If you had a chance to read part 1 of this blog series, you’ll remember that my top 3 risk management predictions for the next six months included:
- A huge increase in reported data breaches
- An increase in COVID-19 related phishing emails
- An increase in targeted ransomware attacks
In this post, I’ll explain how businesses and organisations can plan for and manage these risks.
Determine endpoints and end-users for cyber security risk management
The first prediction is the easiest to address. At the time of writing it was estimated that 70% of all breaches could be traced back to an endpoint, meaning a computer, tablet, smartphone or similar device. A recent report also found that organisations were identifying mobile computing as the fastest-growing threat to information security.
This is not surprising given the ad-hoc way some organisations had to embrace mobile computing in response to the sudden lockdown. What is surprising is that while technological security solutions are evaluated, purchased, and deployed, the end-user is frequently overlooked. I think this will be addressed in the near future with more companies investing in cyber security training for their staff. It will also be a mandatory requirement to attend the training, just as it is for GDPR training.
This is as it should be, considering that most data breaches can be traced back to an endpoint and the actions of a user. Training users in cyber security makes them better equipped to avoid a data breach, and with it the GDPR fines and reputational damage that can follow. Another report I was reading used the term ‘human firewall’ for the end-user, and that is exactly how they should be considered in the context of information security.
The ‘human firewall’ is the first line of defence of any organisation and it needs to be kept up to date and suitably equipped to spot and deal with attacks. Think of how you would patch, update and test a technical firewall. It is exactly the same for the human one: keep them current with regular awareness refreshers, and periodically test their effectiveness, for example with simulated phishing emails, rather than assuming that a single training session will hold.
With the rush to working from home, many organisations have had to work with a mixture of company laptops of varying builds and a range of personally owned PCs. Such a range of diverse equipment and software builds is unsustainable. IT departments will struggle to support so many different configurations, and every unmanaged or unknown build introduces risks that cannot be properly quantified, let alone patched and monitored.
Standardisation of the endpoints is the logical approach to address the problem. There are two ways of doing this. One approach is to issue a laptop (or tablet) with a standard build to everyone who does not already have one. The other is to virtualise the endpoint, so that the user's own device only displays a centrally managed desktop and the organisation's data never has to reside on it. Both approaches have their benefits and drawbacks, and the one chosen will reflect the skills and resources available to the organisation.
Lastly, I am going to turn my focus to backups. It is an area that is often ignored and generally left to the IT department to sort out, when it really should be one of the most important considerations of any information asset owner. If a ransomware attack were to take place, then the backups are essential to recovering from it. Note the proviso: only backups the attacker could not reach count. A backup copy that is online and writable from the infected network is likely to be encrypted along with everything else, so at least one copy needs to be offline or otherwise immutable. You could, of course, pay the demanded ransom, but remember that you are not dealing with honourable people. These are criminals attempting to extort money from you, and you may or may not get the keys to decrypt the information.
Organisations should be evaluating their backups to determine what impact a ransomware attack would have: how much data would be lost between the last usable backup and the attack, whether that backup could itself have been encrypted, and whether a restore has actually been tested recently. If the impact is too great, change the backup strategy or mitigate with other controls, which is normal practice for any risk management strategy.
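As an added worked example (not code from the original post), the following script turns the backup evaluation described above into a repeatable check. It takes an inventory of information assets and their backup sets and reports, per asset, the data-loss window a ransomware attack would cause and the findings that make recovery doubtful: a backup older than the owner's acceptable loss, a copy that is online and writable, or a restore that has never or not recently been tested. The inventory, the asset names, the 90-day restore-test threshold and the acceptable-loss figures are all constructed assumptions for the example.

```python
"""Ransomware backup-exposure check.

Added example: estimates what a ransomware attack would cost each asset in lost
data and flags backup sets that could not be relied on for recovery. The
inventory and thresholds below are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Assumed threshold: a restore test older than this is treated as stale.
RESTORE_TEST_MAX_AGE = timedelta(days=90)


@dataclass
class BackupSet:
    asset: str
    last_backup: datetime
    last_restore_test: Optional[datetime]
    offline_or_immutable: bool      # can ransomware on the network reach and encrypt it?
    max_acceptable_loss: timedelta  # the asset owner's acceptable data-loss window


@dataclass
class Assessment:
    asset: str
    data_loss_window: timedelta
    findings: List[str] = field(default_factory=list)

    @property
    def acceptable(self) -> bool:
        return not self.findings


def assess(backup: BackupSet, now: datetime) -> Assessment:
    """Evaluate one backup set as if ransomware struck at `now`."""
    window = now - backup.last_backup
    result = Assessment(asset=backup.asset, data_loss_window=window)

    if window > backup.max_acceptable_loss:
        result.findings.append(
            f"data-loss window {window} exceeds acceptable {backup.max_acceptable_loss}")
    if not backup.offline_or_immutable:
        result.findings.append(
            "backup copy is online and writable: ransomware could encrypt it too")
    if backup.last_restore_test is None:
        result.findings.append("restore has never been tested: recovery is unproven")
    elif now - backup.last_restore_test > RESTORE_TEST_MAX_AGE:
        result.findings.append(
            f"last restore test older than {RESTORE_TEST_MAX_AGE.days} days")
    return result


def evaluate_inventory(now: Optional[datetime] = None) -> List[Assessment]:
    """Run the check over a constructed inventory (assumed data, not real assets)."""
    now = now or datetime(2020, 6, 1, tzinfo=timezone.utc)
    day = timedelta(days=1)
    inventory = [
        # Healthy: recent immutable backup, restore tested last month.
        BackupSet("customer-db", now - timedelta(hours=4), now - 30 * day, True, 1 * day),
        # Worst case: stale, online, never restored.
        BackupSet("file-share", now - 3 * day, None, False, 1 * day),
        # Recent and offline, but the restore test is well out of date.
        BackupSet("hr-records", now - timedelta(hours=12), now - 200 * day, True, 1 * day),
    ]
    return [assess(b, now) for b in inventory]


if __name__ == "__main__":
    for a in evaluate_inventory():
        status = "OK" if a.acceptable else "AT RISK"
        print(f"{a.asset:12} loss window {a.data_loss_window}  {status}")
        for f in a.findings:
            print(f"    - {f}")
```

Run as a script it prints one line per asset plus its findings; the asset owner, not IT, decides what `max_acceptable_loss` should be, which is the point of the paragraph above. A finding on the "online and writable" check is the one to act on first, because it means the backup would not survive the attack it exists to recover from.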
In conclusion, my suggestions for mitigating the top 3 risks in the next six months include:
- Standardise endpoints
- Focus on staff training and ready the ‘human firewall’
- Evaluate the backup strategy
As we discussed in part one of this blog series, the attack surface is widening for threat agents and will continue to do so. We can’t stop this but we can prepare.
I hope you found this series useful. If you have any specific questions on how to improve your Risk Management Strategy, please feel free to contact one of our risk experts.