Risk (IT) or not risk: this is the dilemma

Typically, risk is associated with the probability that an event, generally an adverse one, will cause damage. This rather vague concept can be translated into IT terms: IT risk is the probability that a threat could affect information systems. While for our own systems the damage may be a computer malfunction, partial loss of data or unauthorized use of our user accounts, for a company the damage takes several forms: reputational damage, physical damage to systems and economic losses. It is therefore clear that trying to contain cyber risk is fundamental for every company, since zero risk is not achievable.

The recent study by Trend Micro, a well-known IT security company, in collaboration with the Ponemon Institute, fits into this context. Its goal is to measure the risk management capacity of companies. The analysis focuses on three geographical macro-areas: America, Europe and Asia. The picture that emerges is not the rosiest, since globally a high level of risk persists (on a scale from -10 to 10, where -10 is the maximum risk for a company).

The CRI (IT Risk Index) calculated by TrendMicro. Credits: TrendMicro

However, it should also be noted that the research is based on interviews with Trend Micro customers and therefore on the subjective assessments of the staff of the companies interviewed. The risk index is calculated from two components: on the one hand, the ability to identify a threat (i.e. being ready to react), and on the other, the ability to respond to an attack while it is in progress. Together, these two measures indicate how prepared a company is for IT risk.

Cyber risk: identifying threats

A determining factor in the management of IT risk is the proactivity with which a company looks for vulnerabilities in its own systems, in order to reduce the attack surface and minimize the impact that a threat could have on the company. The greater the attack surface, the greater the chance that an attacker will be able to breach our systems and therefore damage us.

How can we reduce the attack surface? The simplest thing would be to keep software up to date, so that security patches, containing for example fixes for bugs related to so-called zero-day threats (i.e. previously unknown vulnerabilities for which an attack already exists), are installed on the systems and reduce the likelihood of an attack succeeding. This is one of the weak points in most companies: they often prefer to keep using so-called legacy systems because they work, rather than update them. In manufacturing companies, for example, many robot control systems still rely on Windows XP, whose support ended several years ago.
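The first step in reducing the attack surface described above is knowing which hosts run unsupported software and which are overdue for patching. The following script is an added example, not code from the original article or from Trend Micro: it scores a constructed asset inventory against an assumed end-of-support table (the dates are illustrative and should be checked against the vendor's lifecycle pages) and ranks the hosts that need attention first, weighting internet-facing hosts more heavily. Host names, roles and patch dates are all invented for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Assumed end-of-support dates for this example (verify against vendor lifecycle pages).
END_OF_SUPPORT = {
    "Windows XP": date(2014, 4, 8),
    "Windows 7": date(2020, 1, 14),
    "Windows 10": date(2025, 10, 14),
    "Ubuntu 22.04": date(2027, 6, 1),
}

# A host whose last patch is older than this is flagged as overdue.
PATCH_AGE_LIMIT = timedelta(days=30)


@dataclass
class Host:
    name: str
    os: str
    last_patched: date
    internet_facing: bool
    role: str = "workstation"


@dataclass
class Finding:
    host: str
    score: int
    reasons: list = field(default_factory=list)


def assess_host(host: Host, today: date) -> Finding:
    """Score one host: unsupported OS, stale patching, and exposure multiplier."""
    reasons, score = [], 0
    eol = END_OF_SUPPORT.get(host.os)
    if eol is None:
        reasons.append(f"unknown OS '{host.os}': no support data")
        score += 2
    elif eol <= today:
        reasons.append(f"{host.os} unsupported since {eol.isoformat()}")
        score += 5
    patch_age = today - host.last_patched
    if patch_age > PATCH_AGE_LIMIT:
        reasons.append(f"last patched {patch_age.days} days ago")
        score += 3
    # Exposure does not create risk by itself, but doubles whatever is already there.
    if host.internet_facing and score:
        reasons.append("internet-facing: exposure doubles the score")
        score *= 2
    return Finding(host.name, score, reasons)


def assess_inventory(hosts, today: date):
    """Return only hosts with findings, highest score first."""
    findings = [assess_host(h, today) for h in hosts]
    return sorted((f for f in findings if f.score), key=lambda f: f.score, reverse=True)


# Constructed sample inventory (not real hosts).
SAMPLE_INVENTORY = [
    Host("robot-ctl-01", "Windows XP", date(2013, 12, 1), False, "OT controller"),
    Host("web-01", "Ubuntu 22.04", date(2024, 1, 2), True, "web server"),
    Host("hr-pc-07", "Windows 7", date(2024, 2, 20), False),
    Host("jump-01", "Windows 10", date(2024, 2, 25), True, "bastion"),
]


def sample_report(today: date = date(2024, 3, 1)):
    """Run the assessment over the constructed inventory at a fixed date."""
    return assess_inventory(SAMPLE_INVENTORY, today)


if __name__ == "__main__":
    for f in sample_report():
        print(f"{f.host:14} score={f.score:2}  {'; '.join(f.reasons)}")
```

Run as-is, the report puts the Windows XP robot controller at the top even though it is not internet-facing, which is the point: an unsupported operating system that has not been patched in years outweighs a supported but slightly stale web server. The scoring weights are arbitrary and meant to be tuned to the company's own priorities.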

Managing cyber risk also means being proactive in the event of an attack.

Some might argue that risk can be reduced by disconnecting from the Internet, where most threats circulate, but the fact remains that a completely isolated system is not achievable, so an access point can always be found. By hiding from danger we do not actually become stronger; on the contrary, our level of security could get worse. Trend Micro also highlights the need to streamline the complexity of systems and to improve alignment (of versions, software, and so on) between heterogeneous systems. The first axiom of engineering says, in fact, that the more complex a system is, the harder it is to verify its correctness. Similarly, one of the key principles of security is known as KISS: "Keep it simple, stupid"!

Increase our firepower

The other aspect of the research, as we have already introduced, is the ability to respond when an attack is in progress or has already occurred. Even if the indicator seems trivial, it is worth remembering that companies cannot behave like the hackers we see in movies: there is no single person behind a screen who has the whole infrastructure in hand. Reacting to an attack requires lean and rapid procedures, which allow you to keep track of what is happening but also leave ample room for maneuver in the event of a system compromise.

Unfortunately, these two concepts are difficult to put into practice because business structures are often complex, articulated and hierarchical. The result is a slow reaction: the delay between detecting the attack and making changes to the systems to increase security nullifies the response capacity.

The primary risks for companies

Trend Micro's research actually highlights five areas on which to focus efforts to reduce business risk:

  • risk of digital threats, i.e. the set of attacks to which we are vulnerable (in particular clickjacking, ransomware, phishing and social engineering, and man-in-the-middle attacks);
  • risks related to data, i.e. the ability to anticipate zero-day attacks and contain their effects;
  • risks deriving from human capital, and therefore related to management decisions that affect the capacity and responsiveness of the security division (for example, some companies may consider security more an expense than a real advantage);
  • infrastructural risk, i.e. both the ability to identify the company's strategic assets in order to protect them adequately, and the speed of evolving towards new technologies to support daily operations;
  • finally, operational risk, which is, as we said before, our firepower in case of adverse events and the ability to react promptly.
The types of cyber risks. Credits: TrendMicro

Europe (and Italy) scores a risk factor of -0.13: a high value, but still better than America, which scores -1.07. Only Asia does better than us, with a total of -0.03.

Living with cyber risk

We have said that risk cannot be zero; we can only minimize it. It is necessary to adopt a strategy that allows us to live with it as best we can, trying to remain sufficiently calm. How?

  1. Identify the right countermeasures: those that prove effective and that are bearable for the company both economically and in terms of application. Having a good defense strategy is certainly an important starting point.
  2. Implement those countermeasures! Obvious, right? Often, however, we get lost between theory and practice for various reasons, so the plans must actually be put in place.
  3. Investigate! Verify that what we have budgeted for gives the desired results. Otherwise it would be like having a Ferrari without petrol: when we have to leave, we will find ourselves stationary and without any possibility of intervening.
To reduce IT risk, it is necessary to adopt specific strategies that minimize it.

Trend Micro's work is certainly an important investigation from which to start improving risk management; the rest is up to us!

Article by Nicola Fioranelli

The article Risk (IT) or not risk: this is the dilemma comes from Tech CuE.