Cyber-attacks against organisations continue to be prevalent over the last few years and while there is no shortage of such awareness as reported daily by the global media, cybercrime and its associated multidimensional effects are costing organisations millions of dollars per year in Incident Management activities and cyber-resilience capacity building. Cybercrime is a Global Security problem and continues to be listed in Global Threat Reports like the World Economic Forum (WEF) The Global Risks Report – 2021 & 2022. This implies the need for Global to National to Local Cybersecurity Strategies in the cyber-defence against cybercrime.
Justifiably, no business is safe, and reducing business exposure is very important. The script for compromised and breached businesses are almost always the same and that is, vulnerabilities in the organisation’s governance structures affect its people, process, technology, and service – thereby affecting businesses’ cyber-resilience capacity.
When one talks about reducing organisation’s exposure in the security (cyber) sense, it really refers to reducing the administrative, technical, and physical surface areas (also known as attack surfaces) where an organisation can be attacked by a cyber-criminal – placing data and other critical assets at risk – affecting their confidentiality, integrity, availability, and safety. In essence, the organisation must understand its operating industry’s Threat Landscape which may comprise the following: Email threats, Ransomware attacks, Supply Chain threats, Exploitation of vulnerabilities of applications, databases, networks, etc., just to name a few.
For businesses to improve and develop higher security operating postures in the cyber-defence of assets, the vulnerability profile of assets must be known through risk management activities, where cyber-threats can be appropriately risk-treated by the implementation of risk-based security controls in the administrative, technical and physical domains of the business. The inability to do so could mean cyber-criminals gaining entry into (compromising) the business to install a device(s) and or software, encrypting, damaging, and or exfiltrating data for financial gain (ransom). In fact, in the latter half of 2021 and more so in 2022, cyber-criminals started the criminal profile of shaming businesses to cause reputational and other forms of organisational damages when the ransom is not paid – especially in heavily regulated or high-profile industries. These are some of the well-known activities of cyber-criminals.
The first venture for a business in the application of securing and protecting its assets is to implement a Risk-based Cybersecurity Asset Management Program, where the discovery of all assets is one of its major activities. This employs prodigious collaborative efforts at all levels of the organisation to gather, identify and document all assets that can be at risk due to threats that can cause organisational damages. The asset can be classified as organisational, people, process, technology, and service. It must be noted for the program to be risk-based; all activities are led by a comprehensive Automated Cyber & IT Risk Management Program (C/ITRMP).
Secondly, once all assets have been discovered and classified, the risk impact on the business should be well understood and known by all stakeholders. This clarity can only be gained by understanding each asset’s vulnerability profile and associated threats pertaining to the operating industry – attained from threat intelligence reports. Reaffirming, all derivatives from the C/ITRMP.
Lastly, knowing the risks to your business implies a great level of understanding of your attack surfaces for risk management. Explaining carefully, the controls put in place to reduce cyber-risks can be more of cybersecurity awareness training; designing and implementing effective and efficient policies; frequent penetration testing on applications and networking infrastructures; red team ethical hacking on the organisation, people, process, and service; certified training of personnel, etc.
Cybersecurity is an Organisation Strategy owned and operated by the executive teams and it is not an IT Strategy IT is responsible for.
In conclusion, once the organisation understands its assets’ vulnerability profile, it will be in a better position (risk-aware) to strategically secure and protect those assets (the organisation, its people, process, technology, and service) from cyber threats due to its high operating security posture. This optimised security maturity level also implies that the organization will have a high cyber resilience against sophisticated cyber-attacks from cyber-criminals, due to the institution of risk-based security controls operating at high capabilities levels.
The following article was also published in Barbados Today – #BTColumn – Preventing data breaches: Managing organisations’ cyber assets – Barbados Today