Enterprise Risk Management – When Was Your Last Security Incident?

In Risk Management, preparation and information are our best tools. One of my mantras is “Hope is not a strategy.” This mantra is particularly the case for security issues. Other than people, data is the most valuable asset for most organizations, and data thieves recognize that fact. In today’s blog, we will focus on data and network security. As a risk manager or business continuity professional, do you understand your organization’s data security strategy and how it integrates into your plans? You don’t need to be a certified network engineer or security analyst to understand that a proper approach and set of tools should be in place to protect your environment from unwanted attacks or access.

The following are items to review and consider as you work with your IT team.

Network Access Segmentation

While it can cause some frustrations, ensuring proper network access by both individuals and applications can help prevent data loss or inappropriate access even if a malicious attack does occur. We are all aware of the need to ensure that public access is separate from corporate access – perimeter zone or DMZ. Within your internal network, it is helpful to separate web services or application servers from servers that contain data. You should also limit user access to critical applications or data, but it is not a guarantee of protection.

Detection

You may consider implementing a device or service that monitors your network for malicious activity or policy violations. These are reactive tools. Though malicious activity gets media attention, often non-malicious policy violations are a bigger risk – think about a phishing attack that puts malware on individual workstations. Also, confidential or proprietary data loss can occur when copies exist on removable storage or are sent to personal email or cloud storage.

Analytics/Assessment

Some services will perform an assessment of potential vulnerabilities in your organization. You may find that some vulnerabilities exist, but there are currently no known exploits (but there could be in the future). You may also find specific vulnerabilities with known exploits. There are also both on-premise or cloud-based tools that monitor and scan your environment. These provide real-time or regular vulnerability notifications. These then allow for proactive remediation based on risk.

Multiple services will perform penetration testing for your organization. They will try to exploit vulnerabilities in your environment to gain access to your network, systems, and applications. This is another proactive strategy to remediate potential vulnerabilities.

You may not have the budget to perform all of the above steps or to implement them fully. As part of your risk analysis, I recommend that you determine if applying a portion of the strategies above would be beneficial. Monitoring critical systems or segments of your network may be appropriate, rather than conducting some of the more proactive activities. Your strategy will depend on your organization’s risk profile.

Remember, it is not if there will be some type of security event, but when. We never say that so scare you, but it’s important that you are proactive. These events can have a high business impact, costing hundreds of thousands to millions of dollars. Potentially more impactful than the financial consequences is the brand or reputational impact. Data and network security issues are some of the most probable and high-impact risks in organizations today. Is your enterprise prepared and informed?