How Organizations Can Consistently Reduce Cyberrisk

Author: Patrick Barnett, CISA, CISM, CEH, CISSP, PCI QSA, PCIP
Date Published: 11 April 2023

It has become apparent that cyberrisk is a “clear and present danger for all organizations globally.”1 While there are methods to reduce cyberrisk, not all risk associated with cybersecurity can be eliminated. It is vital to understand that cyberrisk is an ever-changing parameter that requires constant analysis and is difficult to quantify.

Not every risk-related cybersecurity initiative results in significant risk reduction. Sometimes small initiatives, over time, have a cumulative effect that significantly reduces risk and costs little for the organization. These small initiatives, when combined with regular cybersecurity due diligence activities, are worth exploring.


There Is Always Risk to Be Identified

So, one has mature, well-funded cybersecurity, and their organization has a good history with audits. Detailed risk analysis projects and business impact analyses (BIAs) have been conducted. Patches are applied quickly, good endpoint management is in place, multifactor authentication (MFA) is required for all credentials, frequent penetration tests are performed and staff are well trained. Risk levels are tolerable and accepted by the enterprise. In fact, compared with others in its industry vertical, the organization carries less risk than many similar organizations. Does this mean the organization has no risk at all? No, nor does it mean that the enterprise cannot be breached. Such an organization could still suffer considerable damage and economic loss if the right threat actor targeted its network.

The first step to reduce cyberrisk is to understand what sources of cyberrisk exist for an enterprise. No one is immune to cyberrisk. Vulnerabilities and weaknesses (often human) are inherent to networks and the digital world. No matter how much money enterprises spend or how talented their cybersecurity teams are, they can never eliminate all risk. However, organizations should always attempt to do everything possible to eliminate risk, even in the smallest of ways. Slight changes and improvements can have a significant impact.

Staffing Issues Amplify Risk

A proper cybersecurity defense consists of many layers. Some of the layers may change based on tactics. Many layers will come and go over time. Some layers require little time and no additional funding, while other layers may be significant in terms of time and expense. The biggest bottleneck around large projects is sometimes not budget, but rather staffing. Some of the best cyber projects require many people to work for months toward a common goal. Employees may not have the bandwidth to assist with significant, time-consuming projects in addition to their daily job functions. A lack of adequate staffing can increase the time it takes to execute key security improvement initiatives.

Historically, some cyberprofessionals have had good experiences using local college interns to assist with large, cumbersome and resource-intensive cyber projects. It is a win-win for both parties. The college or university is elated to give students a real-world project and the students have a chance to gain valuable experience.

Risk Is Fluid

Just as important as understanding that risk can never be eliminated is understanding that it is a moving target. Risk constantly fluctuates. Organizations often treat risk as if it is stagnant and only needs to be reviewed once per year, particularly in advance of internal or external audits. Once the audit has concluded, risk reduction, analysis and improvements are not considered until the next audit cycle. In fact, some organizations will not consider making any changes unless the recommended change is the result of an audit finding.

In today’s rapidly changing world of cybersecurity, fluidity is paramount. The threat landscape is constantly changing. Ninety percent of an organization’s risk is based on a threat group attacking for financial gain.2 This fact makes the threat landscape remarkably similar even across vastly different industry verticals. For most organizations without trade secrets such as diagrams, formulas, patented information or secret intellectual property, the threat landscape consists of several components:

  • Loss of confidential data
  • Loss of network functionality and/or web services or ecommerce functionality
  • Inability to access the network and/or digital resources
  • Reputational and/or legal issues related to compromise of confidential data

Threat Intelligence Is Key

The best way to understand changes in the cyberrisk and threat landscapes is to develop a mindset of seeking to consistently discover methods to develop and improve a cohesive threat intelligence strategy. Developing and maintaining a threat intelligence strategy is one of the most important—and overlooked—layers of a mature cyberdefense.


Understanding what threat groups are planning, how they are attacking, and what makes them successful (or unsuccessful) are among the most important drivers for responding to a constantly changing threat landscape. Essentially, once one understands that the threat landscape is constantly evolving and that financial gain drives the majority of all attacks, one can use threat intelligence to build a strategy of small changes that proactively defend against the tactics threat groups are using in real time.

For example, consider a financial institution that receives threat intelligence daily from multiple sources. The institution receives a new piece of intelligence about a threat group that is successfully deploying ransomware against other financial institutions. The threat intelligence contains information that can be used to implement countermeasures. For every threat, there is a certain countermeasure that can be initiated. In some cases, the threat intelligence may contain information mapped to frameworks such as MITRE ATT&CK that would allow the target to immediately build countermeasures based on factors such as Internet Protocol (IP) addresses, Uniform Resource Locators (URLs), ports, hashes, heuristics or techniques.

In other circumstances, rapid patching of vulnerabilities can be prompted. Sometimes, cybersecurity staff can block certain information at the email gateway, send end users notifications or provide additional training to staff.

Small Changes Make a Difference

Each threat intelligence bulletin and its corresponding countermeasure helps reduce risk. Additionally, other minor changes can reduce risk, such as geo-blocking at the firewall perimeter. In 2023, most organizations can block certain countries, based on IP addresses, from sending and receiving packets at the perimeter. Whether the blacklist of geo-blocked countries is short or long, this can have a significant impact when researched and implemented properly.

Another method of reducing risk is for an enterprise to collaborate with employees to develop manual processes around certain IT workflows so that business can still be conducted when technical resources are not available.

Often, security teams devise smaller ideas to improve alerting, logging and telemetry based on network events. Every suggestion should be considered, no matter how small, to make slight changes (consistently) to reduce risk and mature the security posture of the organization. An effective, mature cybersecurity team should always be encouraged by leadership to find and implement additional layers of defense. In fact, ideas for improvement can be managed as a sort of fun competition.

Conclusion

There are many layers to a good defense that must adapt to constant changes. If an organization fails to update its defenses, it will fall behind and lose momentum. An enterprise should never be in a situation where it makes less frequent improvements than threat groups. If so, it will lose ground to threat actors.

Endnotes

1 Joyce, S.; Dobrygowski, D.; Van der Oord, F.; “Principles for Board Governance of Cyber Risk,” Harvard Law School Forum on Corporate Governance, 10 June 2021
2 Secureworks, 2022 State of the Threat: A Year in Review, October 2022

Editor’s Note

Hear more about what the author has to say on this topic by listening to the “How Organizations Can Consistently Reduce Cyberrisk” episode of the ISACA® Podcast.

Patrick Barnett, CISA, CISM, CEH, CISSP, PCI QSA, PCIP, is an incident response principal consultant for Secureworks. He has more than 30 years of experience as a cybersecurity professional and specializes in network engineering with a focus on security. In previous roles, he acted as chief information security officer (CISO) and chief information officer (CIO) and has served as vice president at a large financial enterprise. Barnett is driven by a passion for seeing cybersecurity done right and is committed to aiding organizations in defining proper policies, procedures and mechanisms to respond to security events of any size.