Risk management quantifies and qualitatively describes the risk of Information Security, allowing companies to prioritize risks according to their severity and thus ensure business continuity. 

Risk management determines the value of an information asset, identifies the applicable threats and vulnerabilities that exist (or could exist), identifies the existing controls and their effects on the identified risks, determines the potential consequences, and finally prioritizes them.

After this definition, how is it possible to develop a strategy for risk management within a company? What are the main risks associated with Information Security? Also, find out what High Availability and Contingency has to do with risk management and what are their main differences in keeping your system secure.

Keep reading this article and learn how risk management in information security can contribute to your business continuity.

How does Information Security Risk Management work?

Risk management in information security is the process associated with the use of information technology. It involves identifying, assessing, and addressing risks to the confidentiality, integrity, and availability of a company’s assets.

The ultimate goal of this process is to address risks according to a company’s risk tolerance. Companies should not expect to eliminate all risks. Instead, they should seek to identify and achieve an acceptable level of risk for business continuity.

How to develop an Information Security Risk Management strategy?

Managing risks is an ongoing task, and your success will depend on how they are assessed, plans are communicated, and functions are maintained. Identifying the people, processes, and technologies required to help you deal with the steps below will develop a solid foundation for a risk management strategy and program in your company, which can be developed over time.

Identification

This stage is the process of identifying your digital assets that can include a wide variety of information: confidential company information, such as product development and trade secrets; Personal data that can expose employees to cybersecurity risks, such as identity theft regulations. Another example is those companies that handle credit card transactions and need PCI-DSS compliance.

Assessment

This is the process of combining the information you have gathered about assets, vulnerabilities, and controls to define risks. There are many structures and approaches to this.

Treatment

Once a risk has been assessed and analyzed, the company will need to select the risk treatment options. In this scenario, companies can accept the risk or prevent it.

Communication

Regardless of how risk is handled, the decision needs to be communicated within the company. Stakeholders need to understand the costs of whether or not to address risk and the reason behind such a decision. Responsibility and accountability need to be clearly defined and associated with individuals and teams in the company to ensure that the right people are engaged at the right times in the process.

Main risks associated with Information Security

Security risks are inevitable, so the ability to understand and manage risks for systems and data is essential to a company’s success. 

If you are able to address the risks below and respond effectively to security incidents, you can find out how to better resist cyber threats and reduce potential risks in the future.

Privilege Abuse

In most technology environments, the principle of least privilege is not valid. There are many reasons why privileges greater than necessary have been granted to a user.

Granting excessive permissions is problematic for two reasons: approximately 80% of attacks on corporate data are actually performed by active or dismissed employees. Privileges excessively granted or not revoked at the right time make it simple for someone to perform malicious actions.

Third-party Access

A number of third parties, including suppliers, contractors, consultants, and service providers have access to network resources, which allows them to modify, replace, or impact your company’s operational service. This access is considered privileged and needs to be even more protected than the access by an employee.

Companies apply efforts to protect their networks, but forget about third-party access security controls. These controls can protect third-party access to privileged credentials, as well as strengthen security aspects that are normally exploited by attackers to gain access to the corporate network.

Insider Threats

When it comes to data breaches, employees themselves can be one of the biggest risks to an organization. These threats can be: accidental, when personnel is only poorly trained; negligent, when employees try to bypass implemented policies; or malicious (the most dangerous), when an employee is motivated by financial gains, espionage, or revenge.

HA (High Availability) and DR (Disaster Recovery / Contingency) as metrics for Risk Management

Any good system these days must be built to expect the unexpected. No system is perfect and, at some point, something will happen that will cause a system to malfunction (a fire, a hurricane, an earthquake, human error – the list goes on). Since systems can fail in different ways, they need to be designed with the expectation that a failure will occur.

Thus, there are two related, but generally confusing, topics that work on the system architecture that mitigate failures: high availability (HA) and disaster recovery (DR).

High availability simply eliminates single points of failure, and disaster recovery is the process of putting a system back into an operational state when it goes down. In essence, disaster recovery is triggered when high availability fails.

Fundamentally, high availability and disaster recovery have the same goal: to keep systems up and running in an operational state. The main difference is that high availability is designed to deal with problems when a system is running, while disaster recovery must deal with problems after a system failure.

Regardless of a system’s high availability, any system in production, no matter how trivial, needs to have some kind of disaster recovery plan in place. And this should be included in your information security risk management strategy.

According to a report recently published by Kaspersky, the number of users who have experienced some type of cyberattack in the first half of 2020 increased by 20,000%.

Also, the company BBOViz points out that Brazil is the second country that suffers the most threats from ransomware in the world, just behind India.

Alarming statistics show that protecting a corporation’s confidential data goes beyond mandatory legislation, as data leaks can generate financial and reputational losses as great as penalties for breaching data protection laws.

There are several reports from large companies that have been affected by some type of malware, significantly impacting their business goals. Braskem, for example, was affected by ransomware that had a major impact on its financial health, reducing its revenue by about 45%.

Another recent case occurred in a Chilean public bank, which suffered a ransomware attack that forced them to keep all their branches closed for a day and part of the branches for two days, strongly impacting their reputation – both in terms of image and finances.

Even though there are many reports of cyberattacks around the world, there have never been so many solutions to protect a corporation from them, such as the implementation of the principle of least privilege.

What is the principle of least privilege?

