Broadly speaking, organisations implement risk assessments to identify the hazards present in their business environment and the potential impact those hazards could have on the company. The aim is to protect the various assets of the business, and in today's growing digital landscape, data should be at the centre of that effort.
However, with the exponential increase in data generation and the fact that data is becoming a huge target for cybercriminals, will a simple risk assessment do? George Lee, RSA's Vice President for Asia Pacific and Japan, discussed this important issue with CSA. George believes that traditional risk assessments, which typically depend on manual processes to keep track of assets and compliance, are not going to be enough in today's changing business climate.
With the growth of the digital landscape today, more and more data will be managed by organisations and their IT infrastructure. George said that companies have to be flexible and embrace this change, but it also opens up a completely new realm of risks and a much bigger attack surface for cybercriminals.
According to him, businesses now have to look at a different set of risks compared to traditional businesses, especially with the rising trend of the remote workforce. “Understanding what data goes out, what data goes to the cloud, what data goes to the end user and how we run compliance on those data – those are all the things that today's businesses face especially with the digital transformation and the acceleration of digital businesses,” explained George.
Lowering the Risk from End Users
A breach may be inevitable at some point for today's always-connected businesses. On this, George's advice is for companies to always think about its consequences and how they can remediate the situation. "The key here is really understanding the risk behind your data. That is one of the reasons why RSA wants to focus on risk assessment. This is something that all security practitioners and risk practitioners are struggling to manage," George said.
He added that a lot of organisations were in a very "reactive mode" when the pandemic started. However, George assured that there are still proactive measures that can be deployed, saying that proactive risk assessments and educating employees about the risks are becoming crucial steps that every business has to take.
"We have to make sure that every single employee in the organisation understands that the work-from-home arrangement actually opens up a lot of overall risks for the organisation. This is all about the users understanding the risks, like a bottom-up approach," he explained.
Additionally, George recommended some basic steps that organisations should undertake, like asking where their biggest risk is – the data, the infrastructure, or the people – and running a risk assessment on those.
He also said that one of the best ways to mitigate risk is by letting users understand that the responsibility is not just the company's or the security practitioners': it is everybody's responsibility to safeguard the organisation and its data.
This is evident from the fact that cyber-attacks still mostly target end users. "Phishing remains the most prominent attack vector. We still see growth for ransomware, especially in the healthcare sector and in the public sector. There are also instances of cybercriminals [targeting users directly], whether through phishing attacks or scams. Risks like those are bound to be in the workforce of today or even in the future, so we should train them about those cybersecurity risks," George explained.
But it's not all negative. George believes that user maturity has definitely improved, especially in the last couple of years, even at the C-suite level. This is mostly thanks to the high-profile cybersecurity breaches of recent years, which have helped users understand the various risks they face. He added that widespread news coverage and information on cyber threats and breaches have definitely helped raise their awareness.
Protecting What Matters
Interestingly, George said that there is an apparent lack of collaboration among the so-called "good guys" compared to the "bad guys" when it comes to improving risk assessment and even risk mitigation. For instance, cybercriminals tend to organise on the dark web about attacking a certain entity and share information among themselves, whereas companies tend to keep to themselves with regard to the cyber-attacks they are experiencing.
“They should also be telling the authorities. They should be telling their fellow colleagues about the attacks. Say things like 'I got a breach with this technique or this thing. Watch out for it'. The good guys should collaborate a bit more to prevent future breaches and go against the bad guys,” said George.
As part of its risk assessment strategy, George said that RSA believes in a unified approach to managing digital risk: understanding the organisation, having visibility, automating insights, and putting the controls and actions in place.
RSA also focuses on helping organisations understand and protect what matters most to them. George added that once companies suffer a breach, they should determine what they have lost and understand what kind of data was stolen, so that they can mount a much better response.
To help organisations do that, RSA offers reliable authentication suites with SecurID and an integrated risk management platform equipped with Archer IT & Security Risk Management. These tools can help improve decision-making by enabling businesses to compile a complete picture of technology- and security-related risks and understand their financial impacts.
George ended with a note: "That's what risk management is all about: understanding what matters to you, and since you can't protect everything, just protect what matters."