Assessing Risk: The “How” is Just as Important as the “What”
Insurance underwriters have the difficult job of assessing an organization’s exposure to cyber incidents based on a series of questions and ambiguous (at best) responses. Factor in a threat landscape that changes as rapidly as the technologies built to combat those threats, and it is clear how daunting a task this is. There are tech-enabled solutions that have helped move the ball forward by attempting to “score” an organization’s security posture, but because they look at the organization’s perimeter from the outside, as if through binoculars, they are prone to missing the protections that are actually in place internally. This can result in overlooking impactful internal security controls or, worse, providing a false sense of confidence in how secure or resilient an environment is against cyber-attacks.
While technology can help guide us to better answers, the questions we ask up front are the first line of defense in bringing clarity to an otherwise pixelated view. At MOXFIVE, we break problems down into a set of core questions as a way of contextualizing the responses, which makes the resulting information far more relevant. Below are examples of how MOXFIVE applies this approach to assess an organization’s security risk and its ability to prevent attacks in the age of ransomware.
1. How is your environment architected with security in mind?
For organizations of every size, security can be an afterthought, something to address when it is already too late or as time and budget allow. With the increased focus on remote work, the “inconveniences” of security can lead to controls being relaxed too far in favor of ease of use and access. We must shift our mindset from asking where security exists in the environment to asking how security fits into every aspect of the business. This shift directs us toward determining how security is tied into the IT and business workflows that support core business activities. A few key questions to consider:
How is multifactor authentication (MFA) incorporated into securing remote access?
How is the network segmented to make unauthorized access more difficult to accomplish and easier to track?
How are privileged user accounts managed?
These types of questions lead to a more robust understanding of how capabilities are implemented with security in mind, versus whether they are implemented simply to check a box. Security evolves from a compliance checklist into a true understanding of how the environment is configured and set up when viewed through a security lens. This additional context is the difference between MFA that actually protects the organization (enforced on every remote access path, for every account, with no unprotected fallback) and MFA that was purchased but never implemented in a way that adds value.
2. How is security technology implemented to identify and protect against threats?
Security technology is always changing, with new versions and gimmicks appearing daily. MOXFIVE’s top three areas of focus are endpoint, network, and email. These are the inflection points where many attacks turn from a long night into a significant business disruption. When set up properly, controls in these areas can help prevent, mitigate, or detect threats in an environment. The following questions help uncover the depth of security technology in the environment:
How is endpoint technology leveraged?
How is network technology leveraged?
How is email protected from common attacks?
How is the security stack managed and monitored?
An effective security strategy includes a defense-in-depth approach that covers all three main areas. As a company matures its security program, these responses become more robust, with varying layers of technology and process filling possible holes. Above all else, understanding who is on the hook for monitoring and managing these technologies is critical. Just because tools exist does not mean they are configured, used, or managed properly, and an alert nobody is responsible for reviewing is no better than no alert at all.
3. How is sensitive data protected?
Knowing how to protect sensitive data starts with knowing what sensitive data exists and where it lives, all of it. This varies widely by business, ranging from organizations holding a treasure trove of sensitive data (personal information, health records, financial information, etc.) to those that hold little beyond employee data. Once that baseline is established, you then dive into understanding how the data is protected. Questions to extract this information include:
How do you store or transmit sensitive data?
Where does sensitive data reside (both internal and external)?
How is access to sensitive data restricted?
The key here is that organizations need to first know what data they have, followed by where it exists in their environment and what their users have access to externally (e.g., a third-party web application). While this seems straightforward enough, the information can be difficult to obtain, especially in larger organizations. From there, knowing what controls are in place to prevent unauthorized access or accidental leakage highlights the overall maturity of a security program. These restrictions are often the last to be implemented, as they are the most difficult to get right.
4. How does your current Disaster Recovery / Business Continuity plan address ransomware?
The disaster recovery solutions of the past (and to some extent, the present) were intended to cover common IT outages and natural disasters. They never accounted for ransomware and the impact it has on an environment, where a single intrusion can cripple both the production and the backup environments at the same time. The approach must change to focus on how the disaster recovery plan addresses ransomware specifically and how it protects the backups that recovery depends on. Some key questions include:
How does your disaster recovery and business continuity plan address a ransomware scenario, as opposed to a hardware failure or site outage?
How are local backups protected from unauthorized access?
How are off-site backups implemented?
How are backups, local and off-site, protected against deletion or encryption by an attacker who has already obtained administrative credentials?
How would you meet your target recovery time for an enterprise-wide outage impacting all systems?
Protecting backups is critical to a successful recovery, and understanding how quickly a company can resume operations provides insight into the business interruption costs that could be incurred during an outage. For more information on creating a successful backup and recovery strategy, refer to MOXFIVE’s blog post Backups — Ahh! to Zzz.
Shifting from “What” to “How”
Security is hard. Assessing a security posture can be even more difficult without the right context. Adjusting your approach from a compliance-oriented checklist mindset to a context-based approach that provides insight into the what, the how, and the why will yield better results. Security is not a one-size-fits-all t-shirt, so the questions we ask to assess it should not be cookie-cutter either. Does this add complexity to the underwriting process? Yes. Does this make it harder to scale in the short term? Yes. Is it necessary to deal with the evolving threat landscape? Absolutely. The existing review process has reached the end of the line, producing more unanswered questions than answers. Modifying the approach now, and identifying mechanisms to digest the additional context it produces, is essential to effectively managing risk in the age of ransomware.