This blog was originally published in Global Banking & Finance Review on 11th January 2022.
Latest figures from Bloomberg’s Pret Index, a weekly indicator of the return to offices, train stations and pre-pandemic shopping habits, reveal that bankers in London are returning to the office at a rate that has outstripped their counterparts in Paris and New York. Spending at Pret a Manger’s stores in the City of London and Canary Wharf surged to 86 percent of pre-pandemic levels last week, the highest since the start of the crisis.
However, many firms are still trying to square the circle of data security with staff who want to work in a more flexible way. Deutsche Bank has said it will let people continue working from home two to three days a week once the coronavirus pandemic is no longer deemed a threat, while UBS Group said at least two-thirds of staff in the investment bank should be able to do some of their work from home.
It’s widely acknowledged that this hybrid working model has been, and continues to be, beneficial for many of us. It also presents a significant data security challenge for financial firms, especially as many turned to cloud-based services to keep employees working during the enforced ‘Work At Home’ order. For many CISOs the scope of these cloud-based services was (and still is) outside their organisation’s visibility. The unintended consequence they now face is heightened risk from cyber criminals looking to exploit an extended, yet largely unprotected, attack surface.
In highly regulated industries, mitigating this expanded attack surface has just clocked ‘critical’ on IT and security teams’ scale of things to address. In October the UK’s Financial Conduct Authority updated its guidance on working from home, warning that it has “powers to visit any location where work is performed, business is carried out and employees are based (including residential addresses) for any regulatory purposes”. The FCA has said that firms must prove they have the necessary systems and controls, including the required IT functionality, and that these systems are robust. They must also be able to show they have considered data, cyber and security risks, particularly as staff may transport confidential material and laptops more frequently under a hybrid arrangement.
You can’t protect what you don’t know
This old(ish) cybersecurity maxim captures one of the biggest problems facing cybersecurity professionals today: how can I defend my organisation from attackers when I no longer know what my cyber estate looks like? To illustrate the point, a recent study found that 30% of CISOs admitted that since March 2020 they have lost track of movers, joiners and leavers, and 29% said they are missing corporate devices. This is a direct result of the enforced work from home order.
The key issue for CISOs and their security teams is simple; you can’t protect what you don’t know is there. If you want to apply effective security controls, knowing what assets you have within your environment is fundamental. It’s far easier to protect things that you know about.
Cybersecurity Asset Management Explained
Cybersecurity is all about IT assets. When companies are hacked, the intrusion comes through their IT assets: networks, hardware, software and the accounts that control them.
Poor asset management practices dramatically increase the chances that threat actors will be able to achieve their objectives, whether that’s to steal sensitive data, disrupt business operations, or otherwise put the organisation at risk. Asset management is essential to being able to address such risks efficiently and consistently.
Cybersecurity asset management is the process of identifying, on a continuous real-time basis, the IT assets that your organisation owns, and the potential security risks or gaps that affect each one. From a cybersecurity perspective, assets are best described as something that must be configured or managed to achieve security outcomes, or something that may be impacted as a result of a cyber incident (usually the things you are trying to protect).
Generally speaking a cybersecurity asset management strategy has four key elements:
- Gathering data from any source that provides detailed information about assets
- Correlating that data to generate a view of every asset and what’s on it
- Continually validating every asset’s adherence to the overall security policy
- Creating automatic, triggered actions whenever an asset deviates from that security policy
Approaching cybersecurity asset management
Because IT resources and security risks come in so many forms, cybersecurity asset management is a process that involves a variety of activities. Hardware, software, virtual infrastructure, information and online accounts must all be considered.
The diversity of asset types and their sheer volume, even in small organisations, can make asset management a challenging task. Here are the key areas that should be addressed, broken down into relatively bite-size tasks:
- Device discovery and protection – identify network endpoints and assess each one for security vulnerabilities; ensure any insecure endpoints are segmented from the rest of the network immediately.
- Vulnerability management – detect and address active vulnerabilities, such as unpatched software running on a device.
- Cloud security – identify all cloud resources, especially those that are vulnerable due to insecure software or lack of access control.
- Continuous policy enforcement – when new devices are added to the network that match a particular device profile with an active policy, they are automatically protected.
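As an added example (not code from the original article or from any vendor it discusses), the script below implements the four elements listed earlier and the task areas just above on constructed data: it gathers records from three assumed sources (an EDR console export, an MDM export and an HR directory), correlates them into one view per asset keyed on serial number, validates each asset against an assumed policy (EDR agent reporting within 14 days, disk encryption, OS patched within 30 days, device owner still an active employee), and maps each deviation to a triggered action. The serial numbers, usernames, thresholds and action names are all made up for illustration; the point it makes that the list alone does not is that the most dangerous findings (a device that has never reported to EDR, a laptop still assigned to a leaver) only appear once the sources are joined.

```python
"""Constructed cybersecurity asset management example: gather, correlate,
validate, trigger. Sample data and policy thresholds are assumptions."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# --- Step 1: gathered data. Constructed exports, not real records. ---------
# Serial number is the join key: hostnames get reused when laptops are
# reimaged, so they are kept only as a label.
EDR_EXPORT = [
    {"serial": "5CG1234ABC", "hostname": "LDN-LT-0412", "last_seen": "2022-01-10", "disk_encrypted": True},
    {"serial": "5CG5678DEF", "hostname": "LDN-LT-0417", "last_seen": "2021-09-30", "disk_encrypted": False},
]
MDM_EXPORT = [
    {"serial": "5CG1234ABC", "owner": "a.smith", "os_patched": "2022-01-05"},
    {"serial": "5CG5678DEF", "owner": "j.doe", "os_patched": "2021-08-01"},
    {"serial": "5CG9999XYZ", "owner": "k.lee", "os_patched": "2022-01-08"},  # never seen by EDR
]
HR_DIRECTORY = {"a.smith": "active", "j.doe": "leaver", "k.lee": "active"}

# Assumed policy thresholds.
MAX_EDR_SILENCE = timedelta(days=14)
MAX_PATCH_AGE = timedelta(days=30)


@dataclass
class Asset:
    serial: str
    hostname: Optional[str] = None
    owner: Optional[str] = None
    edr_last_seen: Optional[date] = None
    disk_encrypted: Optional[bool] = None
    os_patched: Optional[date] = None
    sources: set = field(default_factory=set)


def correlate(edr_rows, mdm_rows) -> dict:
    """Step 2: merge per-source records into one Asset per serial number."""
    assets = {}
    for row in edr_rows:
        a = assets.setdefault(row["serial"], Asset(row["serial"]))
        a.hostname = row["hostname"]
        a.edr_last_seen = date.fromisoformat(row["last_seen"])
        a.disk_encrypted = row["disk_encrypted"]
        a.sources.add("edr")
    for row in mdm_rows:
        a = assets.setdefault(row["serial"], Asset(row["serial"]))
        a.owner = row["owner"]
        a.os_patched = date.fromisoformat(row["os_patched"])
        a.sources.add("mdm")
    return assets


def evaluate(asset: Asset, hr: dict, today: date) -> list:
    """Step 3: validate one asset against policy; return its deviations."""
    findings = []
    if "edr" not in asset.sources:
        findings.append("no_edr_agent")          # unknown to the EDR console at all
    elif today - asset.edr_last_seen > MAX_EDR_SILENCE:
        findings.append("edr_stale")             # agent present but silent
    if asset.disk_encrypted is False:
        findings.append("disk_unencrypted")
    if asset.os_patched is None or today - asset.os_patched > MAX_PATCH_AGE:
        findings.append("patch_overdue")
    if asset.owner is None:
        findings.append("no_owner")
    elif hr.get(asset.owner) != "active":
        findings.append("owner_not_active")      # joiner/mover/leaver drift
    return findings


# Step 4: deviation -> triggered action (assumed names). Quarantine is listed
# first so isolation takes priority over ticketing when both apply.
ACTIONS = {
    "no_edr_agent": "quarantine",
    "edr_stale": "quarantine",
    "owner_not_active": "revoke_access",
    "no_owner": "open_ticket",
    "disk_unencrypted": "open_ticket",
    "patch_overdue": "open_ticket",
}
ACTION_ORDER = ["quarantine", "revoke_access", "open_ticket"]


def trigger(findings: list) -> list:
    wanted = {ACTIONS[f] for f in findings}
    return [a for a in ACTION_ORDER if a in wanted]


def run(today_iso: str, edr=EDR_EXPORT, mdm=MDM_EXPORT, hr=HR_DIRECTORY) -> dict:
    """Steps 1-4 end to end: {serial: {"findings": [...], "actions": [...]}}."""
    today = date.fromisoformat(today_iso)
    report = {}
    for serial, asset in correlate(edr, mdm).items():
        findings = evaluate(asset, hr, today)
        report[serial] = {"findings": findings, "actions": trigger(findings)}
    return report


if __name__ == "__main__":
    for serial, result in run("2022-01-11").items():
        print(serial, result)
```

Run on the constructed data as of 2022-01-11, the first laptop is clean, the second (still assigned to a leaver, unencrypted, silent in EDR since September) is quarantined and has its owner’s access revoked, and the third is quarantined purely because it exists in MDM but has never reported to EDR, a gap neither source shows on its own.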
Whether at work or going about our daily lives, we’re generally drawn to the things that look most exciting. In cybersecurity, threat-hunting or red-teaming sounds, on the face of it, more exciting than asset management. Yet asset management is a critical foundational activity for every security program, including for the teams who spend their days spotting intrusions and fighting malware: a hunt cannot cover hosts nobody knows exist.
For asset management to deliver its full potential, it needs to be automated and easy to implement. Many organisations already have in place some of the automated resource discovery and threat identification tools that can help get things back on track.