Devising a comprehensive strategy to protect your organisation from hackers, data breaches and other cyber security threats is complicated.
Not only do organisations need to ensure they’re protected from criminal hacking groups — which might be state-sponsored or something less sophisticated — they also need to account for the actions of their own staff.
While not every staff member plans to get involved in wrong-doing, without proper instructions and policies on how to use, store and transfer data, there’s the risk of information being mishandled, employees inadvertently giving away credentials in phishing emails and much more.
In order to protect against these threats — and if necessary, to act accordingly should they fall victim to an attack — organisations should be taking two things into account: business risk intelligence and cyber threat intelligence.
They may sound similar but there are important differences between the two and by properly applying both, an organisation can go a long way to protecting itself from cyber threats.
What is cyber threat intelligence?
Cyber threat intelligence looks outward, searching for the potential threats to which an organisation should be ready to respond.
According to a report published in association with CERT-UK, good threat intelligence can “turn unknown threats into known and mitigated threats”, in order to understand the threat landscape organisations face and improve the effectivess of their defence.
Cyber security analysts can use the data from their own internal security systems to build an understanding of the threats they face, plus feeds from vendors and other suppliers of data such as SIEM (security information and event management) tools which allow organisations to monitor their traffic and enable security teams to react to incoming threats.
That might mean turning to an outside provider for threat intelligence tools; there are companies that specialise in understanding the behaviour of cyber criminals, the long-term trends and short-term risks which might impact on particular sectors.
Cyber threat intelligence can be developed by harnessing data in the form of threat reports and known cyber attacks, and integrating all this data as an effort to predict what attacks might be coming and to prepare for them — and stop them from being a problem.
There’s also a lot which can be done by examining what can be learned from major cyber events.
Take WannaCry; the global ransomware attack is a classic example of what can happen if patching isn’t taken seriously. While the EternalBlue vulnerability which powered WannaCry’s worm-like spread was leaked in March, Microsoft soon issued a security patch for it.
However, a month later when WannaCry hit by spreading via EternalBlue, it became apparent that many organisations hadn’t applied the patch; the malware went on to infect over 200,000 systems, causing chaos for many businesses.
The lesson here was clear; patching your systems will protect you from many threats even if it is costly and often inconvenient — although it’s clear that not everyone has taken this on board as the EternalBlue vulnerability is still used to power attacks.
In the same vein, organisations that want to keep on top of cyber threats would do well to monitor attacks against others in the same industry — banking trojan malware campaigns, for example, often start with phishing emails designed to look legitimate. If a bank shares information that it has been targeted and other banks take that on board, that information can be used to counter falling victim to specific attacks.
There’s also a much more hands-on way of gathering cyber threat intelligence for organisations that want to be as informed as possible about potential attacks: examining activity on the dark web and other criminal forums for stolen data, or even talk of potential future attacks.
“If you can find out criminal groups are discussing your brand or executives or other assets, it might be as a result of planning attacks and that information can be very useful for preventative measures,” Ruggero Contu, research director at Gartner told ZDNet.
“They can use specialist providers, people who have a very good understanding of specific environments, including specialised government agencies,” he said. “There are also automated ways to scan the web for that as well, so enterprises can leverage these specialist services around the assets they want to be monitored to provide that.”
For Karim Toubba, CEO of Kenna Security, there’s two main things an organisation needs to consider when thinking about that risk.
“You have to understand all of the threats, what the actors are doing and all of your vulnerabilities — that’s billions of pieces of data to crunch through,” he told ZDNet.
“Then you have to understand the business systems and, if they’re attacked, what the risk is from the business perspective, because a business system that carries the lunch menu is very different from a risk perspective than the system which holds the financial crown jewels”.
What that means is that decisions have to be made about prioritising the protection of certain networks or endpoints, to ensure the most important are protected in order to ensure that if an incident occurs, the risk to the business is reduced.
“You have to galvanise teams to focus on certain behaviour and alter those which are the biggest risks,” said Toubba.
“You want to understand all the systems, applications and endpoints which are vulnerable. Once you’ve done that, you want to map it alongside what attackers are doing in the wild — that way you can get both inside and outside technical risk about what tools attackers are using,” he added.
What is business risk intelligence?
Broadly speaking, business risk intelligence (sometimes shortened to BRI) addresses the broader risks — including the digital ones — facing the business. As such, cyber risk intelligence is likely to be rolled up into a broader business risk intelligence project. While cyber threat intelligence is mostly going to be of interest to a chief information security officer (CISO) or CIO, the impact of business risk intelligence is likely to be felt across the executive suite from the CFO to the CEO.
It isn’t just about technical systems, it covers the broader risks to the organisation as well, which could range from insider threats to the physical security of executives and staff, or the risk of engaging with third-party vendors in the supply chain, or even looking at the risk around M&A deals.
For example, real-world activism — take protesters chaining themselves to fences, for example — can cause a disruption of productivity or even cause a business to be shut down. If an organisation knows that a protest like this is going to take place, they can alter business operations to ensure employee safety.
Communicating the broader implications of security weaknesses is the key here.
“A major challenge in bridging this gap is that cyber threats mean different things to different parts of the business. The implications of specific threats or non-compliant activities can be unclear to senior management,” Rashmi Knowles, EMEA CTO for RSA Security told ZDNet.
“As a result, if the link between a cyber threat and its ramifications are not clear, the risks to the wider business are lost. If this is to change, security professionals need to translate cyber threats into business risks and this is where business risk intelligence takes centre stage, presenting each part of the business with information in the appropriate lexicon,” she added.
Put simply, those responsible for securing the business should be told the potential implications of a security failure, so the consequences of not acting are properly understood.
“This means telling them not what the threat is but rather what assets are at risk and how their business activities could be impacted, what is the likelihood and ultimately the consequences,” said Knowles.
Innovations such as the Internet of Things will also mean that cyber risks and business risks merge.
“Alongside the convergence of activities and systems, with IoT there’s all sorts of expansion, the perimeter also disappears,” says Gartner’s Contu.
With this, business risk is fast becoming the responsibility of the whole organisation, not just a small dedicated section of the organisation.
“Organisations need to take a business-driven security approach, which encourages all stakeholders to be engaged in the risk conversation, identifying what matters most to them, so threats can be tackled in a way that safeguards what’s most important — whether that’s customer data, intellectual property or another business-critical asset,” said Knowles.
IT, security, application builders, developers, DevOps operations and more: all of these parts of the organisation need to be thinking about business risk on a day-to-day basis — and what they need to think about is constantly changing.
“That’s a critical part of thinking about a risk-based model: it’s not static, it’s not something you have consultants looking at; it should be instrumented and refined over time and changing depending on what you see,” said Toubba, who adds how information on cyber threats should also be continually updated in this way.
“When you think about what attackers are doing, if you can build and continuously update a model of it, you can learn from that and build a predictive model. Think of it like an early warning system, like for the weather,” he explained.
“It allows organisations not just to be reactive, but to be more proactive in future when thinking about cyber risk and business risk”.
READ MORE ON CYBER SECURITY