Cyber security is now a board-level risk across the entire spread of industry. However, it is a broad subject with a large number of unknowns, and some might say there's no real way to ever discover or quantify those unknowns.
Unfortunately, this can result in cyber security being poorly understood
and boards vulnerable to being misled by ‘snake-oil’ solutions.
Cyber security is a complex discipline because it straddles the technical and non-technical worlds: malicious individuals are making decisions and using complex technological systems.
In that sense, it is very similar to other forms of analysis we perform in business:
- Someone working in mergers and acquisitions inquires about the objectives of their soon-to-be business partners, perhaps even considering their individual motivations, and seeks to identify any regulatory complications or personal circumstances that might slow down the process.
- A product development executive researches the attitude of the public to the problem their new widget helps solve, and would use this to guide the design and function of a set of complex parts that make up that widget.
- A lawyer gathers all the available information on its clients' position but also puts themselves in the shoes of their opponent to try to work out where actions are or aren't supported by legal stature.
I've been reading 'The Art of War
,' and ancient advice that still rings true are the concepts of 'picking your fights' and 'knowing your enemy.'
While it might seem that this is impossible in the cyber security world – organisations being attacked are rarely on the offensive. You can at least try to qualify what you know about those who might want to do you harm, and pick your best defences accordingly.
There's a common trend amongst the management consulting set for surveys that report on respondent's perception of significant threats to their organisation's information. Some of them have noted a recent perceived trend that the combined threat from external attackers, such as criminal syndicates, state-sponsored actors, hacktivists and 'lone wolfs,' is now more significant than any other threats.
It's a reversal from the common narrative of the 'insider threat,' and I don't agree with it.
I struggle to think of an example of a business that would be an attractive target for all of these four ‘threat actors’:
- Criminal syndicates – operating essentially as a business – are very careful in choosing their targets. They ultimately look for a good return on investment (good, old-fashioned vendettas aside)
- State-sponsored hackers are similarly careful in choosing their targets, considering the potential geopolitical consequences (an oft-quoted rule of thumb in central government is that the systems that manage day-to-day citizen life must have no practical use to the attackers, or that they have already been compromised)
- Hacktivists are a complicated bunch, and will support anything from an anti-Government protest to accidentally DDoSing a children's hospital. They are also very reactive and quick to action. If you're doing something that's considered morally or politically sensitive, you might find yourself a target
- The 'lone wolf' hacker is the most unpredictable but it's also worth remembering that they are often personally exposed as a result of their attack. Individuals find it very hard to launder large amounts of money or trade on stolen intellectual property
I think it is counter-productive and frankly bad advice to 'combine' these threats, especially if it comes at a detriment to considering the employee insider threat.
Personally, I would suggest that most organisations who are still trying to make sense of their cyber risk exposure can focus their attention on one of two of these 'external attackers' and receive a significant decrease in their risk exposure.
I'll say it again: cyber security is a complex problem, but that doesn't mean we should overreact. Otherwise, we’re no better than snake-oil salesmen.
Here are my three priority suggestions for boards to start considering their cyber threat model for the business:
1. Look at your information and technology assets, not only from a position of what value they provide to your business but also what value an attacker might see in them.
2. Consider the attackers as ‘threat actors,’ as they might consider attacking your business. Cast the 'net' widely, and invite people from all over your organisation to input.
3. Qualify the threat posed by these groups, and prioritise your defences accordingly. You could start by considering their aims, their inherent capabilities and the specific Tools, Techniques and Procedures (TTPs) they might use.
About the Author: Chris Gunner works as a security consultant for one the of the ‘Big Four’ professional services firms, specialising in cyber security strategy, governance and policy in the finance sector. Starting life as an astrophysicist, he soon got his head out of the stars and into some real work. Chris holds a CISM and ISO27001 Lead Implementer and Auditor. and has consulted in the UK public sector, for supply-side energy clients, and retail / private banking.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
Title image courtesy of ShutterStock