Thursday, March 28, 2024

Does My Business Need a Cyber Risk Management Strategy?

It can be tempting to think that your company is safe because you’re invested in a tech platform that displays a smaller attack surface to the network. For instance, Macintosh users have claimed for years that they’re in a safer position than those who use most other operating systems. The recent switch to M1-type microprocessors was heralded as a further step forward that would make the platform even more secure, since these are based on the ARM architecture and therefore immune to the various security bugs that have plagued Intel’s chips in recent years.

Security researchers have now proven that it’s possible to spread malware via the Xcode environment to computers running macOS 11 on M1 processors. This has thrown a major curve ball to those who thought that their systems were safe because they weren’t Intel-based. No matter what kind of technology you’re using, there’s going to be some risk inherent in connecting it to a network. You’d only be truly safe if you never got information into or out of a machine.

Since few people would ever want to run a business like that, you’ll more than likely want to put at least some kind of mitigation strategy in place.

Types of Cyber Risk Management Strategies

The above example of security by obscurity is a valid strategy for an IT department to try, but even a company that’s pursuing it should still consider themselves at risk. A firm engaged in edge computing that uses all custom cloud apps could still theoretically have some kind of zero-day exploit that would remain undiscovered until, suddenly, a bad actor stumbled upon it while trying to gain access to their storage services. When that happens, there’s a good chance that they could execute arbitrary code.

Implementing foundational and organizational cyber security controls is vital when it comes to reducing your firm’s risk of falling prey to bad actors. According to a list of the top 20 CIS critical security controls, creating an active inventory of all of the physical hardware devices connected to a network is the most basic thing an IT department should do in order to mitigate the potential of cyber attack. This inventory needs to be regularly updated. If something seems amiss, then there’s a good chance that someone has unauthorized access to a network.

Only when this is complete should IT department staffers ever start to track software considerations. Virtualization has become a hot button issue in the last few years, and the massive growth of virtual private servers has started to diminish the importance of physical hardware. That being said, even the most sophisticated VPS has to run on something, so it’s important IT staffers take note of everything that’s connected to their organization’s network. Pay close attention to everyone who has physical access to your facilities, as well. Before you say that physical attacks are a thing of the past, consider the fact that at least one bad actor used a drone flight path to gain access to network printers.

Most of the other controls an organization should put in place are much less onerous than this, however, so you might not run into as much difficulty as you’d otherwise think.

Managing the Risk of Zero-day Vulnerabilities

So called 0-day exploits are among the most difficult for IT departments to contend with, because there’s always a strong possibility that all of the software a company is running could be compromised without anyone realizing it. The good news is that enforcing a policy of regular updates is enough to deal with even complex problems, like those related to the recent desktop window manager bug. A much bigger risk comes from individual users relying on their tech at work.

A bring your own tech policy can be really helpful, but you never know quite what your staffers might be doing with their machines outside of work. Few companies want to have to issue corporate devices to every single individual if they already have phones and laptops that they could be using at work, but you’ll want to put at least some sort of mitigation in place to deal with the added risk that comes with connecting a whole bunch of mobile devices to a single private network.

The most recent numbers anyone seems to have suggests that 65 percent of IT departments still haven’t automated their firewalls and another 38 percent continue to use ad hoc methods to report potential security issues. While you don’t have to incorporate the most faddish strategies around, you will want to keep abreast of any changes in the industry.

Most importantly, you’ll want to make sure that everyone else on your team gets a chance to communicate their issues. Including all of your business’ departments will help to keep everybody on the same page at all times.

Website

Latest articles

GoPlus’s Latest Report Highlights How Blockchain Communities Are Leveraging Critical API Security Data To Mitigate Web3 Threats

GoPlus Labs, the leading Web3 security infrastructure provider, has unveiled a groundbreaking report highlighting...

Wireshark 4.2.4 Released: What’s New!

Wireshark stands as the undisputed leader, offering unparalleled tools for troubleshooting, analysis, development, and...

Zoom Unveils AI-Powered All-In-One AI Work Workplace

Zoom has taken a monumental leap forward by introducing Zoom Workplace, an all-encompassing AI-powered...

iPhone Users Beware! Darcula Phishing Service Attacking Via iMessage

Phishing allows hackers to exploit human vulnerabilities and trick users into revealing sensitive information...

2 Chrome Zero-Days Exploited at Pwn2Own 2024: Patch Now

Google has announced a crucial update to its Chrome browser, addressing several vulnerabilities, including...

The Moon Malware Hacked 6,000 ASUS Routers in 72hours to Use for Proxy

Black Lotus Labs discovered a multi-year campaign by TheMoon malware targeting vulnerable routers and...

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles