Enterprise information security risk management

Everyone knows that securing data is one of the biggest challenges facing businesses today. However, what they should and can do about it is often much less clear.

Declan Timmons, director of cybersecurity consulting at cloud specialists Ekco, said businesses face risks every day and business leaders are natural risk takers.

“For us, it’s consulting, really, and a lot of our consulting is about risk, asking ‘what technologies match the risk you have,’ and we’re the trusted cybersecurity partner for them as well,” he said.

“Our team is your business leaders’ trusted partner in cybersecurity and provides the interface between business and technology. We provide a full range of information security consulting services to our clients. Risk management is at the heart of every service we provide. We work with your business leaders to identify your key risks and recommend the most appropriate technologies to address those risks.”

However, the cybersecurity risk facing businesses has grown enormously. It is not entirely new, though, and Timmons said we hear more about cyberattacks today not only because the stakes are higher, but also because the legislative landscape has changed, often making the reporting of breaches mandatory.

“Many years ago you [simply] may not have heard of the events. Data protection and especially GDPR have added a lot of reports,” he said.

What needs to be understood is that today’s cyberattacks are often the work of international criminal gangs, not yesterday’s cliché of teenage hackers just messing around.

“It’s a company. Money can be made in ransomware and there is less chance of getting caught compared to other criminal enterprises. It’s hard to even get the jurisdiction to prosecute,” Timmons said.

Go beyond IT

Every business has a limited budget, Timmons said, and so it’s crucial to use the risk portion of it effectively. The first step is to stop thinking of cybersecurity as just an IT problem.

“In the past, cybersecurity was an IT domain: the IT manager dealt with it in his spare time. But there is a conflict there because he wants to keep the systems operational. Likewise, the individual [IT manager] wouldn’t include the whole business, just IT. They might be managing IT risks but not seeing the big picture,” Timmons said.

This requires moving to a real risk management framework, he said.

“If I am the HR manager [and] I bring an HR system, then I have to be responsible for it. Effective risk management is central to all of this,” he said.

Achieving technical standards such as ISO 27001, and partnering with those who have them, will build confidence, but, again, Timmons said it needs to be broader than IT.

“Effective risk management is at the heart of any information security management system. For example, ISO 27001 on the IT side, and on the operational technology side, which is growing as a business, IEC 62443,” he said.

One size does not necessarily fit all, Timmons said, and the approach taken to risk management will very much depend on the nature of the business. There are two basic approaches, he said: the first is a top-down management approach, suitable for a mature business and the approach recommended by the Ekco team, while the second is a more bottom-up technology approach, suitable for a business or start-up.

“There you would look at the engineering controls, making sure everything is hardened to an appropriate standard such as CIS benchmarks as you build it,” he said.

In either case, when Ekco begins working with a client, it begins with a process to understand the company it is working with.

“You can’t protect something you don’t understand. What is the business model? What are the regulatory requirements? What are the compliance requirements? Then there are also legal requirements. After getting that big picture, we identify the main functions of the business: where do you make money or what can stop you,” he said.

If a business is focused on interaction via a website, a penetration test (pen test) will be first on the agenda. Next is the server hardware and the network devices accessing that server or, if the business is in the cloud, the connectivity and access around it.

People, process, and technology are all considered, including training, data protection, change management, and even questions like “do you have an asset list?”. This is necessary because changes such as remote working mean that traditional methods no longer work.

“VPNs are no longer fit for purpose. We need to move to Zero Trust network access, where nothing is trusted and you have to provide credentials every time,” Timmons said.

On the positive side, companies have moved beyond tick-box exercises, he said, having realised that the time it takes to get back up and running after a breach can be measured in months rather than days.

“Now people are taking it seriously. An extreme event that focused the minds of many organizations was the HSE hack,” he said.

The goal is to build a culture of security, and of healthy distrust where security is concerned, precisely because technology alone is not enough.

“The technology is very good and if you keep it patched and up to date that’s great, but if you have credentials you’ll still be able to get in. People are the weak point and social engineering plays into the good nature of people,” he said.

Indeed, Timmons said the key is to use understanding of risk to take a much more holistic view of security in all its aspects.

“You hear about phishing and bill redirects, but there are other aspects to the attacks. This is why we opt for a structured approach. ‘Cyber’ is electronic data protection, but information security also includes building security, paper and physical files, etc. In response to this, we recently developed Ethical Hacking as a Service (Managed Penetration Testing), which allows us to work with your business to deliver all of your annual cybersecurity testing, including social engineering, in one managed package. This will reduce your team’s effort and lead to a more efficient testing program throughout the year,” he said.

Martin E. Berry