We’re living in a landscape where risks are prolific, diverse, and often unanticipated. Organizations are under immense pressure to implement strong security measures and avoid cyber attacks from highly specialized threat actors looking to capitalize on the smallest oversight.
In this post, we’ll look at some strategies you can leverage to manage these complex risks in an ever-changing digital landscape.
It’s all about context: Zero Trust Security
Historically, organizations have kept their data secure through the use of firewalls and similar on-premises technologies. Everything within the network was considered trusted, while everything outside the network was considered untrusted.
But now, mobile employees, customers, partners, and contractors from around the globe all need to access your organization’s data. Now that your people are the new perimeter, you should treat every user attempting to interact with your system as someone that needs to earn your trust. This Zero Trust approach to security is the foundation for a continual risk mitigation model.
With that in mind, here are 5 strategies to help you continually mitigate risk at your organization.
5 strategies for continuous risk mitigation
Implement Adaptive MFA: Embracing a Zero Trust philosophy means responding to access requests based on the context of each circumstance. Tools like Adaptive Multi-Factor Authentication (MFA) assess a user’s login context on a case-by-case basis, based on criteria such as the device, location, and network from which the login attempt originated. From there, the system makes an informed decision on whether or not to prompt the user for an additional authentication factor. Consider implementing Adaptive MFA to continually assess the risk associated with each user login attempt and enhance security for your organization.
Automatically deprovision former employees: Many IT admins face the frustration of having to manually deprovision employees leaving their organization, or worse yet, never get around to revoking user access at all. These “zombie accounts” serve as a window of opportunity for hackers.
One way to mitigate this risk is to consolidate your directories and give administrators a clear view of who has legitimate access to what accounts. Instead of going through the manual, error-prone process of deprovisioning individual users, invest in automated provisioning and deprovisioning to ensure that users no longer have access to corporate data once they leave.
Find your blind spots: Running reports and analyzing system event data, such as with security incident and event management software (SIEM), can help you detect, confirm, and contain security risks. For instance, if an API call occurs from an unknown IP address or an unknown location, this can be flagged and acted upon immediately.
Train your users on the latest threats: Your employees are your greatest asset but also your greatest risk when it comes to security. Equipping your team with the latest knowledge around how to proactively spot suspicious emails and threats is paramount. Training your employees on how to avoid ransomware, phishing scams, and other threats is a relatively small investment that can save your organization from a massive amount of pain in the future.
Rinse and repeat: This is the “continuous” part. Think of these practices as iterative and always developing. Pay attention to the security landscape, stay up to date with any new system activities, keep testing for anticipated threats, and adapt your policies accordingly.
Support from the top-down (CISO and the rest of the C-suite) is also important for securing the necessary budgets for appropriate hardware and software for your employees.
As you continually adapt your tools and policies, effectively communicating these new policies will help create alignment and reduce siloing and department-specific practices. Scheduling a recurring session or date (like what you might call a fire drill) to refresh these practices and keep them front of mind is also beneficial.
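To make the Adaptive MFA strategy above concrete, here is an added example (not code from this post or from any product) that scores a login attempt on the three criteria named there: device, location, and network. The class names, weights, thresholds, sample data, and the "deny" outcome are all assumptions made for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Profile:            # what is already known about one user
    devices: set
    countries: set
    networks: list        # trusted CIDR ranges, e.g. office or VPN egress

@dataclass
class Attempt:            # context captured for one login attempt
    device_id: str
    country: str
    source_ip: str

# Hypothetical weights and thresholds; tune to your own risk appetite.
WEIGHTS = {"new_device": 40, "unusual_country": 35, "untrusted_network": 25}
STEP_UP_AT, DENY_AT = 25, 100

def risk_signals(profile, attempt):
    """Return the context signals that deviate from the user's profile."""
    signals = []
    if attempt.device_id not in profile.devices:
        signals.append("new_device")
    if attempt.country not in profile.countries:
        signals.append("unusual_country")
    try:
        ip = ip_address(attempt.source_ip)
        trusted = any(ip in ip_network(n) for n in profile.networks)
    except ValueError:    # unparsable address: fail closed, treat as untrusted
        trusted = False
    if not trusted:
        signals.append("untrusted_network")
    return signals

def decide(profile, attempt):
    """Map login context to ('allow' | 'mfa' | 'deny', signals)."""
    signals = risk_signals(profile, attempt)
    score = sum(WEIGHTS[s] for s in signals)
    if score >= DENY_AT:
        return "deny", signals
    return ("mfa" if score >= STEP_UP_AT else "allow"), signals

# Constructed sample data (documentation address ranges, made-up device ids).
ALICE = Profile({"laptop-7f3a"}, {"US"}, ["10.20.0.0/16"])

if __name__ == "__main__":
    for a in (Attempt("laptop-7f3a", "US", "10.20.4.9"),
              Attempt("laptop-7f3a", "US", "203.0.113.50"),
              Attempt("phone-0001", "BR", "198.51.100.7")):
        print(a, "->", decide(ALICE, a))
```

Returning the triggering signals alongside the decision gives you something to log, which feeds directly into the event analysis described under "Find your blind spots."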
Check out our data breach risk assessment checklist for strategic and tactical tips to protect your organization.