Cyber risks: a comprehensive guide and strategies for resilience
The latest cybercrime statistics are what CIO nightmares are made of. According to Accenture’s latest State of Cybersecurity Resilience report, there were on average 270 attacks involving unauthorized access of data, applications, services, networks, or devices per company in 2021. This means an increase of 31% compared to the previous year.
Ransomware attacks dominated the cybersecurity headlines, which isn’t all that surprising, given that one of them escalated into a threat to the national security of the United States.
A quick recap: in May 2021, Colonial Pipeline fell victim to a ransomware heist that started with an exposed VPN password and ended in gasoline shortages across the East Coast and President Joe Biden declaring a state of emergency. And that was after DarkSide, the hacking group behind the fiasco, successfully extorted $4.4 million from the company.
No wonder that discussions about cybersecurity risks are now making their way into boardrooms all over the world. Digging through more than 500 companies’ 2020 earnings reports, Accenture saw a surge in legal (23%), economic (16%), and internal (10%) discussions on cybersecurity consequences in comparison with 2019.
In this article, we’ll take a deep dive into what type of cyber risks to look out for in 2023, how to tell if you’re exposed, and what tools and best practices can help you build resilience against data breaches.
What is a cyber risk? Definition and what it means for you
The National Institute of Standards and Technology at the US Department of Commerce, or NIST, defines risk in information security as the “risk of financial loss, operational disruption, or damage, from the failure of the digital technologies employed for informational and/or operational functions introduced to a manufacturing system via electronic means from the unauthorized access, use, disclosure, disruption, modification, or destruction of the manufacturing system.”
In other words, it’s a risk inherent in our dependency on systems and resources that exist in or are connected to cyberspace – which means two things.
First, no one’s immune to it. The rise of cloud adoption, mobile technologies, WFH and BYOD initiatives as well as third-party solutions and software-as-a-service have opened the floodgates for new and evolved cybersecurity risks. Second, the answer to the question “Who should be responsible within an enterprise to manage cybersecurity risks?” should be a resounding “everyone”, in and outside of the IT department.
Threat, vulnerability and more: the key components of cybersecurity risk
You can’t fend off risks you don’t know about. A comprehensive risk analysis will not only provide you with a holistic view of your organization’s privacy and security risk exposure but also allow you to better prioritize risk mitigation efforts and focus resources on protecting high-value assets. The so-called TVC (Threat, Vulnerability and Consequence) method is a reliable, framework-agnostic way to identify, calculate, and mitigate security risks based on the evaluation of threat sources and events, the level and likelihood of asset vulnerability, and the impact of potential asset loss.
In the first step, threat identification, a set of security scenarios is defined. This is followed by consequence assessment, where the losses that might occur in each scenario are calculated, then likelihood assessment, where the probability of the identified scenarios coming to fruition is estimated. Step four is vulnerability assessment, which aims to determine the probability of all defense measures failing in the security scenarios examined and the attack being carried out successfully. Risk emerges at the intersection of these components, meaning: risk = threat + consequence + vulnerability.
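The four-step TVC procedure above can be carried as a small risk register. The following is an added example written for this article, not a tool or method published by the article’s author or by Tresorit: it assumes a 1–5 score for each component, scores each scenario with the additive formula the article states (risk = threat + consequence + vulnerability), and ranks the scenarios so that mitigation effort goes to the highest-scoring ones first. The scenarios, scores and triage thresholds are constructed for illustration.

```python
from dataclasses import dataclass

# Scoring scale used for every component (an assumption of this example,
# not something the article prescribes): 1 = very low ... 5 = very high.
SCALE_MIN, SCALE_MAX = 1, 5


@dataclass(frozen=True)
class Scenario:
    """One security scenario from step one (threat identification)."""
    name: str
    threat: int         # likelihood that the threat event occurs (step 3, likelihood assessment)
    consequence: int    # loss if the scenario plays out (step 2, consequence assessment)
    vulnerability: int  # probability that all defences fail (step 4, vulnerability assessment)

    def __post_init__(self):
        # Reject scores outside the scale so a typo cannot silently dominate the ranking.
        for component in ("threat", "consequence", "vulnerability"):
            value = getattr(self, component)
            if not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(f"{component} must be within {SCALE_MIN}..{SCALE_MAX}, got {value}")


def risk_score(s: Scenario) -> int:
    """Additive TVC score exactly as the article states it: threat + consequence + vulnerability."""
    return s.threat + s.consequence + s.vulnerability


def risk_band(score: int) -> str:
    """Map a score (3..15 on this scale) to a triage band; thresholds are an assumption of this example."""
    if score >= 12:
        return "critical"
    if score >= 9:
        return "high"
    if score >= 6:
        return "medium"
    return "low"


def rank_scenarios(scenarios):
    """Return scenarios ordered from highest to lowest risk score; ties keep their input order."""
    return sorted(scenarios, key=risk_score, reverse=True)


# Constructed sample register, loosely following the risk factors the article names.
SAMPLE_REGISTER = [
    Scenario("Ransomware via exposed VPN credential", threat=4, consequence=5, vulnerability=4),
    Scenario("Phishing of remote employee on BYOD laptop", threat=5, consequence=3, vulnerability=3),
    Scenario("Exploit of unpatched public web server", threat=3, consequence=4, vulnerability=2),
    Scenario("Third-party vendor mishandles shared data", threat=2, consequence=3, vulnerability=2),
]

if __name__ == "__main__":
    for s in rank_scenarios(SAMPLE_REGISTER):
        score = risk_score(s)
        print(f"{score:2d}  {risk_band(score):8s}  {s.name}")
```

Because the article’s formula is additive, a scenario with a very low likelihood but a catastrophic consequence can still outrank a likely but harmless one; if your organization’s framework uses a multiplicative score instead, only `risk_score` needs to change and the ranking logic stays the same.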
Employees, hackers, vendors: common risk indicators and factors to consider
Determining cybersecurity key risk indicators for your organization is crucial to monitoring and controlling cyber risk. According to TechTarget, a key risk indicator (KRI) is a metric that measures “the likelihood that the combined probability of an event and its consequences will exceed the organization's risk appetite and have a profoundly negative impact on an organization's ability to be successful.” KRIs are integral to good governance because they enable organizations to keep an eye on changes in their risk profiles and predict harmful events.
Although KRIs vary widely based on company size, location, and industry, there are some common risk factors all organizations should consider: misconfigured servers and outdated software that might lead to exploits; remote and hybrid workforces and BYOD policies that create new points of access but lack extra layers of security to fight off hacking and phishing attempts; and employees, suppliers, and third-party vendors with access to critical data assets but no or insufficient training on how to safeguard them.
From DoS to MITM: the most common cyber risk sources explained
1. Malware
Malware is unwanted software that is specifically designed to disrupt, damage, or gain illegal access to your computer, network, or server after making its way into your system. The most common types of malware include Trojans, spyware, adware, and ransomware.
2. Social engineering
In these attacks, criminals con users into compromising their security by exploiting human weaknesses, such as vanity, fear, or greed, or at the other extreme, curiosity, generosity, or sympathy. Typical methods include spear phishing, spoofing, and whaling.
3. Denial-of-Service (DoS) and distributed denial-of-service (DDoS) attacks
The goal here is simple: to make a machine, service, or network inaccessible to its intended users. The difference between a DoS attack and a DDoS attack comes down to the former being a system-on-system attack and the latter involving a large number of sources.
4. Man-in-the-middle attacks
Here the attacker secretly intercepts and relays messages between a user and the application the user believes they are communicating with directly. More often than not, the information obtained in these attacks includes credit card details or login credentials.
5. Insider threats
This type of threat is especially vicious because the potential “perpetrators” have (or had at one point) every right to access your network. Think: employees, suppliers or clients who are either unaware of your company’s security rules or deliberately ignore them for financial, personal, or malicious reasons.
How to keep your risk exposure under control: 3 best practices
1. Focus on risk instead of maturity
Maturity-based cybersecurity programs, McKinsey analysts warn, are (or should be) a thing of the past. Instead of trying to monitor everything within the organization all at once and building capabilities to support these efforts, organizations should prioritize building the right controls to tackle the most significant threats that target business-critical areas.
2. Find a cybersecurity framework that works for you
There are several cybersecurity risk assessment frameworks to choose from to either get started with or improve your vulnerability management efforts.
ISO/IEC 27001, for example, provides an overarching, flexible framework for managing organizational information security risks. NIST’s cybersecurity framework provides a disciplined, structured, and adaptable process for managing security and privacy risk, from information security categorization and control selection to monitoring.
In addition, most standards, laws, and regulations that specifically mandate organizations to carry out formalized risk assessments, such as the Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA), and the Sarbanes–Oxley Act (SOX), also offer guidelines on how to complete them.
3. Always have a plan – and make sure everyone’s up to speed
Once you have a 360-degree view of your risks and assets, make sure to have a plan for how to keep them safe and recover them in case of a network security incident. Your incident response plan should not only detail instructions on how to handle information leaks, data loss, service outages, or malicious attacks, but also specify who should do what to keep the financial and reputational impact of the cybersecurity incident at bay.
It's just as important to remember that safeguarding your organization against cyber threats is not a one-person, one-function show. Employee vigilance and training on cybersecurity can make or break your entire defense strategy, no matter how bulletproof it is. Document all your relevant plans, protocols, and procedures and share them with the stakeholders in a way that creates understanding, collaboration, and buy-in among them.
Rising to the cybersecurity challenge: how Tresorit can help
An end-to-end encrypted content collaboration platform, Tresorit empowers you to:
● Make your cloud a safer place with end-to-end encryption of data
Every file and relevant metadata on our users’ devices are encrypted with randomly generated encryption keys. Accessing files is only possible with a user’s unique decryption key that no one else, not even Tresorit, has knowledge of. This means that even if our servers were breached, no one would be able to read the contents of your files.
● Stay in control of what happens to your data
Implement data protection measures while collaborating on files, including controlling who has access to what data, logging file activities, and creating internal security policies for data management. No file content can be modified without you knowing about it, thanks to cryptographic authentication applied to all encrypted data in the form of HMAC or AEAD.
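The sentence above refers to cryptographic authentication of encrypted data. The following added example, written for this article and not taken from Tresorit’s own implementation, shows the HMAC variant: an encrypt-then-MAC tag computed over a file’s ciphertext together with its metadata, and a constant-time check that fails if either was altered in storage. The key, the metadata format and the stored ciphertext are constructed for the example, and the cipher itself is out of scope, so the ciphertext is treated as opaque bytes.

```python
import hashlib
import hmac
import struct

# Constructed 32-byte MAC key. In a real system it would be derived per file from the
# user's key material; it is hard-coded here only so the example runs stand-alone.
MAC_KEY = bytes(range(32))


def _encode(*parts: bytes) -> bytes:
    """Length-prefix each part so that shifting bytes between metadata and ciphertext
    (e.g. "ab"+"c" versus "a"+"bc") can never produce the same MAC input."""
    return b"".join(struct.pack(">I", len(p)) + p for p in parts)


def seal(key: bytes, metadata: bytes, ciphertext: bytes) -> bytes:
    """Encrypt-then-MAC: HMAC-SHA256 tag over metadata and ciphertext."""
    return hmac.new(key, _encode(metadata, ciphertext), hashlib.sha256).digest()


def verify(key: bytes, metadata: bytes, ciphertext: bytes, tag: bytes) -> bool:
    """Recompute the tag and compare in constant time; False means the record was altered."""
    expected = seal(key, metadata, ciphertext)
    return hmac.compare_digest(expected, tag)


def open_record(key: bytes, metadata: bytes, ciphertext: bytes, tag: bytes) -> bytes:
    """Gatekeeper a client would call before decrypting: refuse unauthenticated data."""
    if not verify(key, metadata, ciphertext, tag):
        raise ValueError("integrity check failed: file content or metadata was modified")
    return ciphertext  # the caller would now decrypt this


# Constructed stored record: a file name plus version as metadata, and opaque ciphertext bytes.
METADATA = b"quarterly-report.xlsx|v7"
CIPHERTEXT = bytes.fromhex("9f3a7c01d4e2b58866af10c3e9d27b44")
TAG = seal(MAC_KEY, METADATA, CIPHERTEXT)


def tampered_ciphertext() -> bytes:
    """Flip a single bit in the stored ciphertext, as a silent server-side change would."""
    altered = bytearray(CIPHERTEXT)
    altered[0] ^= 0x01
    return bytes(altered)


def rolled_back_metadata() -> bytes:
    """Swap the version field, the kind of rollback a tag over content alone would miss."""
    return b"quarterly-report.xlsx|v6"


if __name__ == "__main__":
    print("intact record:        ", verify(MAC_KEY, METADATA, CIPHERTEXT, TAG))
    print("one bit flipped:      ", verify(MAC_KEY, METADATA, tampered_ciphertext(), TAG))
    print("version rolled back:  ", verify(MAC_KEY, rolled_back_metadata(), CIPHERTEXT, TAG))
```

Two design points carry over to any implementation: the tag must cover the metadata as well as the content (otherwise a stored file can be renamed or rolled back without failing the check), and the comparison must be constant-time, which is why `hmac.compare_digest` is used instead of `==`. An AEAD mode such as AES-GCM bundles the same guarantees into the cipher call itself, with the metadata passed as associated data.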
● Set up and enforce enterprise security policies in one place
Make sure that everyone on your team is on the same page when it comes to using crucial data security tools and processes. Apply policy templates, including 2-step verification, IP filtering, timeout policies, and sharing policies, to a set of users, create different policies for each template and modify these policies at any moment through a single interface.
● Keep access secure and limited
Monitor and decide which devices are allowed to access which files within the organization and from where users are allowed to log in to their company account to safeguard business-critical documents. Manage files and folders at a granular level, ensuring that they’re only accessible to those who need them, and limit file downloads or revoke access at any time.
Is Tresorit the right fit for your business?