There is a tendency for many to overestimate the IT departments of enterprises. These departments are usually expected to be meticulous and highly proficient at securing their organization’s IT resources. However, many of them inevitably commit mistakes or omissions as they implement their cybersecurity strategies.
It is not extraordinary for big companies to have cybersecurity issues, although this should not be the norm. Some problems emerge because of organizational changes, especially in cases when two companies with different IT cultures go into a merger or consolidation. Others have no choice but to compromise in some areas because of limited resources.
Here are five must-dos for effective IT risk management.
Employee cybersecurity training or awareness campaigns
Many would probably think this is SOP for enterprises, but the reality is that employee training for cybersecurity is not as common as it should be. One survey shows that a big majority of small and medium enterprises, at 62 percent, do not provide any cybersecurity training at all. Also, around a third of enterprises that employ remote workers do not provide cybersecurity training even though they allow many of these teleworkers access to critical data.
Also, it does not help that a significant number of employees are not convinced that they have a role to play in cybersecurity. One report shows that 30 percent of employees believe they are not involved in the security posture of their respective organizations. Of those who have participated in cybersecurity training, only around half say that it has been helpful.
There is no doubt that cybersecurity training is important in the face of more aggressive cyber attacks and highly sophisticated threats powered by artificial intelligence. IT risk management significantly benefits from cybersecurity training, especially in the field of enterprise data security where the complexity keeps increasing as organizations adopt new technologies and changes in their IT infrastructure. It is important to optimize end-to-end security, establish a data-driven protection value chain, and improve agility in dealing with threats. These are foreign concepts beyond the IT or cybersecurity department, so it is a must to provide the right training to others in an organization.
Continuous attack surface identification, vulnerability assessment, and security validation
Periodic examinations of security controls, potential attack surfaces, and vulnerabilities no longer suffice. Cybersecurity solutions have indeed improved over the years, but this has also made threat actors more relentless and ingenious with their attacks. They know they have serious challenges to conquer, so they become more persistent in trying to defeat cyber defenses. If their attack fails, they can quickly come up with new variants or iterations of their attacks until they manage to skirt security controls.
Leveraging new technologies, especially AI, has allowed cybercriminals to churn out malware and complex attacks at a rapid pace not many organizations can keep up with. Windows of opportunity for attacks keep popping up because organizations fail to spot and remediate vulnerabilities promptly. It is nearly impossible to promptly detect and address security weaknesses without adopting continuous security validation and vulnerability scans.
Robust Third-Party Risk Management
Many enterprises maintain complex supply chains for their software, data, and online service needs. Most businesses do not produce their own software or web services, so they rely on third-party providers. While this has been an efficient system, it inevitably expands cyber risk factors and attack surfaces.
In software supply chains, for example, the software updates may be hijacked by threat actors, pushing malicious software into an organization’s network or sending out probing attacks to determine exploitable vulnerabilities. One example of this was the SolarWinds attack in 2019, which infected over 18,000 systems globally and resulted in damages worth billions of dollars.
As this high-profile attack proved, even the biggest enterprises can fail when it comes to third-party risk management. Enterprises tend to rely too much on the reputation of their third-party providers. Some have strict cybersecurity rules and policy enforcement, but they fail to take into account that third-party software components, online services, and data transmissions should also be meticulously overseen to ensure robust cybersecurity.
Business continuity or disaster recovery planning
A study on disaster readiness and recovery shows that only 54 percent of organizations have a documented disaster recovery plan (for the entire organization) in place. This should be a cause for alarm, given that the same study shows that around 73 percent of the respondents said that they suffered failures and outages at some point. The most common failures encountered were networking problems, unavailability of services, data integrity issues, failing or degrading app performance, and missing critical workloads.
Most modern organizations are prone to cyber attacks that can impact most of their operations. A ransomware attack, for example, can cause business activities to grind to a halt. It appears not a big majority of organizations are planning their way out of such a situation. Disaster recovery or business continuity planning is a must. It should clearly outline what an organization will do to address disruption in its operations, including the roles and responsibilities of those involved in managing the situation, the specific steps to be undertaken, and communication processes to coordinate efforts.
Disaster recovery plan testing
In connection to business continuity planning, many organizations also tend to not test their plans. Planning is not everything, and untested plans are as good as not having any at all. As such, it bears emphasizing that organizations need to make sure that their plans work.
The same disaster recovery study cited above shows that, among those that said they have disaster recovery plans, only 50 percent have undertaken plan testing or encountered an actual disaster that put their plans to the test. The reported frequency of recovery plan tests is also quite low, with 50 percent of the respondents saying that they conduct tests only once a year at most. Additionally, none of the respondents said that they have completely or moderately completed their disaster recovery plan tests.
The ceaseless changes in the cyber threat landscape make it more urgent for organizations to take IT risk management seriously. It is crucial to provide adequate cybersecurity training, conduct continuous threat monitoring, address third-party risks, come up with business continuity plans, and test the said plans. It is not mischaracterization to say that most organizations acknowledge the need to be proactive in dealing with IT risks. However, it is easy to miss some steps or fail to do crucial risk management actions because of complexities, inadequate expertise and experience, lack of resources, and other reasons. The vital IT risk management must-dos described above should be a good starting point to address the problem.