Create a better Security Business Plan with a more Concrete Analysis of Risk

by Micro Focus Employee in CyberRes

Often, writing up business proposals for security projects can be tricky because the value can be elusive; however, you can break security investment proposals can into two types:

1) Improve or expand a line of business’s ability to interact with digital consumers more effectively. Or similarly, improve internal business processes or lower costs. These kinds of benefits target the business owner who is typically responsible for revenue targets or expansion. It’s also the team with the largest budgets and the most clout.

2) Reduce risk to the business. While this type of proposal is more straightforward for organizations that already have metrics and thresholds in place, it’s far more common for such guidelines, and thus value, to be vague. While the most referenced risk is compliance to privacy regulations, and the associated risks of not meeting them, beyond that it quickly gets murky. Outside of regulated industries, investment proposals based on risk are usually more challenging to write up and get approval for than those driven by business expansion models. In this blog, I’ll suggest turning to a couple of noteworthy sources of risk metrics that you should be able to extrapolate ant apply to your organization.

The Measurement of Risk

Getting Concrete in Your Security Business Plan with “Least Privilege” .jpgA few months ago, the Ponemon Institute updated one of their annual publications – Cost of a Data Breach Report (CODBR). It’s the latest of a long-time yearly series that has seen costs rise during its 17-year run. While the CODBR has had a few different sponsors over the years, Ponemon publishing independently, recently IBM has been its key backer. This breach cost report is valuable to IT and security teams because Ponemon breaks out their findings by industry (18 of them), geolocation, and combined. This report allows security teams to pull well-profiled data that they can incorporate into their risk model assumptions. It’s a noteworthy companion to Verizon’s annual Data Breach Investigations Report (DBIR) that provides a taxonomy of different types of digital security attacks, as well as an analogy of their tracked frequency. Like the CODBR, Verizon’s analysis is broken down across over a dozen different industries.

While the CODBR does have some information about the costs incurred from most breach attacks, the DBIR provides detail about digital attacks themselves and their use across different industries. Using these two reports together, they can serve as foundational components for security teams assessing their risk as they seek approval for new investment in their digital infrastructure, platforms, and services.

CODBR Highlights

Below are quick callouts of the largest cost trends year over year compared to 2020:

  • Total cost breakout of a data breach
    • Detection and escalation
    • Notification
    • Response
    • Lost business – system downtime, lost customers as well as cost of getting them back or replacing 
  • Industry trends:
    • Healthcare saw the biggest jump in average costs: $7.1M in ‘20 to $9.2M in ‘21
    • Pharmaceuticals breach costs stayed flat
    • Losses in the Energy sector dropped by over 27% 
  • The geographic section offers a full breakout of all 18 industries for 17 countries worldwide.
  • Grouping all results together, money lost by breach type:
    • Business email compromise - $5M
    • Phishing - $4.7M
    • Malicious insider – $4.6M
    • Social engineering – $4.5M
    • Vulnerability in third party software – $4.3M
    • Compromised credentials – $4.4M
    • Physical security compromise – $3.5M
    • Cloud misconfiguration – $3.9M
    • System error – $3.3M 

Since segments across many industries are in the midst of a remote trend, the CODBR offered some breach insight. If you are part of an organization that has over half its workforce remote, it will take on average over two months longer to identify that you have experienced one or many breaches. And in a world where the current pandemic is pushing more workers remote, it’s noteworthy that remote worker access enabled the breach for almost a fifth of all incidents. 

Least Privilege – a security fundamental that pays big

As one of the most effective ways to drive down costs and overall organizational risk is to implement, don’t forget to include aggressive least privilege plans in your proposal. Automating your least privilege posture across all of your sensitive information is one of the most effective ways to drive down exposure. Think of it as security low hanging fruit. Least privilege offers several types of protection:

Reduces attack services: when fewer users have permission to access information, the number of entry points is naturally reduced.

Limits potential damage: the more limited permissions a breached account has, the more restricted unauthorized access will be. This is especially true when you’re able to delegate administrative duties in a way that prevents an outsider from escalating privileges across a wide range of regulated or sensitive data.

Dissuading malicious outsiders: as would-be hackers find fewer entry points and observe restricted permissions for compromised accounts, it quickly turns into a situation where potential opportunity isn’t worth the hacker’s time. According to the 2020 DBIR, 80% of outsider attacks are financially motivated. The harder it is for them to find over-provisioned accounts, the more likely they will move on.

Automating your Least Privilege

As you consider options for automating and extending your least privilege capabilities, remember that CyberRes has multiple access governance and policy management solutions. Here are NetIQ’s main ones:

If Azure is your primary platform, there’s not a more powerful way to leverage its permissions management across all of your systems.

More Information:

Join our Community. Have technical questions about NetIQ Privileged Account Manager? Visit the Privileged Account Manager User Discussion Forum. Keep up with the latest Tips & Info about Privileged Account Manager. Do you have an Idea or Product Enhancement Request about Privileged Account Manager? Submit it in the Privileged Account Manager Idea Exchange. We’d love to hear your thoughts on this blog. Log in or register to comment below.

Labels:

Identity & Access Mgmt
Anonymous