some fiction
The risk of the invisible open door
Burglars' marks. The front door is open, the lights are off and the sports car is not in the garage. You don't have to be a super villain à la Lord Voldemort or Darth Vader to recognize the perfect conditions for a crime, a burglary. A bit of curiosity, the allure of a bit of mischief - it's enough to slip through the door and have a look around without risking too much. Maybe, just maybe, you can take something with you.
The same scenario also applies to the digital world, only here the open front door represents a potential vulnerability. While we can still quickly recognize the physically open front door and react to it - or at least be made aware of it by a good neighbor - this all happens invisibly and unnoticed in the digital world. Nobody draws our attention to our open doors, and the danger only really becomes apparent when the system no longer behaves as expected, data is lost, we no longer have access to our own systems or, in the worst case, we are blackmailed. Too late, shit happens!
The question that arises: How can I protect myself from this and ensure that there is no "open door" in my IT infrastructure? And if I do miss something, how can I minimize the risk of being caught with my pants down by a gangster in my living room?
The options for avoiding risk are very simple, but the application is complex. There are basically four ways to counter the risk:
Responding to risk
- Avoidance: Avoid risks by changing your behavior or giving up certain activities completely. Figuratively speaking, if I build my house without doors and windows, I run no risk of leaving anything open. If I do without digital devices - no cell phone, no PC - I can't be hacked. It's still the easiest and most convenient way to stay digitally secure. But let's be honest: in our networked world, who can afford to live this way without being left behind? Not a viable solution for most of us.
- Minimize: Probably the first step when faced with a potential danger is to actively reduce this danger. With a house and the likelihood of a break-in, you would take measures such as alarms, fences and automatically closing doors. In IT security, however, this quickly becomes more complex. This is where firewalls, VPNs, security updates and zero trust models come into play. No shame in that, but as everyday users, many will probably quickly find themselves overwhelmed by the terminology. What's more, all of these components need to be coordinated and a holistic concept is required. The attack surface grows with every additional door, with every additional window, and by extension with every additional PC and every additional cell phone.
- Accept: Yes, sometimes it makes sense to consciously take a risk and accept the consequences, especially if the damage remains manageable in the worst case. If the risk of a break-in only involves the loss of a well-stocked fridge, some cheese, sausage, bananas and the juicy doughnut you've been looking forward to all day, it's unpleasant, but in no way catastrophic. For the money of an alarm system, I could probably go out to eat in a restaurant several times in a worst-case scenario. In IT, however, you should bear in mind that the risk of losing confidential data such as passwords, customer information, balance sheet figures, etc. is probably far greater than losing the contents of a fridge and the holiday doughnuts you put aside.
- Transfer: Shifting the risk to another party. Insurance companies in particular have been using this business model for years. However, in our case, the question is whether someone would sell burglary and theft insurance for a house without lockable doors. As a businessman, I would be wary of such careless customers. The same applies in IT: if the security precautions are inadequate, it will be difficult to find someone to insure the risk. It is therefore no coincidence that necessary certifications such as ISO 27001 and NIS2 have been introduced for particularly critical and important areas of life to prove that a company meets certain security requirements.
Four options. Now, what to do?
A risk strategy
The four ways to respond to risks are in themselves quite simple. However, they can rarely be applied in isolation. To develop a suitable strategy for your own risks, all potential risks must first be identified and then evaluated by their probability of occurrence and their potential damage.
RISK = probability of occurrence x impact (damage potential)
The next step is to develop a holistic strategy and decide whether the risks should be dealt with internally or externally.
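To make the procedure concrete, here is an added example (not code from the original post) of a minimal risk register: each risk is rated on 1..5 scales for probability and impact, scored with RISK = probability x impact, sorted, and mapped onto the four responses above. The scales, the thresholds that pick a response, and the sample risks are all constructed assumptions for illustration; a real register would tune them to the organisation.

```python
"""Minimal risk register: scores risks as probability x impact and suggests
which of the four responses (avoid, minimize, accept, transfer) to consider.
Added example; scales, thresholds and sample risks are constructed assumptions."""

# Qualitative 1..5 scales, as commonly used in risk assessment (assumption).
PROB_SCALE = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT_SCALE = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


def risk_score(probability: str, impact: str) -> int:
    """RISK = probability of occurrence x impact, on the two 1..5 scales (1..25)."""
    return PROB_SCALE[probability] * IMPACT_SCALE[impact]


def suggest_response(probability: str, impact: str) -> str:
    """Map a rating onto the four responses from the text.

    Thresholds are assumptions for the example:
      - score >= 20      : avoid    (likely and severe: remove the exposure, close the door)
      - impact >= 4, p <= 2: transfer (rare but catastrophic: the classic insurance case)
      - score >= 6       : minimize (reduce probability or impact with controls)
      - otherwise        : accept   (fridge-contents class: cheaper to live with)
    """
    p, i = PROB_SCALE[probability], IMPACT_SCALE[impact]
    score = p * i
    if score >= 20:
        return "avoid"
    if i >= 4 and p <= 2:
        return "transfer"
    if score >= 6:
        return "minimize"
    return "accept"


def build_register(risks):
    """Score every (name, probability, impact) entry and return the register
    sorted by score, highest first, so the worst open doors come up first."""
    register = []
    for name, probability, impact in risks:
        register.append({
            "name": name,
            "probability": probability,
            "impact": impact,
            "score": risk_score(probability, impact),
            "response": suggest_response(probability, impact),
        })
    return sorted(register, key=lambda r: r["score"], reverse=True)


# Constructed sample risks for a small business (not from the original post).
SAMPLE_RISKS = [
    ("Remote desktop exposed to the internet without MFA", "almost certain", "severe"),
    ("Ransomware delivered by phishing email", "likely", "major"),
    ("Laptop lost on the train (disk encrypted)", "possible", "minor"),
    ("Fire destroys the on-premises servers", "rare", "severe"),
    ("Office fridge emptied by a burglar", "possible", "negligible"),
]


def format_register(risks) -> str:
    """Render the register as a simple text table for a risk review meeting."""
    lines = [f"{'score':>5}  {'response':<9} {'risk'}"]
    for r in build_register(risks):
        lines.append(f"{r['score']:>5}  {r['response']:<9} {r['name']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_register(SAMPLE_RISKS))
```

The register puts the exposed remote desktop on top as something to avoid outright (the open front door), marks the rare-but-devastating fire as a transfer candidate (insurance and off-site backups), and lets the fridge be accepted. The transfer rule is checked before the minimize rule on purpose: a low score alone would otherwise hide a catastrophic-impact risk that happens to be rare.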
Conclusion:
The first step in minimizing risks is to deal with your own IT risks and potential dangers. If you have looked at your risks and their potential damage and can still sleep peacefully, you are on the right track. Otherwise, the options for avoidance, mitigation and transfer should be reconsidered and adapted or, if necessary, experts should be consulted. Don't forget to lock your front door.