By Madison Iler   /   Jan 19th, 2022

This Year, Resolve to Reduce IT Risk by Cleaning Up the Cybersecurity Skeletons in Your Closet

As we start the new year, many of us are setting personal and professional goals, and your organization may be undertaking similar efforts to plan, prioritize cybersecurity activities, and reduce IT risk. With 2021 data breach costs hitting a 17-year high of $4.24 million, you should leverage every incremental risk reduction technique that fits in your budget.

Consider using this opportunity to set some cybersecurity goals for your organization, especially if you have cybersecurity skeletons in your closet that need attention.

What Are Cybersecurity Skeletons?

What are cybersecurity skeletons? These are the lingering IT risks and vulnerabilities that an organization has identified but not addressed. Often, they are familiar entries in your annual risk assessment results or have become permanent residents on your IT risk tracker. Some may be findings from technical testing or a risk assessment report that was filed rather than acted upon. Others could be known gaps in program development or processes, resulting in ad hoc or inconsistent implementation of security controls. Often these are risks that everyone agrees are important, yet they linger.

How to Reduce Your IT Risk Through Cybersecurity Clean Up

My goal with this blog is to encourage you to dust off those lingering IT risks and take a fresh look at why they matter and what you can do about them. I will look at some common reasons we end up with these cybersecurity skeletons, with examples and tips to help you take action.

  1. Ownership Issues: Lingering risks can occur due to lack of proper ownership assigned to move the solution forward. Here are three ways ownership issues may be inhibiting your progress.
    • Wrong owner: Are your action items assigned to the right people? Staff turnover can leave needed actions abandoned. Or the actions were transferred to their manager, colleague, or replacement, but that person is not aware of the action item or any context around it. I have also seen actions assigned to someone who lacks the needed subject matter expertise. For example, does your organization need an Acceptable Use Policy or better security awareness training? This may be assigned to your HR department. But do they have information on employee guidelines and requirements related to systems, data handling, and threats? Or do they have a clear POC in the IT or security department assigned to provide the relevant content?
      • Recommendation: Review the risk tracker with a good look at assignments and any needed changes. If you are reassigning any, plan an active transition of information and context to the new assignee. Don’t just change the name on the spreadsheet. Also consider expertise, especially for items assigned to roles other than IT and security. In some cases, they may need a subject matter expert as co-owner to move the task forward.
    • Lack of management interest: If you have risks that seem to lack management interest or attention over a long period of time, that may be a clue that you should consider acceptance of the risk. Simply leaving an IT risk unaddressed can indicate the management team considers the risk too small to invest in, either due to low likelihood of occurrence or low potential impact.
      • Recommendation: Take a look at my previous blog for guidance on risk acceptance. It is a valid conversation to have if you are accepting the risk for the right reasons. When considering risks for acceptance, take a fresh look at compensating controls, especially if the risk was identified quite a while ago. Your compensating controls may have improved over time such that either the likelihood or impact of the risk is lower than the original rating.
    • You found it, you fix it: I wrote about this challenge in a recent blog on building a strong security culture. In some organizations, the person who notices or reports the problem is then expected to fix it. Obviously this can dampen staff enthusiasm for bringing up known security risks.
      • Recommendation: Encourage staff to report security concerns. Add the identified gap to a centralized IT risk tracker and then determine what roles are best suited to investigate and implement possible solutions.
  2. Too Big to Tackle: Some skeletons linger because the fix just seems like too big a project. But don’t put action items in this parking lot without careful consideration. Many important security initiatives can be split into bite-sized actions to move you forward and reduce risk. Here are two examples related to access and authentication:
    • Multifactor authentication: You know how important it is, but trying to implement it across the organization may be too much to do all at once.
      • Recommendation: Reduce organizational risk by getting started. Prioritize multifactor authentication for privileged access and high-value applications. Meanwhile, enforce long passwords everywhere else.
    • Access audit: Have you been meaning to audit accounts and access, but never have the time? Many organizations experience access creep over time due to role changes and lack of consistent access management processes. Users with more access than they need can increase the impact of a ransomware or data breach event.
      • Recommendation: Pick a few high-priority areas of manageable scope, perhaps a department that handles PII, or applications that house sensitive or critical data. Set a realistic timeline and target dates to support tracking and accountability.
      • Tip: Don’t forget cloud applications managed by individual departments. They are often left out of standard IT processes for role changes and employee separations. If so, either get them under IT management or provide (and enforce) standard processes for access management. These applications may be a great starting point for your account and access audit.
  3. Solution Challenges: Some lingering IT risks could use a fresh look at the plan in the context of your current environment, staffing, and budget. Get the right SMEs in the conversation to define the problem and evaluate possible solutions. Here are two examples:
    • Change direction: Perhaps the initial recommendation for risks related to logging and monitoring was to stand up a SIEM solution to collect and correlate logs from different endpoints and systems. Sounds great! But that is a big project, especially if you don’t have staff who have done it before, or if your staff has the skills but are fully tasked in day-to-day operations.
      • Recommendation: Consider all options. Maybe outsourcing log collection, correlation, and monitoring would be a faster and more practical way to meet this need in your current environment.
    • Make two plans: The risks of outdated operating systems (OS) and patching gaps are well known, but many organizations have legacy systems (technical debt) that are essential to their operations and cannot easily be updated or replaced. These systems may be viewed as unfixable and left to linger, but even one obsolete OS poses a significant risk to an organization when not replaced with current patched solutions.
      • Recommendation: Tackle this in two ways. First, reduce IT risk in the short term by disabling all unnecessary TCP/UDP ports and isolating the system from the business network onto a secured VLAN to reduce the possibility of compromise. Second, start planning for the needed upgrade or replacement. This may be a significant investment of time and budget, but it needs to get started.
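The access audit described in item 2 can be started with a small, repeatable reconciliation rather than a full-scale project. The script below is an added example, not code from the post or from LMG: it compares a department-managed cloud app's user export against the HR roster and a per-role entitlement baseline, and flags the three findings the post describes (separated employees still holding access, users whose grants outgrew their current role, and accounts HR does not know about). All roster, role and application data are constructed sample values.

```python
"""Added example: reconcile a departmental cloud app's accounts against HR data
to surface access creep and separation gaps. All data below is constructed."""

# Constructed HR roster: employment status and current role per user.
HR_ROSTER = {
    "alice": {"status": "active", "role": "payroll_analyst"},
    "bob":   {"status": "active", "role": "help_desk"},       # moved out of payroll
    "carol": {"status": "separated", "role": "payroll_analyst"},
}

# Constructed baseline: the entitlements each role is expected to hold.
ROLE_BASELINE = {
    "payroll_analyst": {"view_employee_pii", "run_payroll"},
    "help_desk": {"reset_password"},
}

# Constructed export from a payroll SaaS app run by the HR department,
# i.e. one of the cloud apps outside standard IT offboarding processes.
APP_USERS = {
    "alice": {"view_employee_pii", "run_payroll"},
    "bob":   {"reset_password", "view_employee_pii", "run_payroll"},  # access creep
    "carol": {"view_employee_pii"},                                   # separated
    "dave":  {"run_payroll"},                                         # unknown to HR
}


def audit_access(app_users, roster, baseline):
    """Return (user, finding, detail) tuples for follow-up by the app owner."""
    findings = []
    for user, grants in sorted(app_users.items()):
        record = roster.get(user)
        if record is None:
            # No HR record at all: shared, contractor or orphaned account.
            findings.append((user, "no_hr_record", sorted(grants)))
            continue
        if record["status"] != "active":
            # Separation happened but the app was never told.
            findings.append((user, "separated_still_active", sorted(grants)))
            continue
        allowed = baseline.get(record["role"], set())
        excess = grants - allowed
        if excess:
            # Grants carried over from a previous role: access creep.
            findings.append((user, "exceeds_role_baseline", sorted(excess)))
    return findings


if __name__ == "__main__":
    for user, finding, detail in audit_access(APP_USERS, HR_ROSTER, ROLE_BASELINE):
        print(f"{user:6} {finding:24} {detail}")
```

Running the same function against each high-priority app on the agreed timeline gives the tracker a concrete, dated finding list instead of a standing "audit access" line item.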

We hope you found this information helpful, and that it helps you clean up some of your cybersecurity skeletons! If you would like assistance with your cleanup, contact us. Our experienced consultants can work with you to identify cybersecurity risks and plan a path forward to reduce IT risk and improve your organization’s cybersecurity posture.

About the Author

Madison Iler

Madison is LMG’s Chief Strategy Officer. She assesses organizations’ compliance with regulatory requirements such as HIPAA, and assesses the strength of their security program and overall security posture using widely-accepted frameworks such as the NIST Cybersecurity Framework. She previously served as a Senior Network Security Engineer for Lockheed Martin in support of the National Science Foundation, Security Engineer for SecureInfo, and Security Compliance Analyst for Raytheon Technical Services. Prior to moving into IT security, Madison worked in IT operations. She has also worked as a management consultant with McKinsey & Company. Madison earned her BA in Economics from the University of Colorado and her MBA from MIT’s Sloan School of Management. She holds her CISSP and HCISPP security certifications.