How to Keep Your Cyber Risk Under Control

Businesses today cannot be separated from their digital assets. Data drives every aspect of business, from strategic decisions to tactical operations, and all that data is stored in, accessed by, and transmitted across networked systems. For example, let’s imagine a local cupcake bakery that runs a small storefront. The owner does the lion’s share of the baking and selling but has a few part-time assistants who help with operations.

To start, the business orders supplies online so that the bakers can focus on baking and selling tasty treats instead of fetching flour, eggs and pans. Tracking and processing sales are done through a retail-specific SaaS database. Custom orders and deliveries are scheduled via an online calendar and bank accounts are set up to disburse and receive electronic payments. Chances are the bakery has a website and uses online channels for marketing, even if e-commerce is not configured. 

The point is that even for very small businesses, networking can’t be disconnected from day-to-day operations. The amount of connected technology and data only grows as the business does, and with every piece of tech and every megabyte of data added, the cyber risk rises. Certainly, a small-town baker may not be thinking about the security and privacy risks of their customers’ data in the same way a national restaurant chain would, but they still bear responsibility and liability. Running any business is a risk and cybersecurity must be factored into the equation.

Cyber risk is not a static measure, needless to say. New threats and vulnerabilities arise every day, changing what’s at risk and by how much. For instance, an executive who is traveling might connect their mobile phone — the same one used to access sensitive company files — to airport WiFi. The marketing team might make an unannounced purchase of automation technology into which they upload the entirety of the business’ customer records. A new vulnerability could be found in what seems to be perfectly fine software/hardware. 

In other words, the amount of risk a company has can change on a dime. A one-time snapshot of risk is not sufficient to protect the business from compromise or breach. And while smaller businesses may have fewer cyber criminals targeting them than do larger organizations, it’s also true that larger organizations with more valuable information are likely to have greater access to security resources, which changes risk measures.




How to start your cyber risk assessment

A good starting point in assessing risk is to identify key assets: What data do you have that criminals might want? What systems are used to store/process/access that data? Who has access to them? Larger and more complex organizations will need to conduct more sophisticated asset inventories, at greater scale, of how systems, services and applications are communicating across their networks, and what security controls protect them. 

The results of an asset inventory will help those responsible for security and risk understand what’s in scope and what needs to be prioritized. Prioritization is different for every business, based on its individual risk tolerance as well as the type of data and systems it manages and applicable privacy and cybersecurity regulations. What’s more, this entire process is not a one-time project; asset assessments must be continuous to reflect the current state of the organization, taking into account new data and technology added to the ecosystem that put the organization at greater or lesser risk.

Test your controls

For smaller businesses, testing security controls is probably outsourced to providers, though it’s important to remember that outsourcing management of security does not equal outsourcing responsibility for security. For enterprises with security and infrastructure teams, ongoing testing of controls to ensure they’re working as desired is necessary. “As desired,” though, is unique from organization to organization, based on risk tolerance. Often, stricter security controls affect performance and accessibility. Therefore, the organization might make a risk decision to place less-stringent requirements for access and use onto less-sensitive assets.

What’s more, both security control settings and risk tolerance are adaptive. What is appropriate or acceptable one day or month may not be acceptable the next, because, as mentioned previously, things change all the time. New data is added to the company’s systems. Employees join and leave the organization. New technologies and applications are deployed; sometimes these ship with vulnerabilities and sometimes vulnerabilities arise while they’re in production. And the list of risks only grows from here, so security best practice requires a constant OODA loop: observe, orient, decide, act. Importantly, while the company is in the first three stages of the loop, security and infrastructure teams can’t neglect action. Data and systems must be protected from threats at every stage. This is why the security of the modern enterprise is so tricky to manage and why organizations must operate in shades of risk.

Invest in people, processes, and technology

There is no shortage of security technologies, but simply purchasing a supposed cutting-edge solution is not the answer to “how do I protect my assets and mitigate risk?” That said, no company — big or small — can exist in today’s cyber threat climate without tools that prevent, detect, and stop threats. This is why it is important for any company evaluating a security solution to understand how the provider-partner addresses adaptive risk. Static security controls don’t match the dynamism of today’s business needs. Tools that require extensive amounts of hands-on, manual management and oversight aren’t realistic given the volume of work infrastructure teams already have in merely keeping systems operational.

Instead, businesses should look for security provider-partners that:

  • Temper cyber risk through adaptive security controls that work across environments (cloud, on-premises, containers); 
  • Use automation and machine learning to ensure that controls are appropriate for the amount and type of security desired by each individual customer; and
  • Scale easily alongside the business, eliminating the arduous deployment and on-boarding schedules of many traditional security solutions.

When new security solutions are implemented, make sure to invest in skills development and awareness. The people managing the technology must understand its capabilities and governance requirements; even best-of-breed products take a moment or two to learn. A little upfront training on proper use of the technology will go a long way toward reducing risk down the road. People and processes are critical risk factors, so don’t overlook the importance of training.

Conclusion

As a business evolves, it should not have to assume preventable risk due to security controls that have to be manually configured, adapted to new environments, and take too long to deploy, all of which introduces unnecessary vulnerabilities. No business, regardless of size, is free from cyber threats, and all organizations should be able to take advantage of modern technology to run their business without adding avoidable risk. Keep your cyber risk under control with:

  • Ongoing asset inventories that help determine what assets you have and how to prioritize protection; 
  • Security controls that reflect the needs of the business. Controls must be tested to ensure they’re functioning as desired;
  • Adaptive security solutions and processes that can grow alongside your business; and
  • Trained, skilled staff who have command over the environment and can make risk-based business decisions using best-of-breed cybersecurity technology.

Written by Dan Perkins, Director of Products & Solutions

Dan Perkins is Director of Products and Solutions for Edgewise Networks, where he oversees the direction and development of Edgewise’s zero trust platform. Prior to Edgewise, Dan was Director of Product Management at Infinio, where he was responsible for product vision and the ongoing quality and applicability of Infinio’s solution. He also previously served in several software engineering and quality assurance roles for Citrix. Dan holds a B.S. in computer engineering from Northeastern University.