Despite economic setbacks affecting companies and individuals across the board this year, the Enterprise Strategy Group reports that 65% of businesses plan to ramp up spending on cybersecurity.
There is a laundry list of reasons behind the push for more cybersecurity.
To start, every business is vulnerable to cyber threats.
This has always been the case, but with the number of successful attacks at an all-time high, more and more organizations are taking the threat seriously.
Despite this, a report from Mandiant shows that 67% of companies believe their leadership does not appreciate the full scope of cyber threats.
Sadly, this appraisal appears to be correct.
Cyberattacks are more dangerous than ever, and the only ones who seem to know it are the cybersecurity experts and those who have already been hit.
If this is correct, it means that 67% of organizations are making decisions ignorant of an active threat.
In light of the data on recent cyberattacks, this is like playing soccer on a minefield.
According to Forbes, the average downtime from a ransomware attack in 2022 was 21 days.
Ransomware attacks alone cost businesses a rough total of $456.8 million in that same year.
That's a 40% drop from the number of ransomware attacks in 2021.
That means ransomware alone is strong enough to take a 40% hit and still take in hundreds of billions.
There is little doubt that the tactic will regain strength over the next few years.
According to the Ponemon Institute, data security threats from insiders increased by 44% in 2022.
While it's true that not all insider threats are malicious in nature, they can still be costly.
The Ponemon Institute further asserts that these same insider threats, malicious or not, have cost businesses as much as $15.4 million in total.
What’s more, it takes an average of 85 days to contain these kinds of incidents.
Finally, the experts say there is reason for companies to be more vigilant in their dealings with vendors.
It’s recommended that businesses expect more transparency from their vendor partners, especially as vendors push for more automation in their regular functions.
In July 2023, the Cybersecurity & Infrastructure Security Agency (CISA) gave its report on 121 Risk and Vulnerability Assessments across key infrastructure sectors.
They recommended several mitigation actions against these threats for the remainder of the current fiscal year, which include malware, banking scams, and Barracuda email backdoors.
As usual, these are only the latest and most novel threats.
Precautions for persistent and longstanding threats should always be in place.
However, the rationale for risk management in cybersecurity remains compelling no matter what new threat CISA and similar agencies warn us about.
The fact is that cybersecurity is an ongoing arms race in which attackers and defenders are constantly out-doing each other.
This fact has been known, or at least suspected, since the birth of cryptography.
Cryptography is the use of ciphers and codes to protect information.
In the early days of modern cryptography, during World War I, the technology was relatively primitive compared to today's IT.
Nevertheless, the codes were extremely complex.
However, no matter how complex the code was, it was only a matter of time before it was cracked and the information was decoded and compromised.
In today's world of cybersecurity, the case is the same as it was back then.
The only difference is that machines are much better able to help us make our codes and ciphers more complex and able to run faster.
During WWI, it was all about the intelligence of the decoding teams versus the intelligence of the decoding teams.
Today, it's about the ingenuity of the hackers and defenders, plus the computational power of their machines.
In short, there is no cybersecurity tool, no anti-malware program, and no network security system that can defend against a strong enough hacker forever.
As it happens, this is the reason cybersecurity insurance sales are on the rise.
But it is also the reason why cybersecurity risk management is so important.
“Cybersecurity risk management practices are necessary tools for any organization,” Security Magazine wrote in 2014. “Still, there is no one-size-fits-all answer."
Back then, they were a lone voice in the wilderness.
Today, more leaders are taking notice of the need for these practices.
According to CISA, the most commonly attacked party types are:
Vendors, designers, and developers are advised to follow a secure software development framework, prioritize secure-by-design configurations, and make sure that published common vulnerabilities and exposures are covered by the correct number of common weakness enumerations.
End-user organizations represent the vast majority of at-risk businesses.
For them, CISA asks that patches be made to computing systems in a timely fashion and that endpoint detection tools be used.
Finally, they advise all end-user organizations to consult their software providers about "secure by design" programs.
In cybersecurity, a vulnerability is defined as a weakness that may be exploited by a malicious person.
The most common vulnerability for individuals, businesses, and government organizations is unpatched software.
As every computer user knows, the teams behind almost any operating system (OS) will send out regular updates.
They optimize operating systems to be rather aggressive when it comes to pushing these software updates out.
In some cases, these updates include coding that is designed for the benefit of the vendor of the OS and not the end-user.