The principle of least privilege is one of the bases for information security. Its main goal is to grant users access to environments that are required for them to perform their tasks. In other words, with the principle of least privilege, users do not access environments they do not require, avoiding internal threats, data leaks, and hacker infiltration in critical environments of a company.

Risks of not using the principle of least privilege

By allowing users to have privileged access to environments that are not required, several security holes are opened in a company, such as the release of Windows administrator privileges for employees, which allows them to install any malicious software, with or without malicious intent, or for a hacker to break into a machine and install this malicious software, increasing business risks and the attack surface.

In addition, allowing users to have excessive privilege in cloud environments also leaves the company’s data vulnerable to attacks and internal threats.

How to implement the principle of least privilege 

Through the senhasegura solution, you have several security locks that ensure users access only the environments required by them. Besides monitoring the way the user is performing privileged access, the senhasegura solution registers, records, and notifies those responsible for information security about any malicious activity within the privileged session.

Through this simple practice, they significantly minimize the chances of a cybercriminal accessing sensitive company data and extracting information.

Request a free demo of the senhasegura solution and learn how the principle of least privilege will change your company’s cybersecurity situation.

With the increase in phishing attacks all over the world due to the outbreak of COVID-19, companies are reassessing the efficiency of their information security systems, since the home office opens loopholes for a company’s security and such type of malware.

One of the first steps for you to ensure your company is secure is by protecting user identities so that in the event of a cyberattack on your corporation, the databases containing personal, sensitive, and financial information are protected by a PAM solution.

In addition to preventing leaks of personal data, privacy abuse, loss of reputation, and financial disasters, your company complies with data protection laws, such as the LGPD (General Data Protection Law) and GDPR (General Data Protection Regulation).

Even though it is a fundamental practice for information security, many companies ignore good practices for PAM and do not protect user identities as they should, opening loopholes for information security.

The importance of protecting your user identities

From the use of a PAM solution, all the company’s critical data is protected, since the access to this data needs one of the privileged credentials, also known as user identities.

The only people who must use these identities are those who need to access the environments to perform their tasks, so the number of people with this type of access is limited.

There are reports of hackers being able to steal these user identities through malware, such as phishing.

Typically, the goal of this type of attack is to target someone at the top of a company, such as directors and coordinators, and collect sensitive information from the corporation, such as the high-privilege credential of these people. 

According to Gartner, 95% of these attacks happen via email, which makes it difficult to detect their installation on a machine or network infrastructure, leaving the entire corporation vulnerable.

How to protect your user identities

Some practices are critical to maintaining the security of corporate user identities, such as managing privileged credentials.

Discovering compromised identities quickly is not an easy task, but using a complete PAM solution that detects suspicious actions within the privileged session quickly is the best way to keep your company secure.

Besides recording all actions taken, your PAM solution must notify you in real-time when any suspicious activity occurs, so that the person responsible for managing this can take appropriate measures, allowing a quick response to incidents and reducing operational costs.

In addition, it is important to check the expiration of the digital certificates of your company’s access environments. Being unaware of the expiration of a certification opens many security holes in a company.

The senhasegura solution ensures these and other measures to protect user identities, eliminating every security hole in your company when it comes to PAM.

Request a demo and find out why senhasegura has the best score (4.9/5) among competitors on Gartner Peer-insights.

Due to COVID-19, the attention of CISOs had to be reinforced to plan an efficient information security strategy, and to help in this task, Gartner has published a very interesting report, which pointed out some security trends and risks for information security in 2020.

According to Peter Firstbrook, VP Analyst at Gartner, “The pandemic and the resulting changes in the business world have accelerated the digitization of business processes, endpoint mobility, and the expansion of cloud computing in most organizations.”

As a result, many companies have revised their remote access policies and migrated to cloud systems, increasing productivity and information security risks. Check out the main trends that Gartner has listed:

XDR

Through XDR (External Data Representation) solutions, the detection of threats becomes faster and more accurate in emails, endpoints, servers, networks, etc.

Task Automation

Through automation tools, tasks that are performed repeatedly are done in a faster, scalable way, without errors and risks to a company’s information security.

It is recommended that this automation be done in repetitive tasks so that professionals focus on functions that demand more time and will have a greater impact on the company’s security.

Artificial Intelligence

Through the use of artificial intelligence in your company’s information security, it is possible to protect digital business systems, combine it with packaged security products to enhance security defense capabilities, and prevent the improper use of artificial intelligence by attackers.

Enterprise-level CSOs

With the significant increase in cyber-physical attacks, hiring CSOs is becoming a trend across companies.

In addition to adding to IT security, these professionals also work in OT security, physical security, supply chain security, product management security, etc. This significantly reduces the risks to information security.

Privacy

From the sanction of data protection laws such as LGPD and GDPR, data privacy has become an obligation to be followed, and this affects the entire corporation, which requires collaboration from all areas, such as IT, HR, legal, management, etc.

Digital Security and Trust

The importance of maintaining consumer security at points of contact has become an advantage for companies.

Having a team focused on the administration of all points of contact makes the exchange of information both secure and complete, regardless of the means of contact chosen by the customer, which reduces the risks to information security.

Zero-trust Network Access Technology

Access to environments through VPNs tends to decrease. Through Zero-trust Network Access (ZTNA), companies have greater control over remote access.

ZTNA only communicates with the ZTNA service provider and can only be accessed through the ZTNA provider’s cloud service, which avoids information security risks.