As someone working in IT support, I often get asked whether we should implement certain security measures. However, I feel that answering such questions requires data. For instance, how probable is a specific attack vector? Is a construction firm's risk of exposed ports comparable to that of a software company? What about running phishing tests? Do we really need a Security Information and Event Management (SIEM) system? It seems that these considerations can vary greatly depending on the company or industry. I'm curious about how others gauge these risks—do you use data visualization tools like Grafana, follow industry standards, or rely on frameworks? How do you handle risk assessments in a nuanced environment?
4 Answers
In the past, we gathered everyone involved, wrote down risks on sticky notes, and scored them based on likelihood and potential impact. We then prioritized the highest-scoring risks, searched for mitigation strategies, and weighed the cost versus potential impact. Finally, we'd secure management's approval that they were aware of the risks and decided to accept them rather than pay for mitigation. It's been a while since I did this, but that's the general idea.
One effective approach is to map out all your dependencies. By visualizing how various failures might affect your systems, you can better understand the risks. I actually run a company that offers tools for this; modeling can really clarify the situation. It’s a challenging task, but a solid starting point.
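As an added example (my own code, not from any poster or product in this thread), the sticky-note scoring from the first answer combined with the dependency mapping suggested here: each system's impact counts everything that fails along with it, and the cost-versus-impact step decides accept or mitigate. The systems, ratings and cost figures below are constructed for illustration.

```python
# Constructed dependency map (not real infrastructure): each system lists what it
# depends on, so "web_portal" goes down whenever "auth" or "db" goes down.
DEPENDS_ON = {
    "web_portal": ["auth", "db"],
    "auth": ["db", "ldap"],
    "billing": ["db", "web_portal"],
    "vpn": ["ldap"],
    "db": [],
    "ldap": [],
}
# Constructed 1-5 sticky-note ratings: impact of that system alone being down,
# and likelihood of it failing or being compromised within a year.
IMPACT = {"web_portal": 4, "auth": 3, "billing": 5, "db": 3, "ldap": 2, "vpn": 2}
LIKELIHOOD = {"web_portal": 2, "auth": 2, "billing": 1, "db": 1, "ldap": 3, "vpn": 3}

def blast_radius(system, depends_on=DEPENDS_ON):
    """All systems that fail, directly or transitively, when `system` fails."""
    dependents = {}
    for s, deps in depends_on.items():
        for d in deps:
            dependents.setdefault(d, set()).add(s)
    affected, todo = set(), [system]
    while todo:
        for s in dependents.get(todo.pop(), ()):
            if s not in affected:
                affected.add(s)
                todo.append(s)
    return affected

def risk_score(system, depends_on=DEPENDS_ON, impact=IMPACT, likelihood=LIKELIHOOD):
    """Likelihood times total impact: the system itself plus its whole blast radius."""
    total = impact[system] + sum(impact[s] for s in blast_radius(system, depends_on))
    return likelihood[system] * total

def prioritize(depends_on=DEPENDS_ON, impact=IMPACT, likelihood=LIKELIHOOD):
    """Rank systems highest score first: the order in which to look for mitigations."""
    scores = {s: risk_score(s, depends_on, impact, likelihood) for s in depends_on}
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))

def decision(expected_annual_loss, mitigation_annual_cost):
    """Cost-versus-impact step: mitigate if cheaper than the expected loss, else accept."""
    if mitigation_annual_cost < expected_annual_loss:
        return "mitigate"
    return "accept (needs management sign-off)"

if __name__ == "__main__":
    for system, score in prioritize():
        print(f"{system:<11} score={score:>2}  takes down: {sorted(blast_radius(system))}")
    # Constructed figures: 10% chance per year of a 200k outage vs a 15k/year control.
    print(decision(0.10 * 200_000, 15_000))
```

Note that `ldap` rates only 2 on its own impact yet ranks first once its dependents are counted, which is exactly the kind of surprise the dependency map is meant to surface.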
Consider running tabletop exercises where your team simulates different attack scenarios. My company has conducted these using case studies (with some details modified). It’s important to note that ransomware attackers don’t focus on what your business does; they target system vulnerabilities. Once inside, they steal data and then extort the company based on what they find.
There's no one-size-fits-all answer, but understanding your attack vectors is crucial. Having a layered security approach is essential. One thing I recommend is never letting users have elevated privileges without reason. Remember, anything better than doing nothing is a significant improvement!
Totally agree with that!

Thanks for sharing your approach; it's good to see how others tackle this!