However, in almost every single OS update, there will be a hefty dose of the latest answers to the latest threats such as viruses and other malware.
The reason they do this is largely about reputation management.
You can be sure that if the major software companies could compel users to buy new operating systems every time malware took hold, they would.
But, companies like Microsoft decided long ago that it is in their best interest to persistently write code into software updates that immunize user systems against the latest threats.
As stated, software updates can be intrusive and annoying.
But, out-of-date operating systems are the number one vulnerability across all categories.
Because unpatched software is the biggest weakness that attackers exploit, making it a policy to update systems when prompted to by the vendor is a good first step toward effective risk management.
According to Crowdstrike.com, the remaining top vulnerabilities are:
After neglected software updating, misconfigurations are the most significant threat to cybersecurity.
The reason this problem is so pervasive is the fact that there are far more settings to understand and set correctly compared to an automated software update.
Most of the network configuration settings need to be done manually.
This means that to do it correctly usually takes the hand of an expert, making this the first threat vector on our list that comes with an investment barrier.
The next most common cybersecurity threat vector is unsecured or improperly secured APIs.
These are application programming interfaces that let programs share information with each other.
Naturally, this means that their tendency to share information can be exploited.
All a hacker has to do is get his or her own program to ask the API for network information in the proper way.
The way to guard against this is to require the API to receive some form of credential before it will communicate.
This brings us to zero-day vulnerabilities.
These are security flaws discovered by bad actors that are not known to the vendor of the program.
In other words, even if you get that Windows update on time, it will not be able to close zero-day security gaps.
Defending against these takes both strong protection tech and a coordinated response plan after an attack is detected.
In corporate settings where many employees hold network credentials, this is a massive problem.
These weaknesses can be broken through "brute force," meaning the attacker simply tries different combinations until one works.
They can also be defeated through cultural attacks, which are when a bad actor tricks an employee into giving away passwords or effective clues as to what a password may be.
Large companies often give access to a larger number of individuals than is needed.
This amplifies the risk that a credential-holding person will use the access to cause damage to the company.
This weakness can be solved by using a principle of least privilege access model.
This automated protocol gives authorized users access only to the things they need to do their jobs and no more.
To work safely, cloud networks must adhere to the shared responsibility model.
When cloud services are used, the cloud server(s) are responsible for much of the security needs of their clients.
This means that the level of security implemented by your cloud computing service provider equals your level of security.
This is handled by working only with the most secure cloud computing vendors available, and by holding them responsible when they fail.
Up to this point, we've cited examples of what cyber risk management is not.
Namely, it is not failing to attend to the vulnerabilities mentioned above.
But our list of top cybersecurity sins is not comprehensive.
Cyber risk management is comprehensive, and that is an important part of what it means.
It means to do as thorough and complete a job of reducing and mitigating the risk of cyber threats as possible.
So, what does this look like?
For a start, fulsome cyber risk management looks like a company that has covered all the vulnerabilities discussed above.
That is an excellent place to start.
"Cybersecurity risk management is the process of identifying, prioritizing, managing, and monitoring risks to information networks and systems,” according to IBM.com. "Companies across industries use cyber risk management to protect data systems from cyberattacks and other digital and physical threats."
The key difference between cyber risk management and ordinary cybersecurity is the level of comprehensive threat mitigation and the size of the organization seeking to protect its digital assets.
Further, it means using a methodical approach that is well-established and accepted by data security experts.
Let's take a look at that approach.
Most organizations have similar vulnerabilities.
Although, your unique business model, the size of your company, client types, and holdings all affect the scope and nature of your risk.
Once organizationally specific risks are identified, quantified, and measured, they can then be guarded against strategically, prioritizing the most likely and potentially sensitive targets first and foremost.
In the response phase, we put our cybersecurity triage into effect, applying protective measures where needed, and engaging with the appropriate experts to carry out expertise-intensive security functions.
Finally, we persistently monitor the system for known threats, and we may repeat the process each business quarter, or as the company scales up its data assets.
Cybersecurity risk management means doing cybersecurity in a way that is on par with the scope, needs, and unique structure of your organization.
It means using and applying the proper hardware and software.
It also means having a corporate culture of security awareness to guard against cultural attacks.
Finally, cyber risk management means engaging with the right experts to integrate advanced security systems, adjust API settings correctly, and ensure your cybersecurity plan and tools are up to the task of protecting your mission-critical data.
To learn more about how we can help, get in touch today.