Strengthening Security: How Information Security Controls Reduce Residual Risk
Ryan Wellman, Cybersecurity Control Analyst at Lasco
In today’s digital landscape, small businesses face increasing cybersecurity threats, often with limited resources. Implementing effective information security controls is essential not only for regulatory compliance but also for protecting customer trust and financial stability.
What Are Information Security Controls?
Information security controls are policies, procedures, and technical measures designed to reduce inherent risk. (Inherent risk is the level of risk before any controls are applied.) Once controls are in place, the remaining risk is known as residual risk. The goal is to reduce residual risk to an acceptable level.
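To make the inherent-risk / residual-risk distinction concrete, here is a small risk-register model as an added example (it is not from the original article and not a method the author describes). It assumes a constructed 1-5 likelihood and impact scale, treats each control as removing a fraction of the remaining likelihood or impact (so layered controls compound with diminishing returns), and compares the result with a stated risk appetite; the risk names, control effectiveness figures and the appetite value are all constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed qualitative scales; many registers use a 5x5 matrix like this.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Control:
    name: str
    likelihood_reduction: float  # fraction of remaining likelihood removed (0..1), assumed value
    impact_reduction: float      # fraction of remaining impact removed (0..1), assumed value


@dataclass
class Risk:
    name: str
    likelihood: str
    impact: str
    controls: list = field(default_factory=list)


def inherent_score(risk: Risk) -> int:
    """Risk before any control is applied: likelihood x impact on the 1-5 scales."""
    return LIKELIHOOD[risk.likelihood] * IMPACT[risk.impact]


def residual_score(risk: Risk) -> float:
    """Risk remaining after each control removes its share of what is left.

    Neither axis is allowed to drop below 1: a control can shrink a risk but
    never make an incident impossible, which is exactly why residual risk exists.
    """
    likelihood = float(LIKELIHOOD[risk.likelihood])
    impact = float(IMPACT[risk.impact])
    for control in risk.controls:
        likelihood *= 1.0 - control.likelihood_reduction
        impact *= 1.0 - control.impact_reduction
    return round(max(likelihood, 1.0) * max(impact, 1.0), 2)


def build_register() -> list:
    """Constructed sample register using the control types named in the article."""
    mfa = Control("MFA", 0.75, 0.0)
    training = Control("Security awareness training", 0.30, 0.0)
    edr = Control("EDR", 0.50, 0.40)
    least_privilege = Control("Access controls", 0.0, 0.30)
    disk_encryption = Control("Encryption at rest", 0.0, 0.75)
    return [
        Risk("Phishing-led account takeover", "likely", "major", [mfa, training]),
        Risk("Ransomware on endpoints", "possible", "severe", [edr, least_privilege]),
        Risk("Lost laptop holding customer data", "possible", "major", [disk_encryption]),
        Risk("Wire fraud via business email compromise", "likely", "major", [training]),
    ]


def assess(register: list, appetite: float) -> list:
    """Return (name, inherent, residual, accepted) tuples, highest residual risk first."""
    rows = []
    for risk in register:
        residual = residual_score(risk)
        rows.append((risk.name, inherent_score(risk), residual, residual <= appetite))
    return sorted(rows, key=lambda row: row[2], reverse=True)


if __name__ == "__main__":
    for name, inherent, residual, accepted in assess(build_register(), appetite=6.0):
        status = "within appetite" if accepted else "NEEDS MORE CONTROLS"
        print(f"{name:45s} inherent={inherent:2d} residual={residual:5.2f} {status}")
```

Run as a script, the register shows the BEC risk still sitting above the constructed appetite of 6 even after awareness training, which is the signal that another control (for example a payment call-back procedure) is needed before that residual risk can be accepted.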
Common Controls That Make a Difference
Some of the most effective and widely used controls include:
- Multi-Factor Authentication (MFA): Adds a layer of protection beyond passwords.
- Endpoint Detection and Response (EDR): Monitors and responds to threats on devices.
- Access Controls: Ensure that users have access only to the data they need.
- Encryption: Protects sensitive data in transit and at rest.
- Security Awareness Training: Educates staff on phishing and social engineering.
The Importance of Scheduled Control Reviews
Security is not a “set it and forget it” endeavor. Controls must be regularly reviewed and tested to ensure they remain effective against evolving threats. Scheduled reviews help identify outdated tools, misconfigurations, or gaps in coverage—before attackers do.
Segregation of Duties: Audit vs. Administration
A critical best practice is the segregation of duties between those who administer systems and those who audit them. This reduces the risk of fraud or undetected errors. For example, the person who manages user access should not be the same person reviewing access logs.
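The two practices above, scheduled control reviews and segregation of duties between administrator and auditor, can both be checked from one control register. The following is an added example, not code from the article or its author: it assumes each control record names the person who administers it, the person who independently reviews its evidence, the date of the last review and the required review interval, and it flags overdue reviews and any control where the same person fills both roles. All names, dates and intervals are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class ControlRecord:
    name: str
    administrator: str       # person who configures and operates the control
    reviewer: str            # person who independently reviews its logs/evidence
    last_reviewed: date
    review_interval_days: int


def review_findings(records: list, today: date) -> list:
    """Return (control, finding_type, detail) tuples for every issue found.

    finding_type is "segregation-of-duties" when one person both administers
    and reviews a control, or "review-overdue" when the scheduled review has lapsed.
    """
    findings = []
    for record in records:
        if record.administrator == record.reviewer:
            findings.append((
                record.name,
                "segregation-of-duties",
                f"{record.administrator} both administers and reviews this control",
            ))
        due = record.last_reviewed + timedelta(days=record.review_interval_days)
        if today > due:
            findings.append((
                record.name,
                "review-overdue",
                f"review was due {due.isoformat()}, {(today - due).days} days late",
            ))
    return findings


def sample_register() -> list:
    """Constructed register covering controls named in the article."""
    return [
        ControlRecord("MFA enforcement", "alice", "bob", date(2024, 1, 15), 90),
        ControlRecord("EDR alert triage", "carol", "carol", date(2024, 5, 20), 90),
        ControlRecord("User access review", "alice", "alice", date(2023, 12, 1), 90),
        ControlRecord("Disk encryption coverage", "dave", "bob", date(2024, 4, 1), 180),
    ]


if __name__ == "__main__":
    # A fixed 'today' keeps the run reproducible; use date.today() in practice.
    for control, kind, detail in review_findings(sample_register(), date(2024, 6, 1)):
        print(f"[{kind}] {control}: {detail}")
```

Passing a fixed date in rather than calling date.today() inside the function is deliberate: it lets the check be replayed against a past audit period and unit-tested, and the same function can be run on a schedule with the real date to produce the review calendar.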
Emerging Threats That May Go Unnoticed
Two current threats that often fly under the radar for smaller institutions include:
Business Email Compromise (BEC)
Attackers impersonate executives or vendors to trick staff into transferring funds or revealing sensitive information.
Shadow IT
Employees using unauthorized apps or devices can introduce vulnerabilities that bypass official security controls.
For small businesses, investing in the right security controls (and maintaining them) is not just about compliance. It’s about safeguarding your institution’s future. By reducing residual risk through layered defenses, regular reviews, and clear role separation, you can build a resilient security posture that protects your customers and your reputation.