Privileged Access Management, Remote Access, Risk Management

IT Risk Management: Are You Ready to Go All-In?

Whether your company is about to launch a new product, align production, or define next year’s budget, you’ll use risk management techniques to identify the potential weaknesses that may be caused by your next investments.

IT risk management is now a mature field, with numerous guidelines and frameworks such as ISO 31000, Porter’ Five Forces analysis, or the Ansoff Matrix. These tools allow you to evaluate the risk of an investment and provide a framework to anticipate and address potential business disruptions. Investing in the wrong project can have significant negative impacts on business, but with the right planning in place, recovery is always possible.

Without investing in IT security, however, you can no longer afford to make mistakes.

As extreme as this may sound, this is a reality. A survey commissioned by the US National Cyber Security Alliance (NCSA) shows that in 2019, when a full 28% of SMBs experienced a data breach, 25% filed for bankruptcy

With that knowledge, do you feel confident in going all-in on business planning, without implementing adequate security risk mitigation for your IT infrastructure?

Understanding IT Security Risk Management

Gaining an understanding cyber exposure is critical to maintaining your activity, and can be a monumental task. Fortunately, you’re not on your own: states, industries, and national organizations provide regulations and frameworks to help clarify business obligations and protect the operations of your company.

Many frameworks provide guidance and best practices for tackling IT risks. Commonly referenced regulatory standards include the ISO 27001, IEC 62443, and the NIST framework.

A recurring requirement amongst these IT security standards is to reduce the attack surface of your IT infrastructure, namely by controlling and protecting privileged accounts. That is, managing access privileges of “super-admin” accounts with elevated permissions to administer, modify, or otherwise access your most sensitive IT systems, data, and resources.

Privileged users are a perpetual risk of exposure

Privileged accounts are at the top of the list of IT risks. They constitute an ideal choice of target for those with malicious intentions, since, with a single account, an attacker gains the ability to extract, tamper with, or encrypt critical data, or to infiltrate more deeply into your infrastructure and operations.

A basic understanding of the risks will allow you to deploy the appropriate tools to protect your privileged accounts.

Your first concern: Remote Access

Remote workers or third-party maintainers managing your critical infrastructure expose your network to a host of new risks. When connecting to IT assets from outside the corporate network, remote users may have elevated privileges to operate your critical systems. And yet they…

Do not benefit from your network’s perimetric protection
Are not physically visible and you, therefore, cannot guarantee their identity
Might connect from uncontrolled or vulnerable endpoints

Trust No One

Though it may sound harsh at first, you should never automatically trust privileged users. You’d be a fool to think that internal users are inherently more trustworthy, technically speaking than external users.

Humans are fallible: Employees with elevated privileges can always make mistakes and launch the wrong command on the wrong critical system.
Many employees are susceptible to sophisticated scams and may fall for elaborate phishing attempts
Employee revenge does, sadly, exist

Mitigating Risks for Privileged Accounts: A Simple Solution

Protecting privileged users and, most especially, privileged access helps you to drastically reduce the risk of your infrastructure being compromised. A well-thought-out policy for protecting privileged access must include the following mechanisms:

Perimetric protection for critical infrastructure

Above all, isolating your critical assets and securing access to them is essential. A Privileged Access Management (PAM) solution provides a range of important capabilities such that once assets are isolated, you can grant secured and controlled access as and when needed. And you can ensure that only the right person can access the right system for the right reason – no more uncontrolled, over-privileged users.

Managing Identities

To mitigate risks linked to remote user accountability and identity management (that is, verification), access management solutions can provide several additional capabilities:

A web portal to enable secure remote access reduces your infrastructure’s attack surface while facilitating external user access.
Integrating an Identity-as-a-Service (IDaaS) solution offers contextual security options to adapt authentication as needed to ensure user identity based on location and other factors.

Principle Of Least Privilege

An efficient way to ensure that a user with privileges can’t harm your infrastructure is simply to… remove the privileges. However, this kind of drastic measure is likely to have a significant impact on users and productivity if they’re suddenly no longer able to access key resources to do their jobs. Implementing a policy that follows the Principle of Least Privilege, for example with an endpoint privileged management solution, can both restrict access privileges to the minimum and facilitate work efficiency. This way, only the right privilege is granted to the user at the right time for the right action.

Well-Thought Out Security: No Need to Go All-In

Business is always risky, by its very nature. Optimizing production, selecting equipment, defining budget… it’s all a matter of making well-informed, calculated decisions in order to best position the organization to succeed and minimize losses. IT risk management is no different; when well-planned and with the right protections in place, your business is set up to win.

Cookie	Duration	Description
IDE	1 year 24 days	Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile.
test_cookie	15 minutes	This cookie is set by doubleclick.net. The purpose of the cookie is to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	This cookie is set by Youtube. Used to track the information of the embedded YouTube videos on a website.

Cookie	Duration	Description
__hstc	1 year 24 days	This cookie is set by Hubspot and is used for tracking visitors. It contains the domain, utk, initial timestamp (first visit), last timestamp (last visit), current timestamp (this visit), and session number (increments for each subsequent session).
_ga	2 years	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors.
_gid	1 day	This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the wbsite is doing. The data collected including the number visitors, the source where they have come from, and the pages viisted in an anonymous form.
hubspotutk	1 year 24 days	This cookie is used by HubSpot to keep track of the visitors to the website. This cookie is passed to Hubspot on form submission and used when deduplicating contacts.
trackalyzer	1 year	This cookie is used by Leadlander. The cookie is used to analyse the website visitors and monitor traffic patterns.

Cookie	Duration	Description
__hssc	30 minutes	This cookie is set by HubSpot. The purpose of the cookie is to keep track of sessions. This is used to determine if HubSpot should increment the session number and timestamps in the __hstc cookie. It contains the domain, viewCount (increments each pageView in a session), and session start timestamp.
bcookie	2 years	This cookie is set by linkedIn. The purpose of the cookie is to enable LinkedIn functionalities on the page.
lang	session	This cookie is used to store the language preferences of a user to serve up content in that stored language the next time user visit the website.
lidc	1 day	This cookie is set by LinkedIn and used for routing.
messagesUtk	1 year 24 days	This cookie is set by hubspot. This cookie is used to recognize the user who have chatted using the messages tool. This cookies is stored if the user leaves before they are added as a contact. If the returning user visits again with this cookie on the browser, the chat history with the user will be loaded.

Cookie	Duration	Description
__cfduid	1 month	The cookie is used by cdn services like CloudFare to identify individual clients behind a shared IP address and apply security settings on a per-client basis. It does not correspond to any user ID in the web application and does not store any personally identifiable information.
__hssrc	session	This cookie is set by Hubspot. According to their documentation, whenever HubSpot changes the session cookie, this cookie is also set to determine if the visitor has restarted their browser. If this cookie does not exist when HubSpot manages cookies, it is considered a new session.
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
JSESSIONID	session	Used by sites written in JSP. General purpose platform session cookies that are used to maintain users' state across page requests.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
_gat_UA-12183334-1	1 minute	No description
AnalyticsSyncHistory	1 month	No description
CONSENT	16 years 9 months 23 days 12 hours 13 minutes	No description
UserMatchHistory	1 month	Linkedin - Used to track visitors on multiple websites, in order to present relevant advertisement based on the visitor's preferences.
wp-wpml_current_language	1 day	No description

IT Risk Management: Are You Ready to Go All-In?

Understanding IT Security Risk Management

Privileged users are a perpetual risk of exposure

Trust No One

Mitigating Risks for Privileged Accounts: A Simple Solution

Perimetric protection for critical infrastructure

Managing Identities

Principle Of Least Privilege

Well-Thought Out Security: No Need to Go All-In

Balancing BYOD risk with Privileged Access Management

Healthcare Cybersecurity: Why PAM Should Be a Priority

Related Blogs

Related Resources

Products

Solutions

Resources

About