Facing a riskier world: Get ahead of cyberattacks, rather than responding after the fact

Today’s complicated threat landscape leaves security teams grappling with new challenges on a scale never seen. Threat actors are more organized and efficient, leveraging a vast ecosystem of tools and services that cater to experts and beginners alike. In early March, the Cybersecurity and Infrastructure Security Agency (CISA) released an advisory warning of the resurgence of Royal ransomware with new compromise and encryption tactics used to target specific industries, including critical infrastructure, healthcare and education.

Cyberattacks are only increasing and growing more destructive, targeting supply chains, third-party software, and operational technology (OT). Gartner predicts that by 2025, threat actors will weaponize OT environments successfully to cause human casualties. This is happening at a time of increased technology adoption led by accelerated digital transformation efforts, hybrid work and the Industrial Internet of Things (IoT) boom, leaving security teams to manage an evolving and growing attack surface and multiplying vulnerabilities.

27 percent of all executives and 40 percent of chief security officers say their organizations are unprepared for today’s rapidly shifting threat landscape, making it clear that it’s time for a new approach to cybersecurity strategies. Today’s modern organizations must flip the narrative on reactive strategies and turn cybersecurity into an effective process that will proactively identify and reduce risks.

Where is your organization on the risk-based approach maturity curve?

To combat these growing challenges, 43 percent of organizations across various industries have adopted a risk-based approach to cybersecurity. A study examined where specific industries land on a risk-based maturity curve -- evaluating how advanced organizations are in adopting the essential strategies that make a risk-focused approach.

Broken into beginner, intermediate and advanced segmentation, the study showed most industries are only beginning in their journey of a risk-based approach. The same study found that:

• Every industry is in the beginning stages of adopting exposure analysis, the ability to visualize and analyze networks to provide full context and understanding of an attack surface.
• Only 31 percent of public sector organizations have adopted a risk-based approach, the industry low, while at the top 58 percent of insurance organizations have adopted this approach.
• Financial service organizations are just starting to embrace risk-based strategies beyond vulnerability assessments. This involves analyzing and prioritizing efforts to address security issues by considering factors like Common Vulnerability Scoring System (CVSS) severity, exploitability, asset importance, and exposure. Currently, 50 percent of finance companies are in the early stages of implementing this approach.

While 48 percent of organizations with no breaches took a risk-based approach to their security programs, it’s clear that many industries still have progress to make in their journey. Security teams that depend on traditional approaches to cybersecurity are falling behind as threats and pressure increase. While today’s threat actors are moving more quickly to exploit vulnerabilities, the average time it takes security teams to detect and respond to cyberattacks rose to 280 days in 2022.

Where to start with implementing a risk-based strategy

Organizations must understand their unique cyberattack exposure to take a risk-based approach and focus remediation efforts. Security teams must have visibility and context of their attack surface to understand what vulnerabilities can cause the greatest impact if exploited.

While there are many moving parts to a risk-based approach, a study conducted by ThoughtLab found that organizations should look to prioritize these strategies to identify, prioritize, and manage all risks:

• Exposure analysis: By conducting exposure analysis, organizations can identify exploitable vulnerabilities and correlate data within an organization’s network configurations and security controls to determine where cyberattacks pose the highest risk. This strategy determines the attack vectors or network paths that could be used to access vulnerable systems.  
• Risk scoring: Cyber risk scoring gives organizations an objective measurement for evaluating security posture that considers a range of risk factors, including the financial impact of a critical asset going offline. Risk scoring allows organizations to quantify the cost to the business per day if adversaries compromise systems.  
• Vulnerability assessment and prioritization: This strategy allows organizations with complex environments and limited resources to zero in their effort where it matters most by prioritizing vulnerabilities that pose the most risk. Vulnerability assessment and prioritization can automatically consider threat intelligence, asset context, and attack path analysis to determine severity.

The impact of taking a risk-based approach to security is monumental, with the potential to save an organization millions of dollars per year and prevent reputational damage, loss of customer trust and company morale. The same ThoughtLab study also found that organizations excelling in risk-based management saw fewer incidents and material breaches than others.

Implementing these strategies for CISOs and security leaders can improve the alignment of security priorities with broader business goals by helping leaders become more strategic in their views and outcomes. Armed with true visibility into their attack surface, security leaders can make a powerful business case and clearly communicate the organization’s risk exposure.

Photo Credit: Olivier Le Moal / Shutterstock

Alastair Williams is Vice President, Worldwide Sales Engineering at Skybox Security.