From the course: IT and Cybersecurity Risk Management Essential Training
IT risk management in large companies
- [Presenter] Rather than a lack of resources or low sophistication, the biggest challenge for IT risk management in large companies is complexity. The larger the organization, the more complex it is. Even the simplest things, when done on a large scale, become very difficult. Just collecting and understanding the data that you need to measure IT risk can require enormous amounts of time and effort. One barrier to understanding is that you often need to use statistics and other quantitative methods to make sense of that much data. And then, once you've figured out which IT risks need to be treated, you have to find a scalable way to implement the treatment. For example, in a large organization, it may not be possible to avoid certain IT risks, especially if much of the decision-making is distributed across the company. If you have 200 local offices around the world and each local office manager can make their own decisions about which technologies to use, how can you be sure that they'll all avoid the same IT risk all the time? And if you need to control a risk because you can't avoid it, how can you get consistency in the collective decision-making? Even if you have centralized IT across all 200 of your offices, deploying and monitoring controls depends a lot on things you don't have very much control over, such as the speed and performance of the open internet between each office. And what should your controls be anyway? Remember, at scale, even the simplest controls can be very difficult to implement and maintain, and there are always exception requests that need to be considered and managed. My biggest piece of advice when doing IT risk management on a large scale is to keep your methods as simple as possible and choose tools that are known to scale. That's easy for me to say, but I know it's surprisingly difficult to do.
One reason is that the vendors of enterprise tools tend to sell very sophisticated solutions that are designed as much by the need to differentiate them from their competitors and justify high prices as they are for actually solving the problems that IT risk managers are facing. And the problems are generally complicated, so I don't want to trivialize that reality. Now let's consider the IT risks related to phishing at a large organization. Because a risk materializes when a threat exploits a vulnerability and then harms an asset, a phishing attack has multiple risks associated with it. A successful phishing attack could result in an account takeover, stolen money, or a malicious code infestation. The assets are the user accounts, the money, and the IT services that malware could eventually interrupt. For now, let's just focus on account takeover. Is it a big deal at your organization? That is to say, can we just accept this risk and turn our attention to bigger and more interesting IT risks? Because data gathering on a large scale is so time-consuming, we'll use the Verizon Data Breach Investigations Report as a proxy source of data in order for us to answer this question. Let's say your organization generates and distributes electricity. The 2021 DBIR says that account credentials were the most commonly stolen asset through phishing attacks, at 94%. And phishing itself is the dominant attack pattern associated with confirmed security breaches 86% of the time. So it's definitely an IT risk worth treating. Right, can we avoid this risk? Not unless you can turn off your email system, and that seems unlikely. Can we control this risk? Probably, but that may be expensive and it will change the way people work at the desk level. Is that really the best option we have? How about doing nothing and just accepting this risk?
Well, we considered that option already and decided, based on the data, that it's too big of a problem for our industry, and that makes it unreasonable for us to ignore. Maybe we can transfer this risk. Well, not easily. Most cyber insurance companies now require policyholders to have multifactor authentication, or MFA, turned on in order to even qualify to purchase a policy at any price. So we're back to controlling this IT risk. My professional experience and judgment tell me that there are many ways to control it. And it turns out that multifactor authentication is an effective way to control the risk of account takeover due to a phishing attack. Here's how I presented this IT risk decision to the asset owner at this public utility of about 2,000 people. After getting the support of the chief information officer, who was the asset custodian (and, by the way, a custodian is someone who takes care of an asset on behalf of its owner), I approached the chief operating officer and said we needed to protect all our online accounts against hostile takeover by cyber criminals who were using phishing attacks. And I told them that the attackers steal our credentials. And when they do, it opens a door to a number of serious business risks, like a long company shutdown due to ransomware. And the frequency of attack for a utility like ours makes the urgency very high. Notice I didn't talk about the potential for millions of dollars in fraudulent money transfers and data breaches, because the impact to his metrics wouldn't be as great. Once we got approval, we did the rollout of MFA in phases, and we did it through the supervisors. Our anti-phishing systems told us who was most commonly targeted by phishing attacks. And it turned out to be the senior decision-makers, as well as several members of the finance team. So we started with them.
It's crucial to roll out a desk-level change like MFA through line management, because a supervisor carries the most credibility with the individuals who are being asked to change the way they work. It took four months to get almost everyone enrolled in multifactor authentication, and we still had a few stragglers for various reasons that took even longer to resolve.
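The rollout approach the presenter describes (rank accounts by how often the anti-phishing system sees them targeted, enroll the most-targeted first, hand each wave to the users' own supervisors, and track stragglers until coverage is complete) can be turned into a small planning script. The following is an added example, not code from the course; the directory, the phishing alert counts and the user names are all constructed for illustration.

```python
"""Phased MFA rollout planner driven by anti-phishing telemetry.

Added example, not from the course. All names and counts below are
constructed; a real run would read the directory from HR/IdP exports and
the alerts from the mail filter's reporting API.
"""
from collections import Counter, defaultdict

# Constructed directory: user -> (supervisor, department).
DIRECTORY = {
    "ceo": ("board", "exec"),
    "coo": ("ceo", "exec"),
    "cfo": ("coo", "finance"),
    "controller": ("cfo", "finance"),
    "ap_clerk": ("controller", "finance"),
    "helpdesk": ("it_mgr", "it"),
    "lineman1": ("ops_super", "operations"),
    "lineman2": ("ops_super", "operations"),
}

# Constructed anti-phishing telemetry: one entry per phishing message the
# mail filter caught or a user reported, keyed by the targeted recipient.
PHISHING_ALERTS = (
    ["cfo"] * 6 + ["ap_clerk"] * 5 + ["ceo"] * 4
    + ["controller"] * 3 + ["coo"] * 2 + ["helpdesk"]
)


def targeting_counts(alerts):
    """How often each recipient was targeted: the 'who is attacked most' signal."""
    return Counter(alerts)


def rank_users(alerts, directory):
    """Every account in the directory, most-targeted first, ties broken by name.

    Untargeted users still appear, at the end: the goal is full enrollment,
    not just protecting today's targets.
    """
    counts = targeting_counts(alerts)
    return sorted(directory, key=lambda user: (-counts[user], user))


def plan_phases(ranked, phase_size):
    """Cut the ranked list into rollout waves of at most phase_size accounts."""
    return [ranked[i:i + phase_size] for i in range(0, len(ranked), phase_size)]


def by_supervisor(phase, directory):
    """Group one wave by line manager, since the supervisor delivers the change."""
    groups = defaultdict(list)
    for user in phase:
        groups[directory[user][0]].append(user)
    return dict(groups)


def coverage(directory, enrolled):
    """Fraction of accounts enrolled in MFA, plus the stragglers still to chase."""
    stragglers = sorted(user for user in directory if user not in enrolled)
    return 1 - len(stragglers) / len(directory), stragglers


if __name__ == "__main__":
    ranked = rank_users(PHISHING_ALERTS, DIRECTORY)
    for number, wave in enumerate(plan_phases(ranked, 3), start=1):
        print(f"phase {number}: {by_supervisor(wave, DIRECTORY)}")
    fraction, left = coverage(DIRECTORY, {"cfo", "ap_clerk", "ceo"})
    print(f"enrolled {fraction:.0%}, stragglers: {left}")
```

With the constructed data the first wave is the CFO, the accounts-payable clerk and the CEO, each handed to a different supervisor, which matches the transcript's observation that senior decision-makers and finance staff draw the most phishing. The `coverage` function is what you would report back to the asset owner each phase until the straggler list is empty.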