Enterprise Risk Management – When Was Your Last Security Incident?

Richard Long

In Risk Management, preparation and information are our best tools. One of my mantras is “Hope is not a strategy.” This mantra is particularly the case for security issues. Other than people, data is the most valuable asset for most organizations, and data thieves recognize that fact. In today’s blog, we will focus on data and network security. As a risk manager or business continuity professional, do you understand your organization’s data security strategy and how it integrates into your plans? You don’t need to be a certified network engineer or security analyst to understand that a proper approach and set of tools should be in place to protect your environment from unwanted attacks or access.

The following are items to review and consider as you work with your IT team.

Network Access Segmentation

While it can cause some frustrations, ensuring proper network access by both individuals and applications can help prevent data loss or inappropriate access even if a malicious attack does occur. We are all aware of the need to ensure that public access is separate from corporate access – perimeter zone or DMZ. Within your internal network, it is helpful to separate web services or application servers from servers that contain data. You should also limit user access to critical applications or data, but it is not a guarantee of protection.

Detection

You may consider implementing a device or service that monitors your network for malicious activity or policy violations. These are reactive tools. Though malicious activity gets media attention, often non-malicious policy violations are a bigger risk – think about a phishing attack that puts malware on individual workstations. Also, confidential or proprietary data loss can occur when copies exist on removable storage or are sent to personal email or cloud storage.

Analytics/Assessment

Some services will perform an assessment of potential vulnerabilities in your organization. You may find that some vulnerabilities exist, but there are currently no known exploits (but there could be in the future). You may also find specific vulnerabilities with known exploits. There are also both on-premise or cloud-based tools that monitor and scan your environment. These provide real-time or regular vulnerability notifications. These then allow for proactive remediation based on risk.

Multiple services will perform penetration testing for your organization. They will try to exploit vulnerabilities in your environment to gain access to your network, systems, and applications. This is another proactive strategy to remediate potential vulnerabilities.

You may not have the budget to perform all of the above steps or to implement them fully. As part of your risk analysis, I recommend that you determine if applying a portion of the strategies above would be beneficial. Monitoring critical systems or segments of your network may be appropriate, rather than conducting some of the more proactive activities. Your strategy will depend on your organization’s risk profile.

Remember, it is not if there will be some type of security event, but when. We never say that so scare you, but it’s important that you are proactive. These events can have a high business impact, costing hundreds of thousands to millions of dollars. Potentially more impactful than the financial consequences is the brand or reputational impact. Data and network security issues are some of the most probable and high-impact risks in organizations today. Is your enterprise prepared and informed?

About
Richard Long is one of MHA’s practice team leaders for Technology and Disaster Recovery related engagements. He has been responsible for the successful execution of MHA business continuity and disaster recovery engagements in industries such as Energy & Utilities, Government Services, Healthcare, Insurance, Risk Management, Travel & Entertainment, Consumer Products, and Education. Prior to joining MHA, Richard held Senior IT Director positions at PetSmart (NASDAQ: PETM) and Avnet, Inc. (NYSE: AVT) and has been a senior leader across all disciplines of IT. He has successfully led international and domestic disaster recovery, technology assessment, crisis management and risk mitigation engagements.
risk limitationDRAAS Providers