Asset risk management: Getting the basics right

In this interview with Help Net Security, Yossi Appleboum, CEO at Sepio, talks about asset risk management challenges for different industries and where it’s heading.

Cyberattacks show no signs of slowing down. What do organizations need to do to boost their asset risk management?

They need to understand what’s in their environment. You can’t do anything to manage risk if you don’t know what assets you have and their associated risk posture. Increased spending on cybersecurity tools is a waste if those tools cannot see every asset in your infrastructure. And, unfortunately, that is where a lot of enterprises fall short. So, the number one thing enterprises need to do is get back to basics and focus on what builds the foundation to robust asset risk management – and that is visibility and understanding of risk.

What are the most common threats plaguing the financial sector, and how can asset visibility mitigate the risks?

The first threat that comes to mind is ransomware. The finance industry, by nature, has access to substantial amounts of money, and disruptions to financial services can have a tremendous impact on society and the economy. These two factors make financial institutions the perfect target for a ransomware attack as the tolerance for downtime is low and the funds needed to pay the ransom are there. Ransomware can get introduced to the environment through IT assets, and asset visibility mitigates the risks by accounting for anomalies that could indicate a possible threat.

Social engineering is another threat faced by the financial sector. The thousands of employees that work for large financial corporations each act as a gateway into the organization through simple methods of manipulation. A bad actor can convince a member of staff to bring in an unwanted asset by means of bribery or blackmail or have them unknowingly do so by enticing them with free handouts. Who can refuse a free iPhone charger? Asset visibility mitigates the risks by accounting for these novel connections, which security teams can subsequently investigate.

What about healthcare institutions? How are they vulnerable, and what must they do to ensure service continuity and avoid data breaches?

Healthcare is vulnerable largely in part to the number of connected medical devices in their environment that are inherently risky. What’s more, the healthcare industry prioritizes the uninterrupted delivery of patient care over cybersecurity, meaning they tend to forgo many cybersecurity measures due to the disruption they cause. However, in the long run this can cause more harm to the patient, should the lack of cybersecurity measures result in a data breach or operational disruptions.

Healthcare should consider implementing stronger zero trust protocols in order to disable unnecessary connectivity between devices. Currently, the industry has been found to have critical medical devices operating on the same network segments as vulnerable IT devices which enhances overall risk. Removing those connections, where possible, can reduce the risk of unwanted disruptions or possible data breaches.

What makes critical infrastructure vulnerable, and how can it improve its security posture?

Critical infrastructure operates both IT and OT. What makes it vulnerable is that these two environments, which were once idiosyncratic, are now converging thanks to the development of the Industrial Internet of Things (IIoT), resulting in cyber physical systems. Naturally, this has expanded the attack surface significantly, exposing mission-critical OT to the same security threats faced by IT. To make matters worse, legacy OT systems were built without cybersecurity in mind.

The zero trust concept serves as a valuable tool in strengthening critical infrastructure’s security posture as it enables enhanced network access control through micro-segmentation and principle of least privilege protocols. Further, should an attack take place, the blast radius is contained thanks to these protocols, thus significantly reducing the impact of attack. However, asset risk management is paramount to an effective zero trust architecture. Understanding asset risk provides the necessary context to ensure proper enforcement of zero trust protocols.

How do you see asset management evolving in the future? Do you see the asset risk factor reaching new heights, and why is this so?

In the world of cybersecurity, asset management is, at its core, the understanding of IT assets in an entity’s environment. That means being able to identify all assets in order to support the cybersecurity strategy. But, what’s a cybersecurity strategy without accounting for risks; more specifically, asset risk. So, yes, the asset risk factor will reach new heights because it is an integral part of asset management and, in turn, cybersecurity.

Asset management will evolve to put greater importance on asset risk, as the identification of assets only gets you so far. For asset management to really support the cybersecurity strategy, the risk factor cannot be ignored; it provides the context needed to execute a robust cybersecurity strategy. Enterprises will find that, in order to secure their environment, the asset risk factor is non-negotiable.