Asset risk management: Getting the basics right
In this interview with Help Net Security, Yossi Appleboum, CEO at Sepio, talks about asset risk management challenges for different industries and where it’s heading.
Cyberattacks show no signs of slowing down. What do organizations need to do to boost their asset risk management?
They need to understand what’s in their environment. You can’t do anything to manage risk if you don’t know what assets you have and their associated risk posture. Increased spending on cybersecurity tools is a waste if those tools cannot see every asset in your infrastructure. And, unfortunately, that is where a lot of enterprises fall short. So, the number one thing enterprises need to do is get back to basics and focus on what builds the foundation for robust asset risk management – and that is visibility and understanding of risk.
What are the most common threats plaguing the financial sector, and how can asset visibility mitigate the risks?
The first threat that comes to mind is ransomware. The finance industry, by nature, has access to substantial amounts of money, and disruptions to financial services can have a tremendous impact on society and the economy. These two factors make financial institutions the perfect target for a ransomware attack as the tolerance for downtime is low and the funds needed to pay the ransom are there. Ransomware can get introduced to the environment through IT assets, and asset visibility mitigates the risks by accounting for anomalies that could indicate a possible threat.
Social engineering is another threat faced by the financial sector. The thousands of employees who work for large financial corporations each act as a gateway into the organization through simple methods of manipulation. A bad actor can convince a member of staff to bring in an unwanted asset by means of bribery or blackmail, or have them unknowingly do so by enticing them with free handouts. Who can refuse a free iPhone charger? Asset visibility mitigates the risks by accounting for these novel connections, which security teams can subsequently investigate.