What Really is Cyber Risk?
Concerned and Confused about Cybersecurity and the Risks Your Business is Faced With?
Most businesses are. Corvid Cyberdefense views security and risk management as a formula. Risk can never be reduced to zero, but every organization can materially improve its security posture by focusing on the variables that have the greatest effect on its risk exposure.
Risk = Threats x Vulnerabilities x Consequences
THREATS – The threat variable is understood through intelligence and is the hardest to solve for: it lies outside most organizations’ control and is always changing. Understanding the various threats and types of attackers is important, but changing the threat landscape is impossible. Therefore it is best to concentrate first on eliminating vulnerabilities and then on reducing consequences. Let’s first examine vulnerabilities, which account for almost 85% of attacks.
VULNERABILITIES are addressed with security controls and technology. When deploying security controls, most security practitioners follow a defense-in-depth strategy. Here is an excerpt from an article recently published on CSO Online, a well-respected source of information for security professionals and executives.
“Defense in depth was originally a military strategy, which was meant to slow the enemy’s advance until a counter-attack could be mounted. Counterattacks in cybersecurity are a more recent development as information security systems were largely passive, but security defenses have been typically established at multiple layers in an attempt to thwart intruders. If the intruder broke through one barrier, there would be more and different barriers to circumvent before any damage or breach could occur.
With defense in depth, multiple layers of security are applied across the entire information technology (IT) infrastructure and extend to include personnel procedures and physical security. The idea is, the more layers of security that exist, the harder it will be to breach all the defenses to steal digital assets or cause disruption.
The core concept of defense in depth is still viable but must be continually re-adapted as computing technologies and threats evolve. It is a challenging task to remain updated on current trends and changing vulnerabilities, but this must remain a main objective for information security teams.”
There are a couple of key points in this excerpt that many organizations struggle to address for lack of expertise: either a small internal IT team carries the cybersecurity workload alongside everything else, or the work is left to an outside firm that predominantly manages IT infrastructure such as servers, desktops, networks and telephony.
It is critical to deploy multiple layers of security controls, and just as important to stay current on trends and changing threats and vulnerabilities. The security controls most small and medium businesses have in place lack depth and are no longer effective at blocking current attacks.
1. Email Security – Most small and medium businesses have no real email security in place. In a defense-in-depth strategy, it is critical to have controls where the majority of attacks originate; otherwise you are left relying on controls that act only after the attack has begun. According to the Verizon Data Breach Investigations Report, over 90% of breaches and incidents originated with an email phishing attack. Most businesses of this size use a cloud email platform such as Office 365 or Gmail with only basic spam filtering. Spam filtering is not email security: it does little to stop a targeted phishing message that carries no malware and simply asks the recipient to enter their credentials on a look-alike login page. And because email targets the weaknesses of your employees, an employee awareness and training program is essential for every organization. Building a culture around security and empowering your employees to be good stewards of your company’s digital assets goes a long way toward preventing a successful attack on your business.
2. Endpoint Security – The last line of defense is the organization’s endpoints (computers and servers). The majority of small and medium businesses rely on traditional, signature-based anti-virus from vendors such as McAfee, Symantec or Trend Micro, and it is demonstrated every day that signature matching alone is ineffective against today’s attacks: a freshly built or repacked ransomware sample has no signature yet, so it walks past these outdated defenses. More effective endpoint technologies now exist that use behavioral analysis, machine learning and data analytics to block an attack by what it does rather than by what it looks like.
3. Vulnerability Management – Most organizations are not running periodic vulnerability scans in their environments. Patching known software vulnerabilities consistently is critical, but you cannot rely on software vendors to notify you of every vulnerability that affects you. Best practice is to run frequent scans proactively, rank the findings by severity and exposure, and patch accordingly.
4. Encryption – Most computer hard drives are not encrypted. Full-disk encryption should be a policy control enforced on every computer, with recovery keys escrowed centrally so that a forgotten password does not turn into data loss. Keep in mind what it protects against: data at rest on a lost or stolen device, not data on a machine that is powered on and already compromised.
5. Trusted Access – Most organizations have not deployed multi-factor authentication (MFA). Whether you access company-owned or cloud-based systems, MFA adds a second, independent factor to the login, so a compromised password alone no longer grants access to critical information such as personally identifiable information (PII). Prefer authenticator apps or hardware security keys over SMS codes, which can be intercepted or socially engineered.
6. Application and User Control – Attackers either bring malicious applications with them or abuse legitimate applications already on the system to launch attacks. It is critical to control and monitor which applications run, and by which users, based on the information those users are allowed to access.
7. SSL Inspection – The majority of internet traffic today is encrypted with TLS (the successor to SSL; the name “SSL inspection” has stuck). Although this keeps data confidential in transit, it also lets attackers hide command-and-control traffic and data exfiltration from network controls. It is best practice to deploy technology that decrypts this traffic at the network edge and inspects it for threats and for exfiltration of critical data. Note the trade-off: the inspecting device’s CA certificate must be installed on every endpoint, the inspection point now holds your users’ plaintext traffic and must itself be well protected, and privacy-sensitive destinations such as banking and healthcare sites are commonly excluded from inspection.
CONSEQUENCES – Having addressed vulnerabilities, we now turn to reducing consequences. There are two important principles for limiting the consequences of a successful attack, but first adopt the mindset that an attacker will get into your environment. That assumption forces you to build a plan for limiting what they can do once inside.
The first principle is to segment your most critical assets, often called the “crown jewels”, from the rest of your environment. Wherever that critical data lives, you want controls in place that stop an attacker who has a foothold from reaching what they are ultimately after. The crown jewels can be an organization’s most important data, residing in an on-premises data center or in the cloud, or its most critical systems, such as heart rate monitors in a hospital or an assembly line in a manufacturing facility.
A new global study based on 500 interviews conducted by The Ponemon Institute on behalf of IBM finds that the average amount of time required to identify a data breach is 197 days…
The second principle is having the right “detect and respond” tools and people in place to identify an attack as quickly as possible and remediate it before critical damage is done. Most small and medium organizations, and many larger enterprises, do not have a Security Operations Center (SOC) with the technology and experts to detect and respond to attacks within minutes rather than days or months. Reducing the consequences of an attack on your business requires fast detection and remediation, but building that capability yourself is very expensive. For most companies, partnering with a reputable security provider that offers these services at a reasonable cost is the best approach.