Today’s enterprises face a variety of threats, including nation states, cybercriminal syndicates, hacktivists, malicious insiders, and lone wolf attackers. Each of these attackers has a different end game and is driven by a range of motives, including ideology, espionage, military advantage and financial gain.
“The risks businesses face today are extreme,” says MJ Strydom, Managing Director at DRS, a Cyber 1 company.
He says risk can be defined as threat times vulnerability times consequence. “This definition can be applied to anything that exposes your organisation to danger. However, when you apply it to information security, the slew of unique threats that have risen from a world of interconnected devices, systems and people, makes risk mitigation more difficult.”
In terms of vulnerabilities, businesses need to look at processes, procedures and technologies. “Cyber criminals are able to launch successful attacks by exploiting vulnerabilities on one of these. Take an insider threat: He or she might know that usernames are made up of the first name and first letter of the last name, or that everyone uses a standard password. They would also have insight into whether or not their organisation is sloppy when it comes to additional security measures. In this way, the process and the technology would be open to exploitation.”
He says the consequence would be the impact or harm done to an organisation should a vulnerability be exploited. “This covers myriad elements. It could be the loss or exposure of sensitive customer data. It could be downtime from damage to, or disruption of, the company network and systems. It could be a plummeting stock price due to loss of customer confidence. There are direct and indirect consequences, all of which end up costing money.”
According to Strydom, this is why it is a good idea to focus on lessening the potential consequences. “To do this, you need to focus security efforts on the data, that if lost or exposed, would cause the most severe impact.”
He says to start by ensuring executive buy-in and involvement. “The push for lowering cyber risk must come from the top, and as such, these individuals need to be involved in all dialogue around cyber security. Press on them the damage a breach could do to the business, not only in terms of losing existing customers, but failing to attract new ones.”
Next, identify and secure the ‘crown jewels’: the most valuable data, which the business couldn’t do without. “This would include any proprietary data such as blueprints and trade secrets. It would also include sensitive customer data such as ID numbers and financial information. It could also include a company’s manufacturing capabilities or how your IT systems work. Focus the majority of your security efforts at this data.”
In addition, Strydom advises enforcing the principle of least privilege, making sure that only people who strictly need access to that information in order to do their jobs have it. “Shut off access to any staff who don’t need to view that information, and closely monitor those that do. There are tools and systems available that highlight anomalous behaviours or exfiltration of sensitive data by employees.”
Effective risk management is an ongoing and onerous task, and one that will never be complete. However, it cannot be ignored, as it affects the entire business, and everyone will end up paying the price in the worst-case scenario, he concludes.