Wednesday, January 15, 2025

Does My Business Need a Cyber Risk Management Strategy?


It can be tempting to think that your company is safe because you’re invested in a tech platform that displays a smaller attack surface to the network. For instance, Macintosh users have claimed for years that they’re in a safer position than those who use most other operating systems. The recent switch to M1-type microprocessors was heralded as a further step forward that would make the platform even more secure, since these are based on the ARM architecture and therefore immune to the various security bugs that have plagued Intel’s chips in recent years.

Security researchers have now proven that it’s possible to spread malware via the Xcode environment to computers running macOS 11 on M1 processors. This has thrown a major curve ball to those who thought that their systems were safe because they weren’t Intel-based. No matter what kind of technology you’re using, there’s going to be some risk inherent in connecting it to a network. You’d only be truly safe if you never got information into or out of a machine.

Since few people would ever want to run a business like that, you’ll more than likely want to put at least some kind of mitigation strategy in place.

Types of Cyber Risk Management Strategies

The above example of security by obscurity is a valid strategy for an IT department to try, but even a company that’s pursuing it should still consider itself at risk. A firm engaged in edge computing that uses all custom cloud apps could still theoretically have some kind of zero-day exploit that would remain undiscovered until, suddenly, a bad actor stumbled upon it while trying to gain access to its storage services. When that happens, there’s a good chance that the bad actor could execute arbitrary code.

Implementing foundational and organizational cyber security controls is vital when it comes to reducing your firm’s risk of falling prey to bad actors. According to a list of the top 20 CIS critical security controls, creating an active inventory of all of the physical hardware devices connected to a network is the most basic thing an IT department should do in order to reduce the potential for a cyber attack. This inventory needs to be regularly updated. If something seems amiss, then there’s a good chance that someone has unauthorized access to a network.
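One way to check an inventory like this against what is actually on the network, shown as an added example that is not part of the original article. The inventory CSV layout, the addresses and the function names are constructed for illustration; the observed-device input follows the format printed by `ip neigh show` on Linux.

```python
import csv
import io
import re

# Constructed sample data: approved inventory (CSV) and neighbor-table
# output in the format printed by `ip neigh show` on Linux.
INVENTORY_CSV = """mac,owner,description
00:11:22:33:44:55,it-ops,core switch
66-77-88-99-AA-BB,finance,network printer
CC:DD:EE:FF:00:11,it-ops,file server
"""
NEIGH_OUTPUT = """192.0.2.1 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
192.0.2.20 dev eth0 lladdr 66:77:88:99:aa:bb STALE
192.0.2.77 dev eth0 lladdr de:ad:be:ef:00:01 REACHABLE
192.0.2.90 dev eth0  FAILED
"""

MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")

def normalize_mac(raw):
    """Lower-case, colon-separated form so 66-77-.. and 66:77:.. compare equal."""
    mac = raw.strip().lower().replace("-", ":")
    if not MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {raw!r}")
    return mac

def load_inventory(text):
    """Return {mac: row} for every device in the approved inventory."""
    return {normalize_mac(r["mac"]): r for r in csv.DictReader(io.StringIO(text))}

def parse_neighbors(text):
    """Return {mac: ip}; entries with no link-layer address (e.g. FAILED) are skipped."""
    seen = {}
    for line in text.splitlines():
        fields = line.split()
        if "lladdr" in fields and fields.index("lladdr") + 1 < len(fields):
            seen[normalize_mac(fields[fields.index("lladdr") + 1])] = fields[0]
    return seen

def reconcile(inventory, observed):
    """Split the difference into unknown (seen, not listed) and absent (listed, not seen)."""
    unknown = {m: ip for m, ip in observed.items() if m not in inventory}
    absent = sorted(m for m in inventory if m not in observed)
    return unknown, absent

if __name__ == "__main__":
    unknown, absent = reconcile(load_inventory(INVENTORY_CSV), parse_neighbors(NEIGH_OUTPUT))
    for mac, ip in unknown.items():
        print(f"UNKNOWN device {mac} at {ip}: not in inventory, investigate")
    for mac in absent:
        print(f"ABSENT  device {mac}: in inventory but not seen, confirm or retire")
```

A neighbor table only covers the local segment and MAC addresses can be changed, so treat a clean result as a first-pass check rather than proof that nothing unauthorized is connected.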

Only when this is complete should IT department staffers ever start to track software considerations. Virtualization has become a hot-button issue in the last few years, and the massive growth of virtual private servers has started to diminish the importance of physical hardware. That being said, even the most sophisticated VPS has to run on something, so it’s important that IT staffers take note of everything that’s connected to their organization’s network. Pay close attention to everyone who has physical access to your facilities, as well. Before you say that physical attacks are a thing of the past, consider the fact that at least one bad actor used a drone flight path to gain access to network printers.

Most of the other controls an organization should put in place are much less onerous than this, however, so you might not run into as much difficulty as you’d otherwise think.

Managing the Risk of Zero-day Vulnerabilities

So-called 0-day exploits are among the most difficult for IT departments to contend with, because there’s always a strong possibility that all of the software a company is running could be compromised without anyone realizing it. The good news is that enforcing a policy of regular updates is enough to deal with even complex problems, like those related to the recent desktop window manager bug. A much bigger risk comes from individual users relying on their tech at work.

A bring-your-own-tech policy can be really helpful, but you never know quite what your staffers might be doing with their machines outside of work. Few companies want to have to issue corporate devices to every single individual if they already have phones and laptops that they could be using at work, but you’ll want to put at least some sort of mitigation in place to deal with the added risk that comes with connecting a whole bunch of mobile devices to a single private network.

The most recent numbers anyone seems to have suggest that 65 percent of IT departments still haven’t automated their firewalls and another 38 percent continue to use ad hoc methods to report potential security issues. While you don’t have to incorporate the most faddish strategies around, you will want to keep abreast of any changes in the industry.

Most importantly, you’ll want to make sure that everyone else on your team gets a chance to communicate their issues. Including all of your business’ departments will help to keep everybody on the same page at all times.
