IT Risk Management: Are You Ready to Go All-In?

Whether your company is about to launch a new product, reorganize production, or define next year’s budget, you use risk management techniques to identify the weaknesses your next investments may introduce.

Business risk management is now a mature field, with numerous guidelines and frameworks such as ISO 31000, Porter’s Five Forces analysis, or the Ansoff Matrix. These tools allow you to evaluate the risk of an investment and provide a framework to anticipate and address potential business disruptions. Investing in the wrong project can have significant negative impacts on the business, but with the right planning in place recovery is usually possible.

When it comes to IT security, however, a mistake is one you may not be able to recover from.

As extreme as this may sound, it is a reality. A survey commissioned by the US National Cyber Security Alliance (NCSA) found that in 2019, 28% of SMBs experienced a data breach, and 25% of those breached filed for bankruptcy.

With that knowledge, do you feel confident in going all-in on business planning, without implementing adequate security risk mitigation for your IT infrastructure?

Understanding IT Security Risk Management

Gaining an understanding of your cyber exposure is critical to keeping your business operating, and can be a monumental task. Fortunately, you’re not on your own: states, industries, and national organizations provide regulations and frameworks to help clarify business obligations and protect the operations of your company.

Many frameworks provide guidance and best practices for tackling IT risks. Commonly referenced standards include ISO 27001, IEC 62443 and the NIST Cybersecurity Framework.

A recurring requirement amongst these IT security standards is to reduce the attack surface of your IT infrastructure, notably by controlling and protecting privileged accounts. That is, managing the access privileges of “super-admin” accounts with elevated permissions to administer, modify, or otherwise access your most sensitive IT systems, data, and resources.

Privileged users are a perpetual risk of exposure

Privileged accounts are at the top of the list of IT risks. They are an ideal target for those with malicious intentions: with a single compromised account, an attacker gains the ability to extract, tamper with, or encrypt critical data, or to move deeper into your infrastructure and operations.

A basic understanding of the risks will allow you to deploy the appropriate tools to protect your privileged accounts.

Remote workers or third-party maintainers managing your critical infrastructure expose your network to a host of new risks. When connecting into IT assets from outside the corporate network, remote users may have elevated privileges to operate your critical systems. And yet they…

  • Do not benefit from your network’s perimeter protection
  • Are not physically present, so their identity cannot be confirmed by sight
  • Might connect from uncontrolled or vulnerable endpoints

Trust No One

Though it may sound harsh at first, you should never automatically trust privileged users. Nor should you assume that internal users are inherently more trustworthy than external ones: from a technical standpoint, the exposure is the same.

  • Humans are fallible: employees with elevated privileges can always make mistakes and run the wrong command on the wrong critical system.
  • Many employees are susceptible to elaborate phishing attempts and other social-engineering scams.
  • Employee revenge does, sadly, exist.

Mitigating Risks for Privileged Accounts: A Simple Solution

Protecting privileged users and, most especially, privileged access helps you to drastically reduce the risk of your infrastructure being compromised. A well thought-out policy for protecting privileged access must include the following mechanisms:

Perimeter protection for critical infrastructure

Above all, isolating your critical assets and securing access to them is essential. A Privileged Access Management (PAM) solution provides a range of important capabilities such that once assets are isolated, you can grant secured and controlled access as and when needed. And you can ensure that only the right person can access the right system for the right reason – no more uncontrolled, over-privileged users.

Managing Identities

To mitigate the risks linked to remote user accountability and identity verification, access management solutions can provide several additional capabilities:

  • A web portal to enable secure remote access reduces your infrastructure’s attack surface while facilitating external user access.
  • Integrating an Identity-as-a-Service (IDaaS) solution offers contextual security options to adapt authentication as needed to ensure user identity based on location and other factors.

Principle Of Least Privilege

An efficient way to ensure that a user with privileges can’t harm your infrastructure is simply to… remove the privileges. However, this kind of drastic measure is likely to have a significant impact on users and productivity if they’re suddenly no longer able to access the resources they need to do their jobs. Implementing a policy which follows the Principle of Least Privilege, for example with an endpoint privilege management (EPM) solution, can both restrict access privileges to the minimum and preserve work efficiency. This way, only the right privilege is granted to the user at the right time for the right action.
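To make “the right privilege, at the right time, for the right action” concrete (and the “right person, right system, right reason” rule from the perimeter protection section above), here is an added example of a toy just-in-time access broker. It is illustration code written for this page, not code from the page or from any PAM or EPM product. The user names, host names, ticket references, the 8-hour maximum grant lifetime and the requests in `demo()` are all constructed for the example.

```python
"""Toy just-in-time, least-privilege access broker (added example).

A grant ties one user to one host pattern, an explicit list of commands,
a short validity window and a change/incident reference, so a privileged
action is allowed only for the right person, on the right system, for the
right reason, at the right time. Everything else is denied and logged.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from fnmatch import fnmatchcase

MAX_TTL = timedelta(hours=8)       # assumption for this example: no standing admin access
FORBIDDEN = set(";|&$`\n")         # shell metacharacters never belong in an allow-listed command


@dataclass(frozen=True)
class Grant:
    user: str
    host_pattern: str      # fnmatch syntax, e.g. "db-*.prod.example"
    commands: tuple        # exact command lines; wildcards are rejected on purpose
    not_before: datetime
    not_after: datetime
    ticket: str            # change or incident reference: the "right reason"


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


class Broker:
    def __init__(self):
        self._grants = []
        self.audit = []    # (time, user, host, command, allowed, reason) for every request

    def issue(self, user, host_pattern, commands, start, ttl, ticket):
        """Create a time-boxed grant, refusing the classic over-privileged shapes."""
        if not ticket:
            raise ValueError("a grant needs a change or incident reference")
        if ttl <= timedelta(0) or ttl > MAX_TTL:
            raise ValueError(f"ttl must be > 0 and <= {MAX_TTL}; standing access is not allowed")
        for cmd in commands:
            if not cmd.strip() or "*" in cmd or FORBIDDEN & set(cmd):
                raise ValueError(f"command must be explicit and non-shell: {cmd!r}")
        grant = Grant(user, host_pattern, tuple(commands), start, start + ttl, ticket)
        self._grants.append(grant)
        return grant

    def revoke(self, ticket):
        """Drop every grant issued under a ticket, e.g. when the change is closed early."""
        self._grants = [g for g in self._grants if g.ticket != ticket]

    def authorize(self, user, host, command, now):
        """Decide one privileged command. Default is deny; every decision is recorded."""
        reason = "no grant for this user"
        for g in self._grants:
            if g.user != user:
                continue
            reason = f"{g.ticket}: host {host} not covered"
            if not fnmatchcase(host, g.host_pattern):
                continue
            reason = f"{g.ticket}: command not in allow-list"
            if command not in g.commands:
                continue
            reason = f"{g.ticket}: outside validity window"
            if g.not_before <= now < g.not_after:
                decision = Decision(True, f"{g.ticket}: active grant")
                break
        else:
            decision = Decision(False, reason)
        self.audit.append((now, user, host, command, decision.allowed, decision.reason))
        return decision


def demo():
    """Constructed scenario: one 2-hour grant for alice on the prod database hosts."""
    broker = Broker()
    start = datetime(2024, 5, 1, 9, 0)
    broker.issue("alice", "db-*.prod.example", ["systemctl restart postgresql"],
                 start, timedelta(hours=2), "CHG-1042")
    requests = [
        ("alice", "db-01.prod.example", "systemctl restart postgresql", start + timedelta(minutes=30)),
        ("alice", "db-01.prod.example", "cat /etc/shadow", start + timedelta(minutes=30)),   # wrong action
        ("alice", "web-01.prod.example", "systemctl restart postgresql", start + timedelta(minutes=30)),  # wrong system
        ("alice", "db-01.prod.example", "systemctl restart postgresql", start + timedelta(hours=3)),  # wrong time
        ("bob", "db-01.prod.example", "systemctl restart postgresql", start + timedelta(minutes=30)),  # wrong person
    ]
    return [broker.authorize(*r).allowed for r in requests]   # → [True, False, False, False, False]


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is that `issue()` refuses the two shapes that usually creep into real sudoers files and admin groups: a command allow-list of `*`, and a grant that never expires. Exact command matching is deliberate; a wildcard such as `systemctl restart *` would quietly widen the grant to every service on the host.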

Well-Thought Out Security: No Need to Go All-In

Business is always risky, by its very nature. Optimizing production, selecting equipment, defining budget… it’s all a matter of making well-informed, calculated decisions in order to best position the organization to succeed and minimize losses. IT risk management is no different; when well-planned and with the right protections in place, your business is set up to win.