Have you ever watched a video on lock picking? I’ve recently found the “Lock Picking Lawyer” on YouTube. He has the most professional speaking tone and great knowledge of the esoteric art of lock picking. Each time he confidently picks a lock, he points out that the chain, or a link in it, is always the weakest point. It’s not just about opening the lock; it’s also about knowing how to read the security signals a lock provides. Examples:
- When a lock is visible, it means that the item, in this case a bicycle, can’t easily be taken
- More expensive locks don’t necessarily mean your bike is safer
- Think about where the item is, and don’t leave it there for too long: the risk increases with time.
- Locks are more effective if combined with other security measures, like surveillance.
This all came to mind as I was exchanging emails with one of our stellar Directors of Systems Engineering. He said he was working with a healthcare organization and they wanted to focus on visibility. Trust me, visibility is the foundation of any great security program. It is also crucial when evaluating risk. But it cannot be the only security measure.
There are lots of insurance companies out there evaluating risk. Webster’s defines “risk” as the possibility that something bad or unpleasant (such as an injury or a loss) will happen.
Think about that…the possibility. You can even put it into an equation:
RISK = (Probability) x (Impact)
How to assess Probability:
- What type of asset are you protecting?
- What vulnerabilities does this asset have?
- What kind of access to the asset is possible?
Answering those questions makes the probability side of the equation concrete. Now the Impact side:
- What happens if this asset is lost or no longer functional?
- How long would it take to recover?
- Are there penalties from a regulatory body on top of the loss and recovery costs?
- What would happen to your organization’s brand based on this loss/compromise?
Working through both sides means you don’t just know that the asset exists; you understand its risk, and that is what determines the proper set of security measures. In the case of the healthcare provider who only wanted visibility into their assets, that’s a great start, but the next step is to limit access to those assets, which reduces the probability.
The same logic applies to a recent case in which an infusion pump manufacturer identified two new vulnerabilities in hardware already deployed in the field. This is life-saving equipment, vital for proper patient care. If the system is compromised, it may cost lives.
Knowing how many devices exist on your network is important, but making sure they’re properly protected is key. Enforcing access control with proper segmentation will dramatically improve your corporate risk profile. Segmentation doesn’t change the impact of losing a pump, but it cuts the probability: fewer systems can reach the device, so a vulnerability in it is harder to get at, and that matters for medical devices that often can’t be patched quickly.
Visibility needs to lead to action, or probability turns into fact.
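To make the arithmetic concrete, here is the post’s RISK = (Probability) x (Impact) carried through for a small hospital inventory and then recomputed after the segmentation step recommended above. This is an added example, not code from the original post: the 1-to-5 scoring scale, the averaging of factors, and the three sample assets with their scores are my assumptions, not anything the post specifies.

```python
"""Added example (not from the original post): the post's RISK = Probability x Impact
carried through for a small asset inventory, then recomputed after the
segmentation step the post recommends.

Assumptions (mine, not the post's): every factor is scored 1 (low) to 5 (high),
probability and impact are simple averages of their factors, and the three
assets and their scores are constructed sample data for a hospital network.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Asset:
    name: str
    known_vulns: int         # unpatched vulnerabilities known for this asset
    exposure: int            # access: 1 = isolated segment, 5 = reachable from anywhere
    criticality: int         # what happens if it is lost: 5 = patient safety
    recovery_days: float     # how long rebuilding or replacing it takes
    regulatory_penalty: int  # fines or reporting duties on top of the loss (1..5)
    brand_damage: int        # reputational fallout (1..5)


def vuln_score(known_vulns: int) -> int:
    """Cap the vulnerability count on the 1..5 scale. Zero known vulns still
    scores 1: an asset is never risk-free, only un-researched."""
    return max(1, min(known_vulns, 5))


def recovery_score(days: float) -> int:
    """Map recovery time onto 1..5 (under a day = 1, a month or more = 5)."""
    for limit, score in ((1, 1), (3, 2), (7, 3), (30, 4)):
        if days < limit:
            return score
    return 5


def probability(a: Asset) -> float:
    """The post's probability questions: what vulnerabilities, what access.
    Ranges from 0.2 (one point each) to 1.0 (five points each)."""
    return (vuln_score(a.known_vulns) + a.exposure) / 10


def impact(a: Asset) -> float:
    """The post's impact questions: loss, recovery time, regulator, brand.
    Ranges from 1.0 to 5.0."""
    return (a.criticality + recovery_score(a.recovery_days)
            + a.regulatory_penalty + a.brand_damage) / 4


def risk(a: Asset) -> float:
    return probability(a) * impact(a)


def segment(a: Asset, new_exposure: int) -> Asset:
    """The action visibility should lead to: put the asset behind access control
    so fewer things can reach it. Impact is untouched; only probability drops."""
    return replace(a, exposure=new_exposure)


def patch(a: Asset) -> Asset:
    """The other probability lever, often unavailable for regulated medical devices."""
    return replace(a, known_vulns=0)


def prioritize(assets: list[Asset]) -> list[tuple[str, float]]:
    """Risk register: highest risk first, i.e. what to segment before what."""
    return sorted(((a.name, risk(a)) for a in assets), key=lambda t: t[1], reverse=True)


# Constructed sample inventory: the kind of list a visibility tool hands you.
INFUSION_PUMP = Asset("infusion pump", known_vulns=2, exposure=5, criticality=5,
                      recovery_days=7, regulatory_penalty=5, brand_damage=5)
NURSE_WORKSTATION = Asset("nurse workstation", known_vulns=3, exposure=4, criticality=3,
                          recovery_days=1, regulatory_penalty=3, brand_damage=2)
LOBBY_SIGN = Asset("lobby digital sign", known_vulns=1, exposure=3, criticality=1,
                   recovery_days=0.5, regulatory_penalty=1, brand_damage=1)
INVENTORY = [LOBBY_SIGN, NURSE_WORKSTATION, INFUSION_PUMP]


if __name__ == "__main__":
    for name, r in prioritize(INVENTORY):
        print(f"{name:20s} risk {r:.2f}")
    before = risk(INFUSION_PUMP)
    after = risk(segment(INFUSION_PUMP, new_exposure=1))
    print(f"pump after segmentation: {before:.2f} -> {after:.2f}")
    print(f"pump after patching only: {risk(patch(INFUSION_PUMP)):.2f}")
```

Two things the numbers show that the prose alone does not: the inventory by itself changes nothing (every asset scores the same before and after you learn it exists), and for the pump, dropping its exposure from 5 to 1 cuts more risk than patching every known vulnerability would, because the impact factors stay at their maximum no matter what you do to the device.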
And maybe do more to protect your bike than just using a lock.