Proactive IT Risk Assessment: Ensuring Data Security
The awareness for IT risk assessments has grown over the past several years with new regulations and agency guidelines. And now, with new SEC cybersecurity reporting requirements, we are starting to see news articles for the very expensive consequences. Take for example, Clorox – reporting that their incident could cost up to $593M, and Okta’s incident wiped out $2B in market cap.
Cybersecurity governmental regulations and agency guidance
Recent cybersecurity regulations and agency guidance have highlighted the need for organizations to ensure an adequate IT asset management (ITAM) practice. Many of these specifically call out managing cloud providers as third-party dependencies in the supply chain. Below is a summary of recent regulations and agency guidance.
The S&P Global Ratings Agency reported this summer that creditworthiness will be impacted if organizations do not have adequate ITAM controls in place. ITAM is a foundational element of cybersecurity and security incidents are expensive and can impact organizations’ bottom lines.
At the end of 2022, the EU passed the Digital Operational Resilience Act which provides regulatory controls for financial institutes to safeguard detect, protect, contain, recover and repair against information and communications technology (ICT) related incidents. Financial institutions and third-party service providers must comply by January 2025. Failure to comply could result in a £10M fine or 5% of annual sales.
The new version of the Network and Information Systems Directive (NIS2 Directive, “NIS2”) came into force on January 16, 2023 and must be applied by October 2024. Failure to comply could result in administrative fines of £10M or 2% of annual sales of the prior year (whichever is higher).
At the end of 2022, all US federal entities were required to create a full inventory of software used to comply with NIST guidelines to improve the nation’s cybersecurity. Since then, some state and local governments have adopted StateRAMP to validate their third-party suppliers’ cybersecurity posture offering products delivered as a cloud service.
In 2021, the Texas Legislature passed Senate Bill 475, requiring the Texas Department of Information Resources (DIR) to establish a state risk and authorization management program that provides for standards of assessing, authorizing and monitoring all cloud computing services that processes data for any state agency. Essentially, any software procured needs to have gone through a standard security assessment review.
In 2021, the FTC also amended its Safeguards Rule for modern technologies to comply with protecting customer information. One of the key elements of this rule is to have a risk assessment, which includes an inventory of what and where customer data is stored, and assessing risks and threats to its security.
ITAM is foundational to cybersecurity
Armed with a deep understanding of application usage, many of our customers have formed deep relationships with their Security Operations (SecOps) counterparts to identify risk. A strong ITAM team, backed by robust tooling can aid cybersecurity initiatives in a multitude of ways, from having confidence of all assets that need securing to helping enforce security policies.
Obtain a holistic inventory of all IT assets
You can’t manage what you can’t see, and according to this article from Security Magazine, having a complete and current inventory is one of the top challenges that keep Chief Information Security Officers (CISOs) up at night.
86% of IT leaders report that business units are under significant stress because they’re unaware of all purchased cloud and SaaS.
Source: Snow Software 2022 IT Priorities Report
Unfortunately, many organizations don’t get accurate inventories because:
- They still rely on spreadsheets and disparate data sources to get an understanding of their assets (even though frequent software updates, technology upgrades and personnel changes outdate those spreadsheets almost as soon as they’re created).
- Cloud technologies are easy for users to try and buy outside of IT’s awareness, especially now that business units and individuals conduct most IT purchasing instead of a centralized IT department.
- Many organizations have independent business units (especially those with histories of M&A) with distributed purchasing and IT asset management teams who aren’t using tools and policies for capturing inventory.
A modern ITAM platform can help you counter all this “shadow IT” by bringing together your IT asset data from end-user devices and applications, datacenter devices and applications, SaaS applications and even applications running in containerized environments.
Identifying shadow SaaS application risks
SaaS software is easy for anyone to try and buy, and it has also contributed to the move of most IT purchasing away from a centralized IT organization to business units and individuals. Though this level of self-sufficiency alleviates some of the burden on IT, it also creates an entirely new set of risks. IT must eventually face these challenges, especially when it comes to SaaS security.
Issues related to SaaS usage include:
- The risk that stems from users setting up weak and easily hackable passwords
- Trouble complying with data privacy regulations such as GDPR and HIPAA
- Software misconfiguration
- Unwieldy access control
- When employees leave the company, not knowing what other subscriptions they were using
To proactively investigate free or licensed SaaS applications used in your environment that are not going through your SSO platform, organizations can invest in a cloud access security broker (CASB) or leverage an IT asset management platform that provides this level of insight via a browser extension. The benefit of using an IT asset management platform is it can normalize software titles and provide additional insights into application redundancies.
Identifying employees using denylisted applications
Most organizations have a “denylist” of applications they don’t want to run in their IT environment. They do their best to limit employee exposure to them and educate their workforce on the risks of such applications. Despite their best efforts, there will always be users who don’t adhere to security policies. Today’s SaaS applications are generally easy to access and deploy, making governance even harder for IT departments.
Fortunately, some ITAM solutions, can report actual usage against denylisted applications, so that teams can point additional security education at specific individuals or departments.
Find assets with software vulnerabilities
PII data leaks are not only a PR nightmare, but also can get organizations out of compliance with industry and governmental regulations. ITAM solutions can collect details of vulnerable applications from the National Vulnerability Database, and compare that to where those applications are currently used. This information is valuable to help busy IT teams prioritize patching or removing the most critical vulnerable applications.
Discovering end-of-life assets
Using end-of-life assets is akin to leaving your windows wide open and your doors unlocked when you aren’t home. With end-of-life applications and devices, there are often known vulnerabilities with no patch available. One of the largest examples of this problem is the WannaCry attack; organizations were still struggling to patch for this vulnerability three years after this attack began.
A robust ITAM solution can scan your environment to reveal:
- IT assets already at end of life
- IT assets reaching end of life within 12 months
- How many devices are impacted
- Where these assets are located
SecOps can use this information to help IT Operations prioritize the most critical assets to remove from the network.
Determine application candidates for single sign-on (SSO)
With usage data for SaaS applications, you can quickly identify applications widely used throughout your organization, and bring them under your SSO platform. Taking this action will improve application security through stronger required passwords and better governance.
Likewise, when employees leave the organization, you’ll have a view of all the applications used to identify where subscriptions need to be canceled, etc.
Enabling your ISO 27001 certification
Having complete visibility of your IT assets, along with understanding of end-of-life, vulnerability and PII risks helps organizations get closer to reaching an ISO 27001 certification and complying with other internal audit policies (e.g. GDPR compliance, etc.).