• How to establish cyber strategy in the face of growing threats

The five top tips to reassess your IT security risk

February 2023

According to Growth Intelligence over 85,000 online businesses were launched during the first lockdown in the UK – a phenomenal figure. For some it was a move to seek out new or expand existing revenue channels in light of the countless redundancies the pandemic had caused. For others, it was a golden opportunity to pursue a new career or launch a new product or service ripe for a remote audience.

Many of these were small businesses which perhaps had never traded online before, or certainly not in a sizeable manner. By scaling, and most likely unwittingly, these businesses have opened up new attack surfaces, rendering themselves more vulnerable to cyber-attacks. Where a breach at a larger organisation might be seen as involving a hefty fine and considerable reputational damage, for a small business it can be the nail in the coffin as they often do not have the economic means in their pocket to support a period of disruption. This was also evident in a recent research which found that nearly a quarter of UK small and medium-sized enterprises would likely go out of business if they would have to pay the cost of an average cyberattack.

So how at risk are smaller businesses? It is well documented that 43% of all data breaches involve SMBs. These businesses often take the time in the year to review their spend, and this should also be coupled with a review of security protocols and IT risk management. Businesses need to look at their investment and ensure that any risks are mitigated, giving them an added safety net and peace of mind. IT risk management is now a very mature field and there are numerous guidelines and frameworks such as ISO 31000, Porter’ Five Forces analysis, or the Ansoff Matrix. These tools allow businesses to evaluate the risk of an investment and provide a framework to anticipate and address potential business disruptions. Investing in the wrong project can have significant negative impacts on business, but with the right planning in place, recovery is (nearly) always possible.

Without investing in IT security and understanding risk management, businesses cannot afford to make any mistakes. But with the complexity of modern business environments, it is impossible to not make mistakes. Therefore, as we start to see both new and existing businesses emerge from the pandemic, it is important that, businesses implement new working policies and take the time to think about how confident they really are when it comes to business planning. They also need to be asking themselves if they have a continuity plan in place.

Below are 5 top tips that will make implementing an IT security risk strategy successful and remove what might feel like an IT headache as many businesses embark on a new journey.

1. Understand IT Management

The first thing on the agenda should be to increase understanding about cyber exposure. Finding out where the risks are is critical to maintaining activity, but it can be a monumental task. Fortunately, industry and national organisations provide regulations and frameworks to help clarify business obligations and protect company operations. Commonly referenced regulatory standards include the ISO 27001, IEC 62443 and the NIST frameworks.

2. Reduce the attack surface of your IT infrastructure

Controlling and protecting privileged accounts should also be at the top of a list of IT risks. These accounts constitute an ideal choice of target for those with malicious intentions, since with a single account, an attacker can gain the ability to extract, tamper with, or encrypt critical data, or to infiltrate more deeply into infrastructure and operations. A basic understanding of the risks will allow to deploy the appropriate tools to protect privileged accounts.

3. Consider your remote access strategy

Remote workers or third-party maintainers managing critical infrastructure can expose a company network to a range of new risks. When connecting into IT assets from outside the corporate network, remote users may have elevated privileges to operate critical systems. And yet they don’t benefit from a network’s perimetric protection. As these employees are not physically visible, this adds the additional challenge that cannot guarantee their identity – which means they might connect from uncontrolled or vulnerable endpoints. Identifying these dangers is a crucial part of a security risk strategy.

4. Apply the Principle of Least Privilege

An efficient way to ensure that a user with privileges can’t harm an infrastructure, is simply to remove the privileges. But this is a drastic measure and likely to have a significant impact on users and productivity if they’re suddenly no longer able to access key resources to do their jobs. A policy which applies the principle of least privilege with an endpoint privileged management solution for example, will restrict access privileges to the minimum and facilitate work efficiency. This way, only the right privilege is granted to the user at the right time for the right action.

5. Trust no-one

It might sound harsh at first, but you should never automatically trust even privileged users. You’d be a fool to think that internal users are inherently more trustworthy, technically speaking, than external users. Remember – all humans are fallible and even employees with elevated privileges can make mistakes and launch the wrong command on the wrong critical system. Employees are also susceptible to sophisticated scams and may fall for elaborate phishing attempts. And, sadly, never forget that employee revenge does exist.

By addressing risk organisations can set up to win

Business is always risky, by its very nature. Optimising production, selecting the best equipment, defining budgets… business is all about making well-informed, calculated decisions in order to succeed and minimise losses. IT risk management is no different. When well-planned and with the right protections in place, the business is set up to win.

With small businesses more vulnerable to cyber-attacks and the consequences of such incidents potentially being fatal, investing in a strong IT risk management strategy is absolutely critical – in fact, the sooner the better. Protecting privileged users and, most especially, privileged access must be a core component of this. In putting adequate measures into place, businesses will dramatically reduce the risk of their infrastructure being compromised. Get ahead of the game. Start planning out your strategy now – including a budget to execute on it – and implement a well-thought-out policy for protecting your business. It will pay dividends.