One of the most important goals of IT Security, perhaps the most important goal, is to reduce risk. Generally, when we think of IT Security and Cyber Risk, we think of hackers and breaches; however, a security breach is just one element of risk. Cyber risk includes the risk of financial loss, disruption to business, or damage to the reputation of an organization due to some sort of failure of its information technology systems. It can also come from many different sources, such as environmental factors, under-staffing, under-funding, lack of processes and procedures, misaligned processes and policies, equipment failure, and breaches. Being able to fully understand what risk is present and determine the best way to mitigate that risk is a significant challenge for any organization. This often leads to a security solution compounding your risk rather than mitigating it. Here are two common ways we’ve seen security solutions increase an organization’s risk.
The first situation we frequently come across during our security engagements is one where an organization has all the right tools to address its threats, but not enough trained staff to manage those tools. This under-staffing compounds the organization’s risk, because now the tools themselves may not be properly secured. Frequently, funding to hire support staff for the tool was never considered when it was originally purchased.
Another situation we’ve seen is one where the security tool implemented isn’t aligned to the actual threat. That sounds silly when you read it, but it’s more common than you’d think. One such case involved a community college that deployed an extensive firewall solution. As it turned out, the biggest threat Walters State Community College faced was ransomware, which easily circumvents a firewall. In this case, the solution, though it improved security, wasn’t the right fit and resulted in increased risk by providing a false sense of security.
To fix this problem, we assessed the existing security infrastructure. This allowed IE and Walters State to explore a more holistic solution that would enable their IT team to quickly identify and contain malware and phishing threats, thus minimizing their overall risk. Immediately, Walters State saw results when the solution went live because they now had a more defined security posture, a simplified security landscape, and enhanced insight into threats to their system.
Security solutions should be well aligned and well supported to minimize an organization’s overall risk, but too often the solution compounds risk, through no fault of the actual technology. This compounded risk muddies an already complicated issue, leaving many organizations and security teams feeling overwhelmed. The best way to sift through these murky waters, bring clarity to the situation at hand, and create a path to reducing risk and improving your security posture is a risk assessment. Risk assessments, as part of a risk management program, ensure your team has a comprehensive understanding of your risk and knows how best to address it. If you’d like to know more about IE’s Risk Assessment, or how we can help improve your security posture, contact our Security Team today.
Click here to read more about how IE and Walters State improved the college’s security posture with Cisco technology.
About the Author:
Jason Smith is an IT Security and Compliance Consultant at Internetwork Engineering. Jason has several years of experience in IT, IT Security, and Compliance. He has worked in retail, government contracting, telecom, state and local government, and banking to ensure secure and compliant environments. Jason is a graduate of Western Carolina University (BS – Criminal Justice) and East Carolina University (MS – Technology Systems-Information Security).