A Heightened Risk of Digital Exposure: The Cyber Long Tail of Covid

Life is beginning to return to some kind of normal for many of us. But for IT and cybersecurity teams things could get worse before they get better. The long tail of Covid for many is that they have lost visibility of users, data, services and applications. 

During the past 20 months, many companies turned to cloud-based services to enable their employees to continue working when the office shutters had to come down. Unfortunately for many CISOs the scope of these cloud-based services was (and still is) outside of their organisation’s visibility. The unintended consequence they now face is one of heightened risk from cyber criminals looking to exploit an extended, yet unprotected, threat surface.

A recent study found that 30% of CISOs admitted that since March 2020 they’ve lost track of movers, joiners and leavers, and 29% stated they are missing corporate devices. This is a direct result of the enforced work from home order. However, even before that time many CISOs who responded to the survey admitted they had up to 30% of their user accounts from Active Directory and other systems unaccounted for – with incomplete records or uncontactable individuals – as a consequence of IT and HR systems not communicating effectively and limited centralised systems. 

As security teams scramble to work out what they’ve got, where it is, and who’s got access to it, IT discovery has become their number one priority. This is particularly pressing for regulated industries. The UK’s Financial Conduct Authority recently warned that it has “powers to visit any location where work is performed, business is carried out and employees are based (including residential addresses) for any regulatory purposes”. This update comes as staff across the financial services sector move to a hybrid working model. The FCA has said firms will now need to prove that remote working arrangements don’t increase the risk of financial crime or hurt competition.

The key issue for CISOs and their security teams is simple: you can’t protect what you don’t know is there. If you want to apply effective security controls, knowing what assets you have within your environment is fundamental. It’s far easier to protect things that you know about. 

What’s an Asset?

According to the Collins dictionary, an asset is “something or someone that is considered useful or helps a person or organisation to be successful.” From an organisation’s perspective this could be intellectual property, customer data, or, if your employer is The Coca-Cola Company, the trusted recipe for the one of the world’s best-selling fizzy drinks.

Cybersecurity asset management is the process of identifying, on a continuous, real-time basis, the IT assets that your organisation owns and the potential security risks or gaps that affect each one.

From a cybersecurity perspective, assets are best described as two things:

1. Assets that must be configured or managed to achieve security outcomes. For IT assets, IT Service Management standards (e.g., ITIL v4 and ISO 20000) refer to this type of asset as Configuration Items.
2. Assets that may be impacted as a result of a cyber incident. These are often the things you are trying to protect.

The importance of Asset Identification and Management

Sir Frances Bacon came up with the phrase “knowledge is power” in 1597, and it’s true today as it was all those centuries ago. Having an accurate, up-to-date, inventory of IT assets provides the visibility needed to build a comprehensive security strategy that mitigates threats quickly and proactively.  If an attack does occur, cybersecurity asset management provides the security team with an inventory of assets and risks that it can use to gain context on what went wrong and when.

Cybersecurity Asset Management – Where to Start?

Because IT resources and security risks come in so many forms, cybersecurity asset management is a process that involves a variety of activities. Hardware, software, virtual infrastructure, information, and online accounts must all be considered. 

The diversity of asset types and their sheer volume, even in small organisations, can make asset management a challenging task. Desmond Tutu once said that “there is only one way to eat an elephant: a bite at a time.” What he meant is that everything in life that seems daunting, overwhelming, and even impossible can be accomplished gradually by taking on just a little at a time. From first-hand experience these are wise words indeed and definitely applicable to the task of cybersecurity asset management. 

Here are the key areas that should be addressed, broken down into relatively bite-size tasks:

• Device discovery and protection – identify network endpoints and assess each one for security vulnerabilities; ensure any insecure endpoints are segmented from the rest of the network immediately.
• Vulnerability management – detect and address active vulnerabilities, such as unpatched software running on a device.
• Cloud security – identify all cloud resources, especially those that are vulnerable due to insecure software or lack of access control.
• Continuous policy enforcement – when new devices are added to the network that match a particular device profile with an active policy, they are automatically protected.

CISOs who have an active cybersecurity asset management program in place will no doubt feel more at ease than those who don’t. But given the recent upheavals we’ve all been through it’s understandable that some IT and security teams will have had their attention focused elsewhere and taken their eye off the proverbial IT asset management ball. 

However, It’s not all doom and gloom. Many organisations already have in place some of the automated resource discovery and threat identification tools that can help get things back on track. And get back on track they must, because any organisation that relies on software and hardware to power its operations – which virtually every business does today – is putting themselves at risk if they don’t.