protection of information assets. With the majority of threats originating on the inside, organisations should focus their resources on identifying and protecting their most valuable assets.
It is also important for information security officers not to get distracted by continuously chasing new tools while overlooking the basics, such as proactively patching and maintaining the systems that would otherwise leave them vulnerable. Do not overlook the people in your organisation either: as the figures above show, they are the biggest threat, so ensure that privileged access to information is monitored and that anomalies can be identified. Ensure that security processes and incident response plans are in place and followed.
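To make "monitor privileged access and identify anomalies" concrete, here is an added example (written for this article, not a product or script the authors supply) of the simplest useful form of that monitoring: build a per-user baseline of which hosts, resources and hours of day they normally touch from a known-good period of audit logs, then flag new access that falls outside it. The log format (`timestamp key=value ...`), user names, hosts and resources are all constructed for illustration; a real deployment would read from the access logs of the systems that hold the high-risk data identified in the workshop.

```python
"""Baseline-and-deviation detection over privileged-access audit logs
(added example, constructed log lines)."""
import re
from collections import defaultdict
from datetime import datetime

# Assumed line format: ISO timestamp followed by space-separated key=value pairs.
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse(line):
    """Return a dict for one audit line, or None if the line is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        rec = dict(p.split("=", 1) for p in m.group("kv").split())
        rec["ts"] = datetime.fromisoformat(m.group("ts"))
    except ValueError:
        return None
    if not {"user", "host", "resource"} <= rec.keys():
        return None
    return rec


def build_baseline(lines):
    """Per-user sets of hosts, resources and hours seen in a known-good period."""
    base = defaultdict(lambda: {"hosts": set(), "resources": set(), "hours": set()})
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        b = base[rec["user"]]
        b["hosts"].add(rec["host"])
        b["resources"].add(rec["resource"])
        b["hours"].add(rec["ts"].hour)
    return base


def detect(baseline, lines):
    """Return (user, reason, line) for every access that deviates from the baseline.

    A user with no baseline at all is itself an anomaly: either a new privileged
    account or one that was never meant to reach this data.
    """
    alerts = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        user = rec["user"]
        b = baseline.get(user)
        if b is None:
            alerts.append((user, "no baseline for user", line))
            continue
        if rec["host"] not in b["hosts"]:
            alerts.append((user, f"new host {rec['host']}", line))
        if rec["resource"] not in b["resources"]:
            alerts.append((user, f"new resource {rec['resource']}", line))
        if rec["ts"].hour not in b["hours"]:
            alerts.append((user, f"unusual hour {rec['ts'].hour:02d}", line))
    return alerts


# Constructed known-good week used to learn the baseline.
BASELINE_LOG = [
    "2024-03-04T09:12:01 user=alice host=db01 resource=payroll action=read",
    "2024-03-04T10:40:22 user=alice host=db01 resource=payroll action=read",
    "2024-03-05T14:03:17 user=alice host=db02 resource=hr_records action=read",
    "2024-03-04T09:30:00 user=bob host=hr-app resource=hr_records action=update",
    "2024-03-05T11:15:45 user=bob host=hr-app resource=hr_records action=read",
]

# Constructed lines from a later period to evaluate.
NEW_LOG = [
    "2024-03-11T10:05:12 user=alice host=db01 resource=payroll action=read",
    "2024-03-12T02:17:48 user=alice host=laptop-77 resource=customer_pii action=export",
    "2024-03-12T11:00:00 user=bob host=hr-app resource=hr_records action=read",
    "2024-03-12T11:02:09 user=carol host=hr-app resource=hr_records action=read",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for user, reason, line in detect(build_baseline(BASELINE_LOG), NEW_LOG):
        print(f"ALERT {user}: {reason} <- {line}")
```

In the constructed data the off-hours export of customer PII from an unfamiliar laptop by a privileged user raises three separate alerts, which is the kind of bulk-exfiltration pattern the insider statistics above are about. Baselines drift as roles change, so rebuild them on a schedule and review, rather than silently suppress, alerts for users with no baseline.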
Contact us to arrange a call with one of our Cyber Security experts who can advise on what your business needs to ensure you are cyber protected.