Cybercrime will cost companies worldwide an estimated $10.5 trillion annually by 2025, up from $3 trillion in 2015. This explosive growth in cybercrime represents the greatest transfer of wealth in history. Given today’s security environment, cyber risk management is something every business needs to focus on.
Another worrying trend is popping up, too: While cybercrime attacks are growing for all businesses worldwide, increasingly criminals are targeting small and medium-sized companies, largely because it’s a target-rich environment. A full 43 percent of cyberattacks targeted small companies, but only 14 percent of those companies were able to defend themselves.
Not only does a cyberattack disrupt normal operations, it also damages important IT assets and infrastructure, and recovery can be impossible without major financial investment. In short, a cyberattack can be a company killer.
What and Where They Strike
Small businesses are struggling to defend themselves. According to Ponemon Institute’s State of Cybersecurity Report, small to medium-sized businesses around the globe are experiencing cyberattacks. The reasons include:
- Insufficient security measures: 45 percent say that their processes are ineffective at mitigating attacks.
- Frequency of attacks: 66 percent have experienced a cyberattack in the past 12 months.
- Targeting of attacks: 69 percent say that cyberattacks are becoming more targeted.
The most common types of attacks on small businesses include:
- Phishing/social engineering: 57 percent
- Compromised/stolen devices: 33 percent
- Credential theft: 30 percent
By understanding the targets and consequences of attacks, a business leader can reduce exposure, get more value from cybersecurity efforts and even prevent future attacks. For all these reasons, companies and organizations must adopt cyber risk management measures.
What Is Cyber Risk Management?
So much for the doom and gloom: Now let’s talk about how to protect your business.
Companies around the globe use cyber risk management to protect information systems from cyberattacks and other digital and physical threats. Cyber risk management has become a vital part of broader enterprise risk management efforts.
Information technology is critical to carrying out key business functions today, exposing businesses in every industry to cybercrime, employee mistakes, natural disasters and other cybersecurity threats. These threats can knock critical systems offline or wreak havoc in other ways, leading to lost revenue, stolen data, long-term reputation damage and regulatory fines.
While we know these risks cannot be eliminated, it’s clear that cyber risk management programs can help reduce the impact and cost of threats. The right risk management processes can pinpoint critical threats and select the right IT security measures based on business priorities, IT infrastructures and resource levels.
The Elements of Cyber Risk Management
It’s challenging to evaluate cyber risk with total certainty. Companies rarely have full visibility into cybercriminals’ tactics, their own network vulnerabilities or more unpredictable risks like severe weather and employee negligence.
In addition, the same kinds of cyberattacks can have different consequences at different companies. For instance, data breaches in the healthcare sector cost $10.10 million on average, whereas breaches in hospitality cost $2.9 million, according to the IBM Cost of a Data Breach report.
For these reasons, authorities such as the National Institute of Standards and Technology (NIST) suggest approaching cyber risk management as an ongoing process rather than a single event or strategy. Revisiting the process regularly allows a company to incorporate new information and respond to new developments in the broader threat landscape and in its own IT systems.
To ensure that risk decisions account for the priorities and experiences of the whole organization, the process is typically handled by a mix of stakeholders. Cyber risk management teams may include directors, executive leaders like the CEO and chief information security officer (CISO), IT and security team members, legal and HR, and representatives from other business units.
Companies can use many cyber risk management methodologies, including the NIST Cybersecurity Framework (NIST CSF) and the NIST Risk Management Framework (NIST RMF). While these methods differ slightly, they all follow a similar set of core steps. These steps include:
Risk framing: Companies align their risk management with their overall business strategy. In this step they define:
- The scope of the process.
- Asset inventory.
- Organizational priorities.
- Legal and regulatory requirements.
Together, these define the kinds of risks the company can accept and the kinds it cannot.
Risk assessment: Identify threats and vulnerabilities, estimate any potential impacts and prioritize the most critical risks.
- Threats are people or events that can disrupt a company’s IT systems, steal information or otherwise compromise network security. Examples include cyberattacks such as ransomware and phishing, employee mistakes such as storing confidential information in an unsecured location, and malicious insider behavior. Natural disasters such as earthquakes, hurricanes or wildfires can also threaten IT survival.
- Vulnerabilities are flaws or weaknesses in an IT system. Examples include a misconfigured firewall that lets malware into a network, or a bug that hackers can use to take over a device remotely. Vulnerabilities can also include lax access control, which gives people access to more confidential information than they need for their work.
- Impacts are what a threat can do to a company, including disrupting critical services, which leads to downtime and lost revenue. Hackers can steal confidential information and hold it for ransom. Impacts can extend beyond the company itself, possibly exposing customers to theft of personally identifiable information, including health information.
By weighing all these factors, an organization can build out its risk profile, and determine how it will respond to potential risks. These responses can include investing in security measures to protect the most critical assets.
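The framing and assessment steps above can be captured in a small risk register. The following is an added example, not code from the article or from BrightFlow; the threats, scores, the 1–5 scales, the treatment threshold and the rule that risks touching regulated data can never be accepted are all constructed assumptions standing in for a real organization’s framing decisions.

```python
from dataclasses import dataclass

# Risk framing (assumed): risk score = likelihood x impact on 1-5 scales.
# Scores at or above TREAT_THRESHOLD cannot be accepted. Risks that involve
# regulated data (a "legal and regulatory requirement" from framing) can never
# be accepted, whatever their score.
TREAT_THRESHOLD = 12


@dataclass(frozen=True)
class Risk:
    threat: str            # who or what can cause harm (phishing, device theft, ...)
    vulnerability: str     # the weakness the threat exploits
    asset: str             # the asset from the inventory that is affected
    likelihood: int        # 1 = rare ... 5 = expected this year
    impact: int            # 1 = negligible ... 5 = business-ending
    regulated_data: bool = False

    def __post_init__(self):
        # Reject out-of-range scores so a bad entry cannot silently rank wrong.
        for name in ("likelihood", "impact"):
            if not 1 <= getattr(self, name) <= 5:
                raise ValueError(f"{name} must be between 1 and 5")

    def score(self) -> int:
        return self.likelihood * self.impact


def decide(risk: Risk) -> str:
    """Apply the framing: 'treat' if the risk cannot be accepted, else 'accept'."""
    if risk.regulated_data or risk.score() >= TREAT_THRESHOLD:
        return "treat"
    return "accept"


def prioritize(register):
    """Risks that must be treated, highest score first; ties broken by likelihood."""
    to_treat = [r for r in register if decide(r) == "treat"]
    return sorted(to_treat, key=lambda r: (r.score(), r.likelihood), reverse=True)


# Constructed sample register using threat and vulnerability types the article names.
REGISTER = [
    Risk("phishing", "no MFA on email", "staff mailboxes", 5, 3),
    Risk("device theft", "unencrypted laptop disks", "remote-worker laptops", 3, 4,
         regulated_data=True),
    Risk("credential theft", "shared admin password", "domain controller", 3, 5),
    Risk("wildfire", "single site, no offsite backup", "on-prem file server", 1, 5),
    Risk("misconfigured firewall", "inbound RDP open", "jump host", 2, 4),
]

if __name__ == "__main__":
    for r in prioritize(REGISTER):
        print(f"{r.score():>2}  {r.threat:<22} {r.asset}")
```

The two low-score entries are accepted under this framing; the laptop-theft risk is treated despite its lower score because it involves regulated data, which is exactly the kind of decision the framing step is meant to settle in advance.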
Defining the Digital Attack Surface
A company’s attack surface is the sum of its vulnerabilities. Attack vectors are what hackers can use to gain unauthorized access to a network in order to carry out a cyberattack.
Common attack vectors in an organization’s digital attack surface include:
- Weak passwords: Passwords that are easy to guess — or easy to crack via brute-force attacks — increase the risk that cybercriminals can compromise user accounts to access the network, steal sensitive information, spread malware and otherwise damage infrastructure.
- Misconfiguration: Improperly configured network ports, channels, wireless access points, firewalls or protocols serve as entry points for hackers. Man-in-the-middle attacks, for example, take advantage of weak encryption protocols on message-passing channels to intercept communications between systems.
- Software, operating system (OS) and firmware vulnerabilities: Hackers and cybercriminals can take advantage of coding or implementation errors in third-party apps, OSs and other software or firmware to infiltrate networks, gain access to user directories or plant malware.
- Internet-facing assets: Web applications, web servers and other resources that face the public internet are inherently vulnerable to attack. For example, hackers can inject malicious code into unsecured application programming interfaces (APIs), causing them to improperly divulge or even destroy sensitive information in associated databases.
Determining the Physical Attack Surface
The physical attack surface exposes assets and information typically accessible only to employees with authorized access to the organization’s physical office or endpoint devices. These devices include servers, computers, laptops, mobile devices, IoT devices and operational hardware. Attacks can happen due to:
- Malevolent employees. Current or former employees or other users with malicious intent may use their access privileges to steal sensitive data, disable devices, plant malware or worse.
- Device theft. Bad guys can steal endpoint devices or gain access to them by breaking into an organization’s premises. Once in possession of the hardware, hackers can access data and processes stored on these devices. They may also use the device’s identity and permissions to access other network resources. Endpoints used by remote workers, employees’ personal devices and improperly discarded devices are typical targets of theft.
- Baiting. This type of attack involves hackers leaving malware-infected USB drives in public places, hoping to trick users into plugging the devices into their computers and unintentionally downloading the malware.
- Shared databases and directories. Hackers can exploit databases and directories shared between systems and devices to gain unauthorized access to sensitive resources or launch ransomware attacks.
- Outdated or obsolete devices, data or applications. Don’t fall for this oldest trick in the hackers’ arsenal. Failure to consistently apply updates and patches creates security risks. One notable example is the WannaCry ransomware, which spread by exploiting a Microsoft Windows operating system vulnerability for which a patch was available. Similarly, when obsolete endpoints, data sets, user accounts and apps are not appropriately uninstalled, deleted or discarded, they create unmonitored vulnerabilities cyber criminals can easily exploit.
- Shadow IT. This involves software, hardware or devices — free or popular apps, portable storage devices, an unsecured personal mobile device — that employees use without the IT department’s knowledge or approval. Because it’s not monitored by IT or security teams, shadow IT may introduce serious vulnerabilities for hackers to exploit.
Social Engineering Attacks
Another factor cyber risk management must take into account is social engineering. Sometimes called “human hacking,” these attacks target human weaknesses rather than technical or digital system vulnerabilities. Social engineering manipulates people into sharing information they shouldn’t share, downloading software they shouldn’t download, visiting websites they shouldn’t or making other mistakes that compromise their personal or organizational assets or security.
Phishing is the best-known and most prevalent social engineering attack vector. In a phishing attack, scammers send emails, text messages or voice messages that try to manipulate recipients into:
- Sharing sensitive information.
- Downloading malicious software.
- Transferring money or assets to the wrong people.
- Taking some other damaging action.
Scammers craft phishing messages to look or sound like they come from a trusted or credible organization or individual — a popular retailer, a government organization, or sometimes even an individual the recipient knows personally. This is the second leading cause of data breaches worldwide.
Attack Surface Management
Another element of cyber risk management, attack surface management (ASM) refers to an IT team taking a hacker’s view of an organization’s attack surfaces. With this approach, they continuously monitor the assets and vulnerabilities that hackers see and attempt to exploit when targeting an organization.
Cyber Risk Management: Can BrightDefense Help?
As you can see, there are many ways and places attackers can target your business. If all of this seems overwhelming, reach out to the BrightFlow Technologies team for help. We’re known for our cybersecurity expertise. With our BrightDefense service, we can shield your business from all cyber threats. You can rely on our multi-ingredient “secret sauce” or “cyber stack” of highly sophisticated digital tools designed to send the bad guys packing.
Don’t let cyberattacks threaten your organization or your career. Contact us to see how our BrightDefense wraps a forcefield around your resources and your data from all angles. Reach out today.