Classic IT risk management involves the process of categorizing potential threats and risks, assessing their likelihood of occurrence, and estimating the damage that would result if they are not mitigated. The cost of potential remedial actions and controls is weighed against the potential damage. Remedial measures are worth taking when their cost is lower than the expected damage from the risks and threats they address.
The probabilities of events have always been more of a sometimes vague estimate than the result of a clear mathematical formula. Even with a systematic approach: is the probability of an attack in a given year more like 20 percent or 60 percent? A difficult question, and numerically the answer can make a huge difference to the evaluation. In addition, the following perhaps somewhat uncomfortable questions, topics and consequences of measures often go unnoticed:
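To show how much the likelihood estimate drives the outcome of the classic cost-versus-damage comparison, here is an added example in Python (it is not from the original article). It takes a probability range instead of a single value, computes the annual loss expectancy (ALE) at both ends of the range, and reports whether a control is cost-justified, not justified, or undecidable within that range. The figures (a 500,000 impact, a 20 to 60 percent annual probability, a 200,000 control cost) are constructed for illustration and are not data from the article; the `effectiveness` factor, the share of expected loss a control actually removes, is an assumption added here.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """A threat with an estimated impact and an uncertain annual probability."""
    name: str
    impact: float   # estimated damage per occurrence, in currency units
    p_low: float    # lower bound of the annual probability estimate (0..1)
    p_high: float   # upper bound of the annual probability estimate (0..1)

    def __post_init__(self):
        if not 0.0 <= self.p_low <= self.p_high <= 1.0:
            raise ValueError("probability bounds must satisfy 0 <= p_low <= p_high <= 1")
        if self.impact < 0:
            raise ValueError("impact must be non-negative")

    def ale_range(self):
        """Annual loss expectancy at the low and high end of the estimate."""
        return self.impact * self.p_low, self.impact * self.p_high


def evaluate_control(risk, annual_control_cost, effectiveness=1.0):
    """Compare a control's annual cost with the expected loss it removes.

    effectiveness is the assumed fraction of expected loss the control
    eliminates (1.0 = the threat is fully mitigated).
    """
    if not 0.0 < effectiveness <= 1.0:
        raise ValueError("effectiveness must be in (0, 1]")
    ale_lo, ale_hi = risk.ale_range()
    benefit_lo, benefit_hi = ale_lo * effectiveness, ale_hi * effectiveness
    if annual_control_cost <= benefit_lo:
        verdict = "justified"          # cheaper than the loss even at the low estimate
    elif annual_control_cost > benefit_hi:
        verdict = "not justified"      # more expensive than the loss even at the high estimate
    else:
        verdict = "depends on the probability estimate"
    return {
        "risk": risk.name,
        "ale_range": (ale_lo, ale_hi),
        "benefit_range": (benefit_lo, benefit_hi),
        "control_cost": annual_control_cost,
        "verdict": verdict,
    }


def breakeven_probability(risk, annual_control_cost, effectiveness=1.0):
    """Annual probability above which the control pays for itself."""
    return annual_control_cost / (risk.impact * effectiveness)


def sensitivity(risk, annual_control_cost, steps=5, effectiveness=1.0):
    """Verdict at evenly spaced point estimates across the probability range."""
    rows = []
    for i in range(steps):
        p = risk.p_low + (risk.p_high - risk.p_low) * i / (steps - 1)
        point = Risk(risk.name, risk.impact, p, p)
        rows.append((round(p, 3), evaluate_control(point, annual_control_cost, effectiveness)["verdict"]))
    return rows


if __name__ == "__main__":
    # Constructed figures: a 500,000 loss per incident, 20-60 % per year, 200,000 control cost.
    r = Risk("ransomware via unpatched server", impact=500_000, p_low=0.2, p_high=0.6)
    print(evaluate_control(r, annual_control_cost=200_000))
    print("break-even probability:", breakeven_probability(r, 200_000))
    for p, verdict in sensitivity(r, 200_000):
        print(f"p={p:.2f}: {verdict}")
```

With these figures the ALE lies between 100,000 and 300,000, so a 200,000 control is neither clearly justified nor clearly wasteful: the decision flips at a 40 percent annual probability, exactly the kind of estimate that is rarely known with that precision.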
Proactive security policy
Any risk assessment is a battle between what could happen and doing nothing, especially if it has never happened before. As a result, quite a few people believe that doing nothing is the better option, and those who want to be proactive can be seen as wasting money. If you only want to keep the status quo, you will usually hardly have any problems, because it confirms the previously successful course. Anticipating problems, especially when large amounts are involved, is far more difficult than simply waiting for the damage to occur and then fixing it.
Carry out and complete actions
Many process stakeholders know that controls and remedial actions considered resolved are often not entirely resolved. This applies in particular to patches and backups. Many companies believe they are 99 to 100 percent patched. Practice teaches, however, that there are hardly any companies where the patch status actually reaches these values.
The same applies to backups. Again, practice teaches that most companies don’t do their backups very thoroughly. Although most companies always claim that critical backups are performed and regularly tested, one large ransomware attack is enough to show the reality.
For a test run to ensure that a backup and restore actually works, a test restore of many different systems would have to be performed at once in a separate environment. But this in turn requires a high level of resources, which many IT security teams hardly have at their disposal.
Don’t give up old habits
It’s hard to argue against the saying “we’ve always done it this way”, especially when attacks on certain vulnerabilities have been going on for years. One example is the regular assignment of new and secure passwords: some companies still allow weak passwords and hardly ever require them to be changed.
Tolerating risks of business interruption
Remedial measures against weak points in the network or security controls that the IT security team implements or carries out could disrupt operational processes or, in the worst case, even interrupt operations for a short time. If it were that easy to mitigate IT risk without incurring business interruption risks, everyone would be doing it.
Always one step behind
Companies are almost always fighting a risk that has already happened to others. However, some organizations prefer to wait and see what new tricks hackers have up their sleeves, and then begin remediation and controls to combat these new risks. When companies wait for the hackers’ next move, there is a time lag between discovering the new threat and evaluating the new technology, developing new control measures, and implementing them. One thing is then guaranteed: in a game of waiting, these companies are always behind.
Weighing the risk of employee dissatisfaction
Basically, no IT security manager wants to annoy the employees of his company. However, with maximum control, such as monitoring or blocking certain Internet access or restricting what the employee is allowed to do on his computer, he will certainly do so.
The demand for such controls is no coincidence, because it is precisely the users who are responsible for around 70 to 90 percent of all malicious data breaches, through phishing and social engineering. But even the mere mention of restrictions on employees is met with rejection. Good skilled workers are in great demand on the labor market, so every company fights for qualified employees, who do not want to be told what they can and cannot do on “their computer”.
Political Risks
Proactive IT security measures can also carry a so-called political risk. Every time proactive measures are advocated against something that has never happened, the protagonists lose a little of their political capital. In principle, they only win if the emergency they campaigned against ultimately occurs. If they are successful and convince the company to put controls and remedial measures in place so that the bad never happens, then it never happens, and nothing visible remains to show that the measures were worth it.