By Ian Jennings, co-founder of BlueFort Security
For IT security teams working in the financial services sector, the FCA’s recent statement on remote and hybrid working expectations will no doubt be front of mind as we move into a less than certain 2022. Warning that it has “powers to visit any location where work is performed, business is carried out and employees are based (including residential addresses) for any regulatory purposes,” this update reaffirms that the FCA will require strict provisions for organisations adopting a permanent hybrid working model.
The challenge for these teams will be helping their firms prove that any arrangements they have taken to facilitate hybrid working do not increase the risk of financial crime, damage the integrity of the market, reduce competition or cause detriment to consumers. This includes key considerations around data and cybersecurity risks – particularly in the context of staff transporting confidential data and devices more frequently in a hybrid working manner. The outlook is anything but certain and the FCA has made it clear that these expectations, “will evolve as more is understood about how firms intend to operate”.
2022 – A Year of Discovery
For most firms, there are still no guarantees as to what long-term working practices will look like. With uncertainty over the Omicron variant and influential bodies such as the London School of Hygiene and Tropical Medicine suggesting further surges are possible in 2022, there is a very real possibility that home working may be enforced once again. Even looking to a time beyond the pandemic, it’s safe to say that office-only working is a thing of the past. The hybrid working train has well and truly left the station.
To enable this shift – first to remote and then to hybrid working – companies turned to cloud-based technology. While successful, it has since become clear to many chief information security officers (CISOs) that the scope of these cloud-based services now goes beyond their organisation’s visibility and control.
Indeed, a recent study of 600 CISOs from a range of UK organisations revealed three quarters of respondents believe their organisation is at greater risk of a successful cybersecurity attack due to remote working. What’s more, around a third have lost track of movers, joiners, leavers, and corporate devices. Even pre-pandemic, with most employees working within the four walls of the office, many CISOs admitted they had up to a third of their user accounts from Active Directory and other systems unaccounted for – the result of IT and HR systems not communicating effectively and limited centralised systems.
These CISOs are now facing the increasing complexity of user and device sprawl. And so, while the problem of movers and joiners isn’t a new one, it has morphed into something altogether more challenging. The key objective for CISOs and their teams in 2022 will be discovery. You can’t protect what you don’t know is there, so to address the challenge effectively means identifying exactly what assets exist within your organisation’s environment.
What is Cyber Asset Management?
In finance, the goal of asset management is typically to maximize the value of investment assets while maintaining an acceptable level of risk. For CISOs and security teams the objective is somewhat similar. And while security teams are not focused on stocks and bonds, the assets they are focused on are often equally as valuable. Maximising the value of these assets – from intellectual property to customer data – means ensuring they are protected against cyber threats. From a cybersecurity perspective, assets are best described as two things:
- Assets that must be configured or managed to achieve security outcomes. For IT assets, IT Service Management standards (e.g. ITIL v4 and ISO 20000) refer to this type of asset as Configuration Items.
- Assets that may be impacted as a result of a cyber incident. These are often the things you are trying to protect.
For security teams, each asset within the organisation has an acceptable level of risk, based on factors such as confidentiality and the impact and consequences of unauthorised access. For high risk assets, such as customer financial details, a breach of the data could result in severe legal or financial risk to the organisation. Assets are classed as lower risk when unauthorised access would have a limited impact, either by virtue of the data loss itself or because the operational service associated with that asset would experience limited or no interruption.
From a cybersecurity perspective, asset management is the ongoing process of identifying IT assets within the organisation and the potential security risks or gaps affecting each one. As such, identifying the assets and associated risks is just the first step in securing the organisation. You cannot protect what you cannot see; without clear visibility it is impossible to correctly document, assess and prioritise assets – based on acceptable risk levels – and implement effective measures to secure them.
Having an accurate, up-to-date, inventory of IT assets provides the visibility needed to build a comprehensive security strategy that mitigates threats quickly and proactively. If an attack does occur, cybersecurity asset management ensures the security team has an inventory of assets and risks that it can use to gain context on what went wrong and when.
Start small
The diversity of asset types and their sheer volume, even in small organisations, can make asset management a challenging – if not daunting task.
Both assets and risks come in many forms and so the process of asset management involves a range of activities. These must consider hardware, software, virtual infrastructure, data, and online accounts. Like any multi-layered challenge, the most effective route to success is starting small. Key first steps include:
- Device discovery and protection – identifying and assessing network endpoints for security vulnerabilities; ensuring any insecure endpoints are segmented from the rest of the network immediately.
- Vulnerability management – detecting and addressing active vulnerabilities, such as devices running unpatched software.
- Cloud security – identifying all cloud resources, especially those that are vulnerable due to insecure software or lack of access control.
- Continuous policy enforcement – automatically protecting new devices as they are added to the network if they match a particular device profile with an active policy.
In an unpredictable business environment where employees are likely to continue working remotely for some – if not all – of the time, it’s vital to ensure these key steps have been taken. CISOs and their security teams have had a lot to deal with over the last two years – simply keeping the lights on and the business working has amounted to a significant operation for some firms. But now, with uncertainty virtually the only certainty, organisations must ensure they are not putting themselves at unnecessary risk. Cyber asset management – and particularly asset discovery – will play a crucial role in risk mitigation in 2022.
