Wes Withrow, IT GRC Subject Matter Expert
When organizations begin to roll out their IT security initiatives, there’s no shortage of expected and unexpected results. It’s a simple cause-and-effect relationship, but with IT security initiatives, some of the unexpected results tend to surface in unique ways. For example, one organization might begin to tighten up Windows security in their environment only to see a 10x increase in the number of Macs in their environment over a one-year period. They soon understand that it isn’t because most of their staff lost their love for Windows; it is because staff don’t want all of the new IT security tools bogging down their Windows systems.
This article will cover the highlights from the recent TraceSecurity webinar “Reap the Unexpected Results and Benefits of Properly Securing Your Organization against a Cyber Attack.” In the webinar, we give concise real-world examples of the unexpected results and benefits of a risk-based approach to information security management.
Application Whitelisting to Reduce Computer Rebuilds
For those unfamiliar with application whitelisting, you can think of it as a centrally managed IT software tool that prevents employees from installing unapproved software on their systems. When you deploy application whitelisting software, you assume that you’ll see a dramatic decrease in the amount of malware in your environment, but the last thing the IT department assumes is that any new IT security solution will save them a lot of work and money.
One organization that implemented an application whitelisting solution reported a 99% reduction of malware in the enterprise almost immediately. That metric sounds impressive at first, but it received a lukewarm reception from the business because something that you prevented from happening is tough to quantify in financial terms.
It wasn’t until three months after the implementation that the team responsible for rebuilding infected machines noticed a drop in their workload that ultimately resulted in a savings of about $400,000 a year. Why? The very simple answer: they weren’t rebuilding 20 to 30 infected machines a month anymore. For the first time in the company’s history, the financial impact of malware was quantifiable, and the feedback came from an unexpected observation post.
Inventorying of Systems to Reduce Workload
When an organization’s IT infrastructure is sprawling, managing those systems can be a burden. Oftentimes, IT operations don’t keep inventory of the IT assets they support, and an organization can’t protect what it doesn’t know exists. Therefore, one of the inherent benefits of formal IT security initiatives is that you are forced to dig through your IT ecosystem. It’s not uncommon for organizations to find that 20% of their IT assets are unaccounted for, not owned by the company, or not in use and in need of disposal. It’s usually an eye-opening exercise when an organization inventories its IT assets and finds out that its device-to-user ratio is about 3x to 4x higher than it estimated.
Insider Threats Surface Themselves
The assumption in most organizations is that the “naïve user” or “rogue employee” presents the greatest security risk. Today’s IT security initiatives allow us to know what to look for and where to look for weakness. Using security tools, we now conclude that the riskiest flavor of personnel tends to be the brightest, most loyal and technically proficient staff members in the company. They are usually just trying to do their jobs and finding innovative ways to do so.
For example, in the application whitelisting use case mentioned earlier, the organization found that a small group of staff members had figured out how to disable the application whitelisting software on their systems in a way that the vendor didn’t even realize was possible. They eventually were identified by the IT department and received a gentle nudge to shape up, but the organization never assumed some of the riskiest staff were the most technically competent. Needless to say, the vendor also thanked them for finding the weakness.
The “doom and gloom” narrative that dominates the world of IT security today typically involves stories about highly publicized cyber breaches and the rapid expansion of compliance requirements. We won’t see any major shifts in what is newsworthy in the IT security world anytime soon, but we are beginning to hear more positive stories from the boots on the ground. It’s important that companies that have identified successes in their IT security programs insert some balance into today’s narrative by communicating the expected and unexpected benefits that come with the implementation of security initiatives in their environments.