Digital Security Controls to Address Risk in Business Systems

Ray Gasnick III
August 28, 2024

When it comes to the systems that an organization uses to run its business, there are risks at many different levels.

Identifying and either managing or mitigating these risks is an essential part of enterprise risk management, yet it often does not get the necessary prioritization.

Discover how your organization can reduce cyber threats, protect critical data, and defend against cyberattacks.

Identifying Security Risks

To determine where security controls will be most effective, it is necessary to understand the threat to the organization.

Businesses that deal with protected data types such as Protected Health Information (PHI), Personally Identifiable Information (PII), and Controlled Unclassified Information (CUI) are often assumed to have a higher risk.

The reality is that any organization can be a target for a cyberattack since money is one of the fundamental motivators for attacks.

Where Does the Risk Originate From?

To combat threats, a business must first identify where the risks originate. Most commonly, organizations turn to tactics such as vulnerability scanning and penetration testing to identify exploitable vulnerabilities.

While these are sources of many threats, they are not the only sources. Many threats do not rely on exploitable firewalls, missing patches, or endpoint protection but instead depend on human nature.

With the volume of systems that are internet-accessible, an organization’s employees can introduce as much risk and vulnerability to the infrastructure as a missing patch could—and in some cases, even more. Executing a risk assessment helps identify potential threats, existing controls, or weaknesses within the digital security controls and overall security posture.

Reducing Security Risks with Enterprise Risk Management

Reducing Attack Surface


An organization’s attack surface is the set of exposed points in its systems that an attacker could target. For this reason, the principle of least functionality is an important place to start in enterprise risk management.

Take a SaaS-based ERP system, for example. It may have the capability to have various portals, APIs, and integrations, but if your business does not need all of that functionality, disabling the unused features can boost your security posture immensely.

Enforcing Digital Security Controls Proactively

Once you have identified the business necessities in the organization’s systems, it’s time to start building up the defense-in-depth controls. No system is 100% attack-proof, but with a sufficient amount of enforced controls, opportunistic attacks can be fought off.

In any organization, the risk is generally a byproduct of the implemented security controls or, in some cases, the lack thereof.

Therefore, the best way to address this is to adopt a defense-in-depth approach to the organization’s security posture. Users with weak passwords and accounts that lack Multi-Factor Authentication (MFA) can allow attackers to access the same systems as if they were employees.

What is Defense-In-Depth?

Take a moment to think about the entry door to your house. Is it:

  • Closed?
  • Locked at the knob?
  • Deadbolted?
  • Alarmed?
  • Visible via a surveillance camera?

Each additional layer of controls provides that much more security. Network and system security is no different. Think about your organization’s internet-facing systems in the same way, with the login page as your front door. Is it:

  • Protected using strong password policies?
  • Protected using enforced MFA?
  • Protected using conditional access policies?
  • Monitored for unusual activity?

These principles apply whether this is your email system, your VPN or other remote access methodology, or your ERP application.

Single Sign-On (SSO) supported systems can help organizations ensure that they apply a consistent set of authentication policies across all of their employees, which is crucial in enterprise risk management.

Protecting Data with Digital Security Controls

If defending against initial access to an organization’s system is the first goal, protecting the data and limiting lateral movement is the second. How do we accomplish this?

Role-Based Access Control (RBAC) and the Principle of Least Privilege

Movies and TV would have everybody believe that encrypting everything around you is the way to protect it. While encryption does provide one avenue of protection, it generally does not address the actual threats to that information.

Limit what users can access by:

  • Defining roles
  • Restricting administrative rights over servers or user endpoints that do not require them
  • Separating non-privileged accounts from privileged accounts

These are ways to mitigate what an attacker or an insider threat is capable of doing once they have access to your network.

Preparing for the Worst: Enterprise Risk Management Strategies

A strong security posture requires a balance of both proactive and reactive controls to defend an organization. While the proactive ones serve to dissuade the attacker, it’s necessary to ensure that the business can be equally prepared to fight back when a cyberattack occurs.

Incident Response Plans

Preparing for the worst means acknowledging that an attacker can gain access to your environment. While this is not ideal, having a plan of how to identify, contain, eradicate, and mitigate an attack is essential.

Plans need to consider how your business knows that there is an incident—this can vary from automated systems such as endpoint protection/antivirus applications to human-reported incidents. Employees should be encouraged to report suspected or confirmed incidents alike because time is the attacker’s ally.

Once an incident has been identified, you need to know how to handle it. The important aspect is not to tackle this alone; if your business uses a Managed IT Services Provider, they can assist in the initial containment.

Businesses should also consider reaching out to their Cyber Insurance Providers, as many of the actual response actions crafted to protect the organization are already being paid for in the policy.

Eradication and Mitigation are the longest parts of the process and can often be the most disruptive, but doing these steps correctly is essential. Seeking the assistance of a subject matter expert may save the organization in the long run.

Business Continuity / Disaster Recovery / Backup Plans

When ransomware attacks were on the rise, they were not combated by endpoint protection/antivirus software. Instead, the best defense against a ransomware infection was a strong backup system.

One of the best security investments an organization can make is backup systems with both on-premises (if needed) and cloud-based components with sufficient retention to meet the organization’s availability needs.

Of course, these are not without their own rules for protection. A backup system should be limited in the scope of who can access it and how. Effective backup systems are isolated from the services they back up, so that an attack against one part of the organization cannot be turned against the backup data.

Backup systems are not sufficient by themselves without a plan for their use. Knowing that you have a system in place with a Recovery Point and Recovery Time Objective to keep business flowing still requires knowing how and when to use it for recovery.

Lastly, considering the topic of recovery, we should not forget that the IT systems in an organization are not the only elements that need continuity. Sometimes it’s a person in a key role, a piece of equipment or machinery that is not networked, or a business process. These are the areas of risk that cannot be overlooked and need to be considered in the overarching “plans.”

Continuous Improvement of Digital Security Controls

Information security posture controls do not follow a “set it and forget it” paradigm. Any organization’s controls need to be maintained, improved, and measured over time.

Accurate Automated Inventory

Inventory of the organization’s user and server endpoints is the most important element in the stack of controls. Your business needs to know what it has in order to know that it is being protected effectively. Incomplete inventories of assets lead to incomplete endpoint protection, inconsistent patching, and, in some cases, unknown end-of-life systems hiding on the network.

Endpoint Protection Solution

Every organization’s endpoints need a good and effective endpoint protection solution to defend against malware, ransomware, and other malicious activities. After deployment, it needs to be adequately tuned to ensure that true positives are not concealed by false positives.

Regular Operating System and 3rd Party Application Patching

Patching both operating systems and the 3rd party installed applications on the endpoints comes in a close second to endpoint protection. This needs to be done regularly, consistently, and in a timely manner.

Security Information and Event Management (SIEM)

A SIEM solution collects available log data from many sources so that it can be evaluated, examined, and scrutinized for trends, patterns, and inconsistencies. The system is only half of the equation; as every business is different, the definition of anomalous will vary from organization to organization.
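The point above (and the "monitored for unusual activity" item in the front-door checklist) is that "anomalous" is defined by the organization, not by the tool. The following is an added illustration, not code from the original article or from Miles IT: a small set of sign-in checks driven by an assumed per-organization baseline, run over constructed sample events.

```python
"""Sign-in anomaly checks tuned by an organization-specific baseline (added example)."""
from collections import defaultdict
from datetime import datetime

# Constructed sample sign-in events, not real logs:
# (timestamp, user, source_ip, country, result, mfa_used)
SAMPLE_EVENTS = [
    ("2024-08-26T09:02:11", "alice", "203.0.113.10", "US", "success", True),
    ("2024-08-26T09:05:43", "bob",   "203.0.113.10", "US", "success", True),
    ("2024-08-26T02:14:09", "carol", "198.51.100.7", "RO", "success", False),
    ("2024-08-26T03:00:01", "alice", "192.0.2.44",   "US", "failure", False),
    ("2024-08-26T03:00:02", "bob",   "192.0.2.44",   "US", "failure", False),
    ("2024-08-26T03:00:03", "carol", "192.0.2.44",   "US", "failure", False),
    ("2024-08-26T03:00:04", "dave",  "192.0.2.44",   "US", "failure", False),
]

# The baseline is where each organization defines "normal" (assumed values).
BASELINE = {
    "expected_countries": {"US"},
    "business_hours": (7, 19),  # local hours in which interactive sign-in is expected
    "spray_threshold": 3,       # distinct accounts failing from one source in the batch
    "require_mfa": True,
}

def evaluate(events, baseline):
    """Return (rule, detail) findings for the events under the given baseline."""
    findings = []
    failed_users_by_source = defaultdict(set)
    start, end = baseline["business_hours"]
    for ts, user, src, country, result, mfa in events:
        hour = datetime.fromisoformat(ts).hour
        if result == "success":
            if country not in baseline["expected_countries"]:
                findings.append(("unexpected_country", f"{user} from {country} ({src})"))
            if not (start <= hour < end):
                findings.append(("off_hours_signin", f"{user} at {ts}"))
            if baseline["require_mfa"] and not mfa:
                findings.append(("signin_without_mfa", f"{user} from {src}"))
        else:
            failed_users_by_source[src].add(user)
    # One source failing against many different accounts is a spray pattern.
    for src, users in failed_users_by_source.items():
        if len(users) >= baseline["spray_threshold"]:
            findings.append(("password_spray_pattern", f"{src} failed against {len(users)} accounts"))
    return findings

if __name__ == "__main__":
    for rule, detail in evaluate(SAMPLE_EVENTS, BASELINE):
        print(f"[{rule}] {detail}")
```

Changing only the baseline (for example, adding a country or relaxing the MFA requirement) changes which of the same events are flagged, which is the tuning work the paragraph refers to.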

Vulnerability Scanning and Analysis

Vulnerability scanning is another proactive tool in an organization’s toolbox. The concept is to ensure that the user and server endpoints, network equipment, and ancillary network-based equipment are free of exploitable vulnerabilities.

This needs to be evaluated both internally and externally because while there may be no directly exploitable, external-facing vulnerabilities at an organization, an insider threat or a weak authentication control can make the internal ones accessible to an external party.

Employee Awareness Training

Employees are not the last line of defense in all cases; they are the last line of defense when the other controls have failed. As such, appropriate awareness training should be periodically given to employees so that they are more aware of attack methodologies.

Additionally, employees should be taught to question something that seems out of place. If it feels out of place, it most likely is. Questioning a request that seems out of place on the grounds that it may upset a manager or an executive will be appreciated by that manager or executive when it stops a potential social engineering attack.

Penetration Testing / Security Posture Assessments

Once an organization has a high degree of confidence in its digital security controls, these engagements can be used to test their effectiveness. The goal of each is to identify single or multiple paths that can be exploited in order to gain initial access to an organization’s systems, move laterally between systems, escalate privilege, and gain access to high-value targets.

Executing these engagements in a controlled manner allows an organization to understand and address system flaws before an unauthorized attacker has the opportunity to exploit them.

Takeaways

  • Threats come from a variety of technical and non-technical sources, and all should be considered when assessing an organization’s risk.
  • There is no single solution that will protect an organization from its threats, but organizations should instead apply defense-in-depth principles, least functionality, and least privilege.
  • Be prepared. Cyberattacks are not as much an “if” as a “when,” so having the strategy to fight back against the attack is as important as the tools meant to stop it in the first place.
  • Controls need to be in place, monitored, and maintained regularly—you simply cannot “set it and forget it” with security.
  • When in doubt, consult with a security professional about controls that can better protect your environment.

Meet Ray Gasnick III

Ray has been part of Miles IT for 20+ years, holding roles from IT Consultant to his current position as the Director of Compliance and Risk Management. He works with internal security teams and clients to develop, implement, document, & strengthen control activities to meet regulatory/B2B imposed necessities. Ray also develops many of Miles IT’s security & compliance services.
