Data-Driven Cyber Risk Assessment Can Bolster Business Continuity
Business continuity strategies were put to the test when millions of organizations across the world were suddenly forced to move their workforce to a fully remote environment in response to the COVID-19 pandemic. While many businesses have successfully adapted to these changes and sustained productivity, the remote work environment comes with increased cybersecurity risks.
While working remotely, many employees are using personal devices to conduct company business, are logging onto critical systems over untrusted home networks, and may not have installed critical security patches on their devices. The technologies that make it easier for employees to collaborate and work efficiently also create new access points for would-be attackers.
The “new normal” requires a longer-term strategy that balances company objectives against greater cybersecurity risks in order to survive and thrive in uncertainty. Integrating a data-driven approach into the information security program benefits any business: organizations can employ data analytics and visualization to inform their decisions and mitigate risks, and security leaders can use the same approach to communicate with executives and other key stakeholders.
Start with a detailed cybersecurity risk assessment
As organizations strive to execute their mission-critical strategies and manage uncertainty, they must also assess the risks that arise from growing cybersecurity threats and keep compliance requirements in view.
The 2020 Verizon Data Breach Investigations Report indicates that misconfiguration errors are now more common than malware attacks, largely due to the increasing volume of internet-exposed cloud storage. Your company may have realized that employees were not as productive working remotely and decided to migrate file servers or applications to a cloud environment. Deploying to the cloud may improve efficiency in the short term, but the risk of misconfiguration can be substantial. Companies of all sizes need to establish the right controls to detect cloud services that have been misconfigured before those misconfigurations become exposures.
The cybersecurity risk assessment process requires companies to take inventory of their IT assets, recording each asset's criticality and sensitivity to the organization. The assessment should then detail, for each asset, the likelihood of a threat actor exploiting a vulnerability against it and the potential impact of such an incident on the organization.
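The scoring step described above, as an added example that is not part of the original article: a minimal quantified risk register. Each (asset, threat) pair is scored as likelihood times impact on a 1-5 scale, banded, and rolled up per asset so it can feed a dashboard. The 1-5 scale, the one-step likelihood adjustment for internet-exposed assets, the band boundaries, and the inventory data are all assumptions constructed for illustration, not figures from the article.

```python
"""Added example (not the author's code): a minimal quantified risk register.

Each (asset, threat) pair is scored as likelihood x impact on a 1-5 scale and
banded; results are rolled up per asset for a dashboard. The scale, the +1
exposure adjustment and the bands are assumptions chosen for illustration,
and the inventory below is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: int        # 1 = nice to have ... 5 = business stops without it
    sensitivity: int        # 1 = public ... 5 = regulated customer data
    internet_exposed: bool  # e.g. cloud storage reachable from the internet


@dataclass(frozen=True)
class Finding:
    asset: str
    threat: str
    likelihood: int         # 1 = rare ... 5 = almost certain, from scan/assessor data


# Constructed inventory and findings (assumptions for illustration).
ASSETS = [
    Asset("crm-db", criticality=5, sensitivity=5, internet_exposed=False),
    Asset("file-share-s3", criticality=3, sensitivity=4, internet_exposed=True),
    Asset("intranet-wiki", criticality=2, sensitivity=2, internet_exposed=False),
]
FINDINGS = [
    Finding("file-share-s3", "bucket policy allows public read (misconfiguration)", 3),
    Finding("crm-db", "credential theft against accounts without MFA", 3),
    Finding("intranet-wiki", "unpatched CMS plugin", 4),
    Finding("crm-db", "SQL injection via legacy reporting app", 2),
]


def impact(asset):
    """Impact follows the worse of criticality and sensitivity."""
    return max(asset.criticality, asset.sensitivity)


def likelihood(finding, asset):
    """Internet exposure raises likelihood one step (capped at 5): exposure is
    what turns a misconfiguration into an incident."""
    return min(5, finding.likelihood + 1) if asset.internet_exposed else finding.likelihood


def band(score):
    """Qualitative band for a 1..25 score (assumed boundaries)."""
    if score >= 15:
        return "Critical"
    if score >= 10:
        return "High"
    if score >= 5:
        return "Medium"
    return "Low"


def build_register(assets=ASSETS, findings=FINDINGS):
    """Score every finding and return rows sorted worst-first."""
    by_name = {a.name: a for a in assets}
    rows = []
    for f in findings:
        a = by_name[f.asset]
        lk, im = likelihood(f, a), impact(a)
        rows.append({"asset": f.asset, "threat": f.threat, "likelihood": lk,
                     "impact": im, "score": lk * im, "band": band(lk * im)})
    return sorted(rows, key=lambda r: r["score"], reverse=True)


def risk_by_asset(register):
    """Roll-up for a dashboard: worst score and number of High/Critical
    findings per asset."""
    summary = {}
    for r in register:
        s = summary.setdefault(r["asset"], {"worst": 0, "high_or_critical": 0})
        s["worst"] = max(s["worst"], r["score"])
        if r["band"] in ("High", "Critical"):
            s["high_or_critical"] += 1
    return summary


if __name__ == "__main__":
    reg = build_register()
    for r in reg:
        print(f'{r["band"]:8} {r["score"]:2}  {r["asset"]:14} {r["threat"]}')
    print(risk_by_asset(reg))
```

With the constructed data the public cloud bucket ranks first even though the CRM database is the more critical asset, because exposure pushes its likelihood up; that is the kind of ordering a dashboard should make visible to non-technical readers.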
Given the dispersed nature of the workforce because of the COVID-19 pandemic, it is more important than ever for the risk assessment process to be informed by actionable data.
A risk assessment informed by well-defined key performance and risk indicators can be used to communicate the value proposition of cybersecurity to stakeholders and decision-makers. Security leaders can use business intelligence (BI) dashboards, data visualizations, and risk assessments as communication tools with management, linking decisions to strategic objectives, identifying trends, and measuring outcomes. BI tools are designed to prepare and analyze data and generate interactive visuals that help communicate the value of a project and identify areas for further analysis, including potential risks and opportunities.
Organize data – visual results are easier to communicate
A well-designed information security program, informed by data, should integrate into the risk assessment process and overall business strategy.
In a remote working environment, the data an organization needs now flows through employee home Wi-Fi connections, personal devices, and internet of things (IoT) devices, which makes gathering it considerably more detailed and complex. Too often, an organization’s IT security leader (CSO or CISO) is presented with either too much or too little data, which makes it challenging to identify useful insights.
Cybersecurity professionals need to consolidate and manage IT-related data to gain analytical insight more easily, improve security and performance, and communicate the impact of key metrics to management. If company leaders do not fully understand why cybersecurity measures are important to the business, it will be difficult to secure the buy-in necessary to obtain funding for cybersecurity initiatives, which could expose the business to significant risk.
Companies can use specialized software to compile information from various sources and generate data visualizations, making it easier to aggregate and analyze data sets. Data visualizations such as histograms, line charts, pie charts, scatter graphs and performance gauges, among others, are designed to capture the readers’ attention, trigger an action when important trends are identified, and measure whether goals are achieved. These BI tools can help management identify opportunities for improvement.
Using visuals designed to identify and clearly highlight specific risk scenarios, CISOs and CSOs can empower management to understand the benefits of implementing a particular technology solution, weighed against any relevant risks.
Is your business exposed?
Many CISOs would have a major cause for concern if a penetration test or internal assessment uncovered the following:
- Significant number of high-risk network vulnerabilities – These may stem from a large number of remote employees connecting to the company network from untrusted home or public Wi-Fi, so that the exposed surface now includes devices outside the corporate perimeter.
- Critical security patches have not been installed on employee laptops for more than six months – When employees use personal devices to conduct business, the organization has no oversight of how those devices are set up; they may lack full-disk encryption or run an outdated operating system.
- Antivirus definitions are not configured to automatically update – Employee laptops with out-of-date antivirus definitions may be vulnerable to known malware, which can go undetected and be exploited by an attacker.
- Spike in the number of new privileged accounts – An attacker who has gained access to a vulnerable endpoint by exploiting a misconfiguration might find other vulnerabilities that are only reachable from inside the network. The attacker may use such a vulnerability to elevate their permissions and create privileged accounts in order to persist and discreetly exfiltrate company data; an unexplained rise in privileged-account creation is therefore a signal worth tracking against its normal baseline.
- Critical systems that do not require multi-factor authentication for access – User accounts should be protected using multifactor authentication throughout the organization, especially accounts that provide access to critical applications holding customer data. Without MFA, stolen or phished credentials alone are enough for an attacker to gain access.
- Poor phishing testing results – When was the last time you phished your own employees? Their performance on a phishing risk assessment can provide useful insight to determine whether additional training should be offered, or whether it’s time to invest in additional security measures.
A properly implemented cybersecurity dashboard could reveal trends in the data, providing security leaders with a clear, objective way to evaluate relevant risks on a regular basis. This dashboard can also make it easier for CSOs and CISOs to communicate results to business leaders and recommend where to focus the organization’s resources and budget.
Impact is everything – data-driven decisions save time and money
Utilizing cybersecurity best practices and frameworks as a guide, IT leaders can structure their information security program to measure and track a variety of metrics. These metrics may include a mix of operational and cybersecurity statistics, comprising a data strategy that can be integrated into the business to inform the risk assessment process.
By gaining an understanding of the key performance indicators (KPIs) and key risk indicators (KRIs) affecting cybersecurity, an organization can quantify how an information security program is performing and gain actionable insight into threats and vulnerabilities.
Companies are increasingly reliant on third parties to provide contracted labor, cloud services, software as a service (SaaS) platforms, and artificial intelligence (AI) solutions. While these services may help the organization operate remotely and focus on its core business, they can also introduce new risks or amplify existing ones.
For example, a chatbot provider granted more data or more permissions than it requires can make serious mistakes that result in an embarrassing situation for the company. Microsoft’s chatbot reportedly “made a racist error while aggregating another outlet’s reporting, got called out for doing so, and then elevated the coverage of its own outing.”
Security professionals need to be able to communicate the ultimate business value of cybersecurity solutions using tangible data. Tracking performance metrics, such as the average time to deploy patches, percentage of systems with outdated antivirus definitions, and the number of emergency changes, can help provide insight into why an organization should invest in cybersecurity measures and which measures should be prioritized.
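Computing the indicators named in the “Is your business exposed?” list and in the metrics above from raw inventory, change and log data, as an added example that is not part of the original article. Every record, date and threshold below is a constructed assumption for illustration (the author gives none); the point is that each KRI is a small, repeatable query over data the organization already holds, which is what lets it be trended on a dashboard rather than re-estimated by hand each quarter.

```python
"""Added example (not the author's code): computing key risk indicators from
inventory, change and log data so they can be trended on a dashboard. Every
record, date and threshold below is a constructed assumption for illustration."""
from datetime import date
from statistics import mean, pstdev

TODAY = date(2020, 10, 1)  # pinned so the results are reproducible

# Constructed endpoint inventory: host, last critical patch, AV definition date, AV auto-update on
ENDPOINTS = [
    ("lap-001", date(2020, 9, 20), date(2020, 9, 30), True),
    ("lap-002", date(2020, 2, 14), date(2020, 3, 1), False),
    ("lap-003", date(2020, 8, 30), date(2020, 9, 29), True),
    ("lap-004", date(2020, 3, 10), date(2020, 9, 20), True),
    ("lap-005", date(2020, 9, 1), date(2020, 6, 1), False),
]
# Constructed patch rollouts: patch id, vendor release date, date fully deployed
PATCH_ROLLOUTS = [
    ("KB-A", date(2020, 8, 11), date(2020, 8, 25)),
    ("KB-B", date(2020, 9, 8), date(2020, 9, 15)),
    ("KB-C", date(2020, 7, 14), date(2020, 8, 13)),
]
# Constructed weekly counts of newly created privileged accounts, oldest first
NEW_PRIV_ACCOUNTS_PER_WEEK = [2, 1, 3, 2, 1, 2, 9]
# Constructed critical systems and whether each enforces MFA
CRITICAL_SYSTEMS = {"crm": True, "payroll": True, "vpn": True, "legacy-erp": False}
# Constructed change records: change id, date, change type
CHANGES = [
    ("CHG-1", date(2020, 9, 5), "emergency"),
    ("CHG-2", date(2020, 9, 12), "standard"),
    ("CHG-3", date(2020, 9, 20), "emergency"),
    ("CHG-4", date(2020, 8, 1), "emergency"),
]
# Constructed phishing simulation results: user, clicked link, entered credentials
PHISHING_RESULTS = [
    ("u1", False, False), ("u2", True, False), ("u3", True, True),
    ("u4", False, False), ("u5", True, True),
]


def pct(numerator, denominator):
    return round(100.0 * numerator / denominator, 1) if denominator else 0.0


def stale_patch_pct(endpoints=ENDPOINTS, today=TODAY, max_age_days=180):
    """Share of endpoints whose last critical patch is older than max_age_days."""
    stale = sum(1 for _, patched, _, _ in endpoints if (today - patched).days > max_age_days)
    return pct(stale, len(endpoints))


def stale_av_pct(endpoints=ENDPOINTS, today=TODAY, max_age_days=7):
    """Share of endpoints with old AV definitions or auto-update switched off."""
    stale = sum(1 for _, _, defs, auto in endpoints
                if not auto or (today - defs).days > max_age_days)
    return pct(stale, len(endpoints))


def mean_days_to_patch(rollouts=PATCH_ROLLOUTS):
    """Average days from vendor release to fleet-wide deployment."""
    return round(mean((deployed - released).days for _, released, deployed in rollouts), 1)


def privileged_account_spike(weekly=NEW_PRIV_ACCOUNTS_PER_WEEK, sigmas=3.0):
    """Flag the latest week if it exceeds the baseline mean by `sigmas` standard
    deviations of the earlier weeks. Returns (latest, threshold, flagged)."""
    baseline, latest = weekly[:-1], weekly[-1]
    threshold = mean(baseline) + sigmas * pstdev(baseline)
    return latest, round(threshold, 2), latest > threshold


def mfa_coverage(systems=CRITICAL_SYSTEMS):
    """Percentage of critical systems enforcing MFA, plus the list of gaps."""
    gaps = sorted(name for name, mfa in systems.items() if not mfa)
    return pct(len(systems) - len(gaps), len(systems)), gaps


def emergency_changes(changes=CHANGES, today=TODAY, window_days=30):
    """Number of emergency changes raised in the last window_days."""
    return sum(1 for _, when, kind in changes
               if kind == "emergency" and (today - when).days <= window_days)


def phishing_rates(results=PHISHING_RESULTS):
    """(click rate %, credential submission rate %)."""
    clicked = sum(1 for _, c, _ in results if c)
    submitted = sum(1 for _, _, s in results if s)
    return pct(clicked, len(results)), pct(submitted, len(results))


def rag(value, amber, red):
    """Red/amber/green status for a metric where higher is worse (assumed cut-offs)."""
    return "red" if value >= red else "amber" if value >= amber else "green"


def dashboard():
    """One entry per KRI: value plus a status a non-technical reader can act on."""
    latest, _threshold, spike = privileged_account_spike()
    _coverage, gaps = mfa_coverage()
    click, submit = phishing_rates()
    return {
        "endpoints_unpatched_180d_pct": (stale_patch_pct(), rag(stale_patch_pct(), 10, 25)),
        "endpoints_av_stale_pct": (stale_av_pct(), rag(stale_av_pct(), 5, 20)),
        "mean_days_to_patch": (mean_days_to_patch(), rag(mean_days_to_patch(), 14, 30)),
        "new_privileged_accounts_week": (latest, "red" if spike else "green"),
        "critical_systems_without_mfa": (gaps, "red" if gaps else "green"),
        "emergency_changes_30d": (emergency_changes(), rag(emergency_changes(), 2, 5)),
        "phishing_click_pct": (click, rag(click, 10, 25)),
        "phishing_credential_pct": (submit, rag(submit, 5, 15)),
    }


if __name__ == "__main__":
    for name, (value, status) in dashboard().items():
        print(f"{status:6} {name:32} {value}")
```

The privileged-account check is deliberately a baseline comparison rather than a fixed ceiling: nine new admin accounts in a week is alarming for a team that normally creates two, and unremarkable for one that normally creates twenty, so the same query adapts to each organization's own history.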
Believe in the process – digital transformation requires commitment
A well-designed, well-implemented cybersecurity data strategy requires a defined process. Good decisions come from learning and from a commitment to keep refining how decisions are made.
As global digital transformation progresses and remote work becomes the norm for more businesses, tools that were previously out of reach for many organizations have now become increasingly accessible and viable.
CSOs and CISOs who are developing a strategy for the “new normal” should balance overall business objectives with the need to mitigate increasing cybersecurity risks. A data-driven approach aligned with the information security program can enable organizations to employ powerful data analytics and visualizations to inform their decisions, guide the implementation of systems and processes, and help them mitigate risks.
Security leaders can use advanced BI tools to aggregate data from a vast array of sources, linking key metrics to business goals and solidifying the partnership between the organization and its IT stakeholders.
Securing support for security initiatives is crucial at a time when threats are more persistent than ever, and remote working environments have introduced new risks and vulnerabilities.
Daniel Rosenberg, CISA, CPA, is a Cybersecurity & Compliance Director at Kaufman Rossin, one of the Top 100 CPA and advisory firms in the U.S.