The Data Breaches Are Coming - A Guide To Risk Management & Mitigation

The importance of information security should come from the highest levels of management. Whenever a data breach occurs, one might wonder who is at fault. Was it an engineer failing to implement a regular software patch, was it a technical manager saving costs by foregoing a security review or was it the executive team who were too focused on releasing products and services?

The world of information security is vast and encompasses many areas, but few people focus on the field of risk management and compliance. We hear a lot about data breaches at big companies and how easily they could have been prevented with simple measures. Cyber security people wonder: how could they not plug that simple hole? Sometimes vulnerabilities do not get fixed because of negligence or mistakes made by employees. Other times a company deliberately does something with a risk other than mitigate it, but more often than not breaches are caused by a complex web of missteps.

A quick overview of risk management

A company has assets, and those assets have a set value to the company. There are threats to those assets, and there is a probability of each threat occurring.

Asset = $ value + % vulnerable

A company looks at the value of the assets, looks at the probability that a threat will occur, and determines the value it can expect to lose, as well as the frequency with which this event will occur.

Companies use various means to try to prepare for losses. They can avoid the risk altogether by not using a product. They can accept the risk and carry on business as usual. They can purchase a control to mitigate the risk. They can also transfer the risk by purchasing cyber insurance. With costs for manpower and security controls increasing, transferring the risk by purchasing insurance is becoming a popular option for organizations.

There are many options when it comes to purchasing security controls that try to take care of risks so that they never materialize. Threats occur at different points in a network or a system, and your options are bountiful for security appliances that can detect or prevent that threat where it occurs.

A typical mail system, for instance, can have traffic scanned in some form at a border router, mail gateway, firewall, intrusion detection or prevention systems, at the mail server, and even at the endpoint where the mail is opened. These controls all have costs associated with them.

Addressing risks

Say a company performs a risk assessment on its mail system. It sees that attachments with malware are getting through to its employees, and in the past year 5% of all employees have downloaded something. We've all seen some pretty nasty ransomware get distributed this way, so in this case we would spend whatever it cost to mitigate the threat.

There are two major costs associated with security controls in addition to purchasing them.

  1. Security devices all require updated signatures on a regular basis, or else the device is rendered useless. If it doesn't know what emerging threats are out there, it can't detect them and/or stop them. The infrastructure, the manpower to maintain it, and the bandwidth this consumes can be massive in larger organizations, costing money.
  2. The second major cost is the manpower to deal with detections. Many detections are false positives, and security features like quarantining files, deleting files, etc. must be turned off, and then the information must be re-sent. This costs because it decreases the efficiency of the security team as well as of employees trying to do their day-to-day work.

Example based on a realistic scenario

There are reasonable examples of security controls that would be too costly for a business to purchase. Let's say a company deals with a lot of customer data. They could encrypt all of that data, keep it on an air-gapped network, and make the only access to it a room with a guard who checks identification, where you need to type in a password after inserting your ID card. That sounds like the type of security I would want my data protected by, but something like that costs too much to implement. Companies in this case look to compliance regulation for guidance. Many companies just implement the bare minimum to pass inspection.

In the example above, we used a frequent attack delivered through an attack vector that is easy to succeed with. Security controls for it exist in some form at every organization. What about an attack vector that is not easily exploited?

A company uses an anti-virus suite to protect its network. It's a great product, but it runs on older servers. In order to upgrade the servers, they would have to pay for new licenses. The definitions they use and the capabilities are the same to them in the old and new software version, so there isn't a value in upgrading. The security company releases a disclosure that there is a major vulnerability in its older version of the software. The vulnerability allows someone with physical access to the server appliance to get unauthorized root access if they already have an administrator account on the server. This is a difficult vulnerability to exploit considering the company's considerable physical security footprint. Is it worth it to upgrade because of the vulnerability? Since they already trust their administrators, and they log all access to the server room, it is a difficult vulnerability to exploit without being caught easily.
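To make the overview's model concrete for the two scenarios above (the mail malware and the old anti-virus server), here is an added example, not from the article or its authors, that puts the article's value, exposure and frequency into the textbook single-loss and annual-loss form and compares the yearly cost of the treatments the article lists. Every dollar figure and probability is constructed; the article supplies only the 5% infection rate.

```python
from dataclasses import dataclass


@dataclass
class Risk:
    """One threat to one asset in the article's terms: $ value, % exposed, frequency."""
    name: str
    asset_value: float         # $ value of the asset to the company
    exposure: float            # fraction of that value lost when the threat succeeds
    incidents_per_year: float  # how often the threat is expected to succeed

    def single_loss(self) -> float:
        return self.asset_value * self.exposure

    def annual_loss(self) -> float:
        return self.single_loss() * self.incidents_per_year


def treatment_costs(risk, control_cost, control_effectiveness, premium, payout_ratio):
    """Expected yearly cost of accept / mitigate / transfer (lower is better).

    control_cost is the recurring total the article describes (signatures,
    maintenance, analyst time on false positives), not just the purchase price.
    Avoidance is omitted: its cost is the business value forgone, not a property
    of the risk itself.
    """
    loss = risk.annual_loss()
    return {
        "accept": loss,
        "mitigate": control_cost + loss * (1 - control_effectiveness),
        "transfer": premium + loss * (1 - payout_ratio),
    }


def cheapest(costs):
    return min(costs, key=costs.get)


# Constructed figures (the article gives only the 5% infection rate).
# Scenario 1: malicious mail attachments, 400 staff, 5% infected per year.
mail = Risk("mail malware", asset_value=10_000, exposure=0.5, incidents_per_year=400 * 0.05)
mail_costs = treatment_costs(mail, control_cost=60_000, control_effectiveness=0.9,
                             premium=60_000, payout_ratio=0.7)

# Scenario 2: root-access flaw in the old anti-virus server; it needs physical
# access plus an admin account, so it succeeds rarely despite a large single loss.
av_server = Risk("stale AV server", asset_value=2_000_000, exposure=0.5, incidents_per_year=0.01)
av_costs = treatment_costs(av_server, control_cost=40_000, control_effectiveness=1.0,
                           premium=15_000, payout_ratio=0.8)
```

With these inputs the frequent, cheap-to-exploit mail threat is worth mitigating, while the rarely exploitable server flaw is cheapest to accept, which is the article's conclusion; change the frequency and the answer flips.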

A simple risk mitigation solution

Let's talk more about policy controls that are better suited to deterring this type of exploitation. By severely limiting administrator access to only those who absolutely require it, you can limit the resources needed to vet individuals. With fewer administrators, you can monitor their activity more easily, and there's less of a chance they will find an opportunity to exploit the system. Logging activity is a priority as well, because if you don't know who is doing what, you can't catch them when they do wrong.
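As an added example of the "fewer admins, watch them, log everything" policy (not from the article or its authors), this reviews a constructed sudo log against an approved administrator roster: it counts root commands per person, lists activity by anyone not on the roster, and flags bare root shells, which record that a privileged session happened but not what was done inside it.

```python
import re
from collections import Counter

# Constructed sample log lines in syslog/sudo format; not taken from the article.
SAMPLE_LOG = """\
Mar  3 09:12:01 av-srv01 sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart avd
Mar  3 09:40:17 av-srv01 sudo:     bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/cat /var/log/avd.log
Mar  3 10:02:44 av-srv01 sudo:   carol : TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/bin/bash
Mar  3 10:03:09 av-srv01 sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt-get update
Mar  3 11:15:30 av-srv01 sshd[2210]: Accepted publickey for dave from 10.0.0.9 port 50122 ssh2
"""

# Invoking user, target account and command from a sudo log entry.
SUDO_RE = re.compile(r"sudo:\s+(?P<user>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")

# Commands that open an interactive shell, hiding what was actually run as root.
SHELLS = {"bash", "sh", "zsh", "su"}


def review_privileged_activity(log_text, approved_admins):
    """Return (root commands per user, lines by unapproved users, users who opened a root shell)."""
    counts = Counter()
    unapproved = []
    shell_users = []
    for line in log_text.splitlines():
        m = SUDO_RE.search(line)
        if not m or m.group("target") != "root":
            continue  # not a sudo-to-root entry (e.g. sshd lines)
        user = m.group("user")
        counts[user] += 1
        if user not in approved_admins:
            unapproved.append(line)
        program = m.group("cmd").split()[0].rsplit("/", 1)[-1]
        if program in SHELLS and user not in shell_users:
            shell_users.append(user)
    return counts, unapproved, shell_users
```

A roster mismatch means either the roster is stale or someone holds root who should not; a bare shell from an approved admin is a gap in the very logging the article relies on.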


Corporations have to think about the big picture. C-level employees and middle managers have to worry about the bottom line. Often, the lower-level technical managers and technicians have to foot the bill and figure out fixes for the issues that arise from that shortsightedness. A good organization will leverage the knowledge of all stakeholders involved and come up with better solutions in a more efficient manner. Examining major breaches is an exercise in investigating not only the technical aspects but also the business aspects of what happened. In order to fix issues, a company must change its mindset about security, not just fix the one problem that allowed the breach.

Main Image Credit : The awesome piece of artwork used to head this article is called 'Data Breach' and it was created by graphic designer Aerica.

This post was a collaboration between

InfoSecJon, Miguel A. Calles, MBA

  • InfoSecJon


    Jon is currently working as a security consultant for a major software company. He runs his career advice blog, is pursuing postgraduate study in Digital Forensics, and hacks as a hobby.


  • Miguel A. Calles, MBA


    Miguel is the author of the Black Hat Chronicles novels and a certified cyber security engineer. Miguel publishes his writings on Secjuice, Medium and Amazon's Kindle Direct Publishing.

