In cybersecurity there is a constant push/pull between maintaining a hardened security posture and allowing for easier and more efficient business processes. It’s a struggle that IT teams – especially those with little to no security training as is the case with many SMBs – face daily. The balance between these opposing priorities can shift depending on the business, the threat landscape, the attack surface, or even the day. But finding the appropriate line between a strong security posture and ease of business continuity and efficiency ultimately comes down to risk management.
Cybersecurity is about mitigating risk; it’s not about eliminating it entirely (which is impossible). So how do decision makers determine their risk threshold? One way to think about it is to use a fairly simple equation: Risk = Threat x Vulnerability x Cost. While reality is a bit too complicated for a simple equation, it’s useful to help businesses think about how to quantify and prioritize risk, and in turn help them find the balance between the need for a secure architecture and the desire to optimize business efficiency.
But before a company can manage its risk, it must understand it. This starts with a data asset assessment to understand what data the company has and where it lives. It’s followed by a business impact analysis to understand the criticality of these assets. Together, these two assessments provide a good framework for figuring out where the “keys to the kingdom” lie.
For example, an online retailer probably has highly critical data such as credit card information and PII on their e-commerce servers. For obvious reasons, protecting these servers and keeping the data out of the hands of hackers is imperative. At the same time, this data is also likely to be a high priority for hackers and a focus of their attacks, so security should win out over ease of access or efficiency here.
However, if this same hypothetical company uses an FTP server to transfer images, this server is a less critical asset with a lower risk of attack, so business efficiency can be prioritized.
Another example of an area where companies should never sacrifice security is access to management ports. With the shift to a hybrid workforce, it’s tempting for IT teams to open management ports to the Internet, making them accessible from anywhere. However, this introduces significant risk. While it’s probably not necessary for organizations to follow the extreme example of NORAD hiding its command center under a mountain, in almost all (if not all) cases, leaving management ports exposed to the Internet is not a risk worth taking. It may be inconvenient to find another solution, but the up-front effort businesses need to make in order to securely adapt to a changing workforce model pales in comparison to the risk of losing millions of dollars and the reputational damage that comes with being hacked.
Patching is another example where infosec professionals will often prioritize security over efficiency. Patching a system may take it down for a short period of time, but critical vulnerabilities being exploited in the wild (like Log4j) should be patched immediately, even at the cost of some business continuity. However, there are times when the vulnerability or the affected software is less critical. In these cases, delaying the patch until the next predetermined, scheduled patching window is acceptable. This is an acceptable risk.
Overall, for security professionals and IT teams who are constantly trying to figure out how to best secure the castle without losing business efficiency, it’s important to have a fundamental understanding of what risk is acceptable and what risk is absolutely not acceptable. Without that understanding, organizations are just guessing about the right balance between policies and practices that protect the business and its key assets and those that make it easier to run.