How risk profiling can help prevent cyberattacks [Q&A]
Recent cyberattacks, including those carried out by the Volt Typhoon group and the BlackCat ransomware syndicate and the attacks involving NuGet, serve as stark reminders of the critical importance of monitoring cyber risk, since these attacks could all have been prevented.
We spoke to Randy Watkins, chief technology officer at Critical Start, to discuss why organizations must know the difference between cyber risks and threats, and how those enterprises that fail to mitigate against cyber risk will remain reactive, and ultimately fall behind their competitors.
BN: Why is it important for organizations to monitor risk profiles to prevent attacks?
RW: Monitoring risk profiles is essential for identifying and managing inherent vulnerabilities that could be exploited by cybercriminal entities such as Volt Typhoon and the BlackCat ransomware syndicate. This proactive approach towards cyber risk management focuses on the internal and external vulnerabilities present within the organization, rather than just the external threats themselves. Monitoring and managing cyber risks proactively ensure the integrity and resilience of an organization’s infrastructure against sophisticated cyber threats.
BN: Can you expand on the types of risk that business leaders should be keeping in mind? What are the most overlooked types of risk?
RW: Vulnerabilities and security posture gaps in an organization's infrastructure represent significant cyber risks, making them more susceptible to cyber-attacks. Some overlooked areas of risk include:
- Unprotected Assets: One critical vulnerability is having assets without endpoint security agents. Endpoint devices (like laptops and servers) without proper security software are open doors for cybercriminals. Ensuring all assets are equipped with up-to-date antivirus software, firewalls, and intrusion detection systems is fundamental.
- Misconfigured Security Tools and Systems: Misconfiguration of security tools, cloud services, and network devices can inadvertently expose sensitive information or create entry points for attackers. Regular audits and configuration management processes are essential to prevent such vulnerabilities.
- Outdated Software and Systems: Failing to apply patches and updates leads to vulnerabilities that attackers can exploit. Regularly updating software and hardware is crucial to protect against known vulnerabilities.
- Weak Authentication Procedures: Overlooking the importance of strong authentication mechanisms, such as multi-factor authentication (MFA), leaves systems vulnerable to unauthorized access. Implementing robust authentication processes is vital for securing access points.
- Poor Asset Management: Failing to maintain an accurate inventory of hardware, software, and data assets can lead to security gaps. Understanding what needs to be protected is the first step in risk management.
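The first and last items in that list (assets without an endpoint agent, and an inventory that does not match reality) are the kind of gap a short reconciliation script finds. The following is an added example, not code from the article or from Critical Start: it joins a constructed CMDB export against constructed EDR check-in and patch-management exports, normalizes hostnames so the three sources actually match, and reports hosts with no agent, hosts whose agent has gone silent, hosts with a critical patch backlog, and agents reporting from machines the inventory has never heard of. The 14-day staleness window, the field names and every record are assumptions chosen for illustration.

```python
"""Reconcile an asset inventory against endpoint-agent check-ins and patch data.

Added example (not from the article or Critical Start); every record below is
constructed sample data, and the staleness window is an assumption.
"""
from datetime import datetime, timedelta, timezone

AGENT_STALE_AFTER = timedelta(days=14)  # assumption: an agent silent this long counts as missing
PATCH_BACKLOG_LIMIT = 0                 # assumption: any pending critical patch is a gap


def normalize_host(name: str) -> str:
    """Lower-case and drop the domain suffix so 'WEB01.corp.example' matches 'web01'.

    The CMDB, the EDR console and the patch system rarely spell a hostname the
    same way, and that disagreement is how assets silently fall out of coverage.
    """
    return name.strip().lower().split(".")[0]


# --- constructed sample exports ---------------------------------------------
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock for a reproducible run
INVENTORY = [  # CMDB export
    {"host": "WEB01.corp.example", "owner": "platform", "critical": True},
    {"host": "db01.corp.example", "owner": "data", "critical": True},
    {"host": "hr-laptop-07", "owner": "hr", "critical": False},
    {"host": "build-runner-3", "owner": "eng", "critical": False},
]
AGENT_CHECKINS = {  # EDR console: last time each agent phoned home
    "web01": NOW - timedelta(hours=2),
    "db01.corp.example": NOW - timedelta(days=40),  # installed, but silent for weeks
    "HR-LAPTOP-07": NOW - timedelta(days=1),
    "shadow-vm-9": NOW - timedelta(hours=1),        # reporting, yet absent from the CMDB
}
PENDING_CRITICAL_PATCHES = {  # patch-management export: host -> count outstanding
    "web01": 3,
    "hr-laptop-07": 0,
    "build-runner-3": 1,
}


def find_coverage_gaps(inventory, checkins, pending_patches, now=NOW):
    """Return the overlooked-risk categories as lists of normalized hostnames."""
    known = {normalize_host(a["host"]): a for a in inventory}
    agents = {normalize_host(h): seen for h, seen in checkins.items()}
    patches = {normalize_host(h): n for h, n in pending_patches.items()}
    gaps = {"no_agent": [], "stale_agent": [], "unpatched": [], "unknown_asset": []}
    for host in known:
        seen = agents.get(host)
        if seen is None:
            gaps["no_agent"].append(host)
        elif now - seen > AGENT_STALE_AFTER:
            # An installed agent that never reports protects nothing.
            gaps["stale_agent"].append(host)
        if patches.get(host, 0) > PATCH_BACKLOG_LIMIT:
            gaps["unpatched"].append(host)
    # Agents with no inventory record are a gap too: nobody owns that machine.
    gaps["unknown_asset"] = sorted(set(agents) - set(known))
    return gaps


def critical_first(gaps, inventory):
    """Order each gap list so business-critical assets come first, then by name."""
    crit = {normalize_host(a["host"]): a["critical"] for a in inventory}
    return {k: sorted(v, key=lambda h: (not crit.get(h, False), h)) for k, v in gaps.items()}


if __name__ == "__main__":
    report = critical_first(
        find_coverage_gaps(INVENTORY, AGENT_CHECKINS, PENDING_CRITICAL_PATCHES), INVENTORY
    )
    for category, hosts in report.items():
        print(f"{category:14s} {', '.join(hosts) or '-'}")
```

Run on the sample data, the script reports build-runner-3 with no agent, db01 with a stale agent, web01 and build-runner-3 with a patch backlog (the critical server listed first), and shadow-vm-9 as an agent with no inventory record. Feeding real exports into the same functions only requires matching the field names.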
BN: Why is it important for businesses to move to cyber risk mitigation rather than threat protection?
RW: While threat protection focuses on defending against known threats, cyber risk mitigation encompasses a holistic strategy that includes identifying, assessing, and prioritizing risks to implement comprehensive security measures. This shift is important because it acknowledges that not all threats can be prevented. Cyber risk mitigation aims to reduce the likelihood of a threat materializing and mitigate the potential impact of attacks should an incident occur, by identifying vulnerabilities in an organization's infrastructure before they can be exploited by adversaries. This approach is more adaptive and forward-thinking, allowing risks to be prioritized based on their potential impact on the business and facilitating the implementation of the appropriate security controls to mitigate those risks.
BN: Could attacks from threat groups like those above have been prevented if risk identifying measures had been in place?
RW: While it's challenging to guarantee the prevention of all cyber-attacks, having a comprehensive cyber risk management strategy in place significantly increases an organization's resiliency to attacks from organized groups and helps prevent incidents.
For example, a risk assessment could identify unprotected endpoints that could be used by any attack group as an initial breach point, where additional vulnerabilities could be exploited to move laterally and exfiltrate information.
BN: What consequences could an organization suffer if they fail to mitigate against cyber risk?
RW: Just as a threat can have a devastating impact on an organization, so can failing to mitigate cyber risk, including:
- Financial losses due to operational disruption, ransom payments, and remediation costs.
- Reputational damage that can erode customer trust and affect business relationships.
- Legal and regulatory penalties for failing to protect sensitive information.
- Operational disruptions that can halt business processes and services.
- Intellectual property theft that leads to competitive disadvantages.
BN: What are the most important steps when it comes to mitigating cyber risk?
RW: Mitigating cyber risk is a complex process that requires a comprehensive strategy, integrating various types of information and action plans. Based on the critical components of a cyber risk management strategy, the most important steps in mitigating cyber risk include:
- Conducting Comprehensive Cyber Risk Assessments: Start by gathering qualitative security information through cyber risk assessments. These assessments, often questionnaire-based, should cover controls, policies, asset inventory, threat and vulnerability management, business continuity, and user awareness training. This step is crucial for identifying the current state of cybersecurity posture and understanding the landscape of potential risks.
- Incorporating Quantitative Security Information: Evaluate the underlying IT source systems, data, and logs to evidence technical controls. This quantitative analysis helps in assessing the actual impact of identified risks, complementing the qualitative insights with hard data on asset inventory, threat and vulnerability management, and more. It's important to remember that quantitative information is technical and does not replace the need for qualitative assessments but rather enhances the understanding of cyber risks.
- Understanding the Context of Identified Risks: It's essential to contextualize the security information by understanding where the risk sits within the business, the processes it impacts, and the criticality of the affected assets. Contextualizing risks allows for more targeted risk management efforts and ensures that mitigation strategies are aligned with business priorities.
- Prioritizing Risks and Actions: Utilize an engine or framework for ranking identified risks to determine which should be addressed first. This ranking should consider factors such as the probability of occurrence, potential impact, required level of effort to mitigate, and financial implications. Prioritization helps in efficiently allocating resources to areas where they are needed most.
- Managing the Lifecycle of Cyber Risks: After risks are identified and prioritized, it’s important to manage their lifecycle through mitigation. This involves assigning owners to each risk, setting deadlines, and tracking the status of mitigation efforts. A structured approach to lifecycle management ensures that risks are not only identified but also effectively addressed in a timely manner.
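The five steps above describe a risk register: qualitative inputs (probability, impact), quantitative evidence, business context (asset criticality), a ranking that weighs probability, impact, effort and financial exposure, and lifecycle tracking with owners and deadlines. The following is an added example, not Critical Start's engine or the interviewee's method, that carries one constructed register through all five steps. The 1-5 scales, the exposure-per-effort ranking formula, the status names and every register entry are assumptions chosen for illustration; a real program would tune the weights to its own risk appetite.

```python
"""Score, rank and track a cyber-risk register.

Added example, not Critical Start's product or the article's own method; the
scales, the ranking formula and the register entries are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Risk:
    rid: str
    title: str
    probability: int        # 1 (rare) .. 5 (almost certain)   qualitative input
    impact: int             # 1 (negligible) .. 5 (severe)      qualitative input
    asset_criticality: int  # 1..3, from the business-context step
    effort_days: float      # estimated remediation effort
    est_loss: float         # financial exposure if the risk is realized
    evidence: str = ""      # quantitative backing: the log, scan or config that proves it
    owner: Optional[str] = None
    due: Optional[date] = None
    status: str = "open"    # open -> in_progress -> mitigated | accepted


def exposure(r: Risk) -> int:
    """Probability x impact, scaled by criticality of the affected asset."""
    return r.probability * r.impact * r.asset_criticality


def priority(r: Risk) -> float:
    """Exposure per day of effort, so a cheap fix to a big risk floats to the top.

    Effort is floored at one day so a trivially small estimate cannot inflate the score.
    """
    return exposure(r) / max(r.effort_days, 1.0)


def rank(register):
    """Highest priority first; ties broken by financial exposure, then by id."""
    return sorted(register, key=lambda r: (-priority(r), -r.est_loss, r.rid))


def _as_date(d) -> date:
    return date.fromisoformat(d) if isinstance(d, str) else d


def assign(r: Risk, owner: str, due) -> Risk:
    """Lifecycle step: give the risk an owner and a deadline (date or ISO string)."""
    r.owner, r.due, r.status = owner, _as_date(due), "in_progress"
    return r


def overdue(register, today):
    """Ids of unresolved risks past their deadline; mitigated/accepted never count."""
    today = _as_date(today)
    return [r.rid for r in register
            if r.status in ("open", "in_progress") and r.due is not None and r.due < today]


def status_summary(register):
    """Count of risks per lifecycle state, for the tracking report."""
    counts = {}
    for r in register:
        counts[r.status] = counts.get(r.status, 0) + 1
    return counts


# Constructed register; the figures are illustrative, not benchmarks.
REGISTER = [
    Risk("R1", "Servers without endpoint agent", 4, 5, 3, 5, 2_000_000,
         evidence="12 CMDB hosts absent from EDR console"),
    Risk("R2", "Admin portal reachable without MFA", 5, 5, 3, 3, 1_500_000,
         evidence="IdP policy export shows MFA optional for admin role"),
    Risk("R3", "Public object-storage bucket", 3, 4, 2, 1, 500_000,
         evidence="cloud config scan: bucket ACL allows anonymous read"),
    Risk("R4", "Unpatched legacy ERP", 4, 5, 3, 40, 3_000_000,
         evidence="vuln scan: 9 critical findings, vendor end-of-life"),
]

if __name__ == "__main__":
    for r in rank(REGISTER):
        print(f"{r.rid} priority={priority(r):5.1f} exposure={exposure(r):3d} {r.title}")
```

On the sample register the ordering comes out R2, R3, R1, R4: the missing-MFA portal and the open bucket rank above the agentless servers because they carry comparable exposure for a fraction of the effort, while the legacy ERP has the largest financial exposure but sinks to the bottom because of its 40-day remediation estimate. That last case is the reason to keep `est_loss` visible in the report rather than folding it into the score: a low priority is a signal to schedule the work, not to ignore it.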
BN: Will taking a reactive approach to risk put enterprises behind their competitors?
RW: Enterprises are continuously adopting new technology to enable business. With this new technology and the movement to hybrid and cloud environments, new vulnerabilities and gaps in security posture emerge. This cyber risk can directly affect an organization's mission critical priorities. Reactive approaches to security slow down business innovation as security teams struggle to keep up with newly introduced threats with limited resources. A security program that seeks to proactively address risk can enable the organization to focus on strategic initiatives while limiting potential threats requiring response from the security team. Cyber risk management should also include peer benchmarking elements, so that an organization can articulate risk in the framework of answering questions like, 'What are our competitors doing?' or 'This type of attack hit our competitor -- are we protected?' This information fosters company-wide engagement around cyber risk mitigation aligned to business outcomes overall.
Image credit: Weerapat Wattanapichayakul/dreamstime.com