A recent surge in ransomware attacks against critical infrastructure suggests a trend in cybercrime for the year. Groups of bad actors are targeting countries’ essential goods and services (oil, food production, etc.) because their criticality to daily life creates a more urgent requirement to pay the ransom, showcasing vulnerabilities for corporations, governments, and civil society groups. As of early June, we’ve seen two more attacks following this pattern, raising concerns about how organizations can be proactive in protecting their information from future attacks. One solution is implementing a good IT risk management strategy.
To learn more about how Good IT Asset and Risk Management Can Protect You from Ransomware, register for the webinar here.
Why IT Asset Management?
Cybercrime is on the rise (300% increase in reported crimes since 2019), and so is the cost of cyber-related attacks, such as ransomware. In 2020, the average ransomware payment was $111,605 (a 33% increase from Q4 2019). The alarming escalation of attacks has sparked the prioritization of IT & security risk management for executive leadership globally. With ransomware being a critical cyber threat often caused by a lack of proper system maintenance or human error, it’s vital to analyze attack-related failures to extract learning opportunities. One recent learning opportunity is the highly publicized Colonial Pipeline attack.
The Colonial Pipeline CEO recently testified before the U.S. Senate Homeland Security and Governmental Affairs Committee, disclosing that the attackers initially accessed the IT network via an unmanaged legacy VPN. This event showcases the connection between a well-managed IT asset inventory and effective risk mitigation. Companies must improve and mature their IT asset & risk management practices to ensure they have appropriate controls and processes in place to track and manage IT assets throughout their lifecycle.
Register for our webinar to learn how to use the colonial pipeline hack as a case study for good IT Asset and Risk Management.
Implementing a strong IT Risk Management strategy
As is highlighted, the presence of human error in IT risk management can make or break your security posture. Getting the right components and processes in place to mitigate risks and manage your IT assets is key in establishing a strong risk management strategy. To start, look at implementing any of the below:
- Policies: Starts with understanding and implementing enterprise policy with proper and frequent reviews in place. Without proper review, attestation, and enforcement, policies live in a vacuum and become outdated documents of dos and don’ts.
- Controls: A good policy links out to controls, which if implemented correctly will help prevent, detect, or mitigate risks on a more focused and granular level than policies. Good controls are finite, testable, and repeatable. Having an independent internal audit function is critical in providing assurance that the control objectives outlined in policies are operating effectively.
- Standards: Standards support control objectives, which support policies. Controls are generally mapped to standards, which are requirements and best practices from various authoritative sources (NIST, ISO, PCI, etc.)
Implementing any three of the above, even if done individually without direct relationships between them, opens your organization to vulnerability in managing IT Risk.
IT risk considerations for managing third-party risk
Effective IT Risk Management is a vital internal priority in the wake of rising ransomware attacks, but how can you ensure that it’s being prioritized by your vendors as well? It’s important to enable your security team to have insight into your internal and external assets, making third-party risk management consideration another critical step in operationalizing an effective ITRM strategy. Here are four suggestions from Deloitte published in the Wall Street Journal:
- Establish a Third-Party Assurance Steering Committee.
- Institute a gatekeeper in the contracting process to ensure SOC obligations are met.
- Align Third Party Assurance with other risk and compliance efforts.
- Use SOC 2+ reports when possible.
How can OneTrust help?
OneTrust GRC provides a platform to manage IT & Security risk holistically. OneTrust GRC Policy Management helps you manage the policy lifecycle, enabling you to map related controls to policies. You can then perform risk assessments and control self-assessments in OneTrust IT & Security Risk Management and perform audits in OneTrust Audit Management to ensure controls are operating effectively. OneTrust Vendorpedia streamlines the vendor screening and onboarding process, enabling you to pinpoint and reduce risks over time with automated workflows and continual monitoring. Having a central platform for all these products supports the attainment of an integrated risk management approach.
To learn more, about how Good IT Asset and Risk Management Can Protect You from Ransomware, register for the webinar here.
