It’s Time to Get Proactive About Risk Reduction
By Marc Gaffan, CEO of IONIX
The first quarter of 2023 is being dominated by a singular theme: rethinking risk. We came into the year facing the most anticipated recession of all time. The Federal Reserve is hiking rates at a furious pace. This is having its intended impact on the economy, particularly on the housing market. “Don’t Fight The Fed” was the rallying cry of Wall Street strategists. Instead, the market took off like a rocket in January. By the end of the month, the Bears were getting weak, and many were giving in. Fear of missing out (“FOMO”) is a powerful thing.
A few weeks later the gains are gone. Investors are again rethinking their strategies for the rest of the year. Are we headed for a rebound or another leg down? What’s the bigger risk, missing the rally or fighting the Fed?
In the technology sector, a seismic change in the nature of risk took place in early March, when the National Cybersecurity Strategy (“NCS”) was released. Its top priority was to “rebalance the responsibility to defend cyberspace by shifting the burden for cybersecurity away from individuals, small businesses, and local governments, and onto the organizations that are most capable and best-positioned to reduce risks for all of us.”
So, what does that mean for practitioners? According to the Strategy, “Shifting liability for software products and services to promote secure development practices.” That’s right. If you develop software or deliver software as a service, you are responsible for its security. This will lead to many changes in software development and application security. It turns out the DevSecOps debate is only getting started.
Another example of rethinking risk is the sudden collapse of Silicon Valley Bank. Is your money safe in the bank? That is the ultimate reevaluation of risk. One anecdote from the weekend of worry drove home how connected, and vulnerable, we are. It was a small business owner who had no banking relationship with Silicon Valley Bank. He would not be able to make payroll. Why? His payroll firm was a client of the bank, and the payroll funds froze. As Tony Dwyer, Canaccord Genuity’s Chief Market Strategist said in a note to investors, “The risk is not in what you can see, it is in what you cannot see.”
When it comes to securing your organization, how should you be thinking about risk right now? What are you not seeing? The first thing to understand is that risk extends far beyond the assets of your organization.
Digital transformation drives growth. It also increases cyber risk. As your organization leverages third-party infrastructure and SaaS apps and becomes more connected, you also become more vulnerable. Their security is now your problem. You are in a similar position to that small business owner and his payroll vendor.
Now is the time to get proactive about risk reduction. One of the most impactful things you can do to reduce risk is to reevaluate your extended attack surface. Here are three proactive things you can do to frustrate threat actors and reduce the risk facing your organization.
- Map external risks that put your organization in danger. Always be ready to answer the question: what assets do we have out there, and what are they connected to or reliant on? Then, if any of these create an attack path, block it.
- Unused and abandoned assets are an attack surface goldmine for cyber attackers. Often these assets have access to sensitive systems and data. It is best practice to remove assets as soon as possible when no longer used or necessary.
- Speaking of best practices, patching your infrastructure remains a missed opportunity. Unpatched software is also one of the simplest vulnerabilities to mitigate.
We are all thinking about risk right now. For those responsible for cybersecurity, the challenges are many. With an understanding of your true extended attack surface, you can take these proactive steps to reduce risk.
About the Author
Marc Gaffan is CEO of IONIX, formerly Cyberpion, the leader in Attack Surface Management. With a focus on building and scaling companies, Marc has led startups to become industry leaders with thousands of worldwide customers. Marc has 20 years of cybersecurity experience, most notably founding Incapsula, growing the company to $100M ARR, and its acquisition by Imperva. Marc can be reached at https://www.linkedin.com/in/marc-gaffan/ or at our company website https://www.ionix.io.