28 May

How to Conduct a Cyber Threat and Risk Analysis

Cyber attacks long ago stopped being the stuff of elaborate sci-fi movie plots, and they can no longer even be called isolated events. In 2018, cyber attacks are long-term campaigns by attackers who hone their skills every single day and use a sophisticated combination of social engineering and technical skills to infiltrate your IT network and gain access to your confidential personal and business assets. (Read why your business needs cyber security in one of our other blog posts.) Moreover, as their prowess improves, the number of tools that can prevent a cyber attack on their own decreases. One anti-malware program, no matter how good, won’t protect you and your business from nefarious actions. Now you need an entire cyber security strategy in place.

Cyber security strategies up until now were mainly focused on introducing the next detective and/or protective product, but this is no longer effective on its own. The new approach suggests an overall cyber security strategy centered on cyber resilience – identification of key business assets (especially those that could be threatened) as well as the motives and capabilities of the most likely attackers. Even if you have a limited security budget – like most small businesses do – this allows you to focus those resources, no matter how limited, on exactly the pain points that are the weakest and most probable targets, and to defend them.

To create a baseline for a threat-led cyber security strategy, you need to perform a cyber threat and risk analysis so that you can form a picture about what is currently happening in cyberspace and which methods the attackers are using. In some cases, this information can be purchased in the form of a threat intelligence feed specific to your industry or sector.

However, before you get your hands on the information, you need to assemble the right staff: people who are able to understand the info, translate it for everyone else in the company who needs to be aware of it, and act on it as part of the overall cyber security strategy. If you don’t want to create such a team in house, you can always use consultants who work alongside key individuals in the company to give you both the information and the analysis. This is an even better option for you because you get information that is not merely industry-specific but specific to your company – pertaining to the way YOU operate, the assets YOU have and how critical they are for YOUR business.

The first step in the process is to establish the likely TARGETS OF A CYBER ATTACK when it comes to your business. Since they may be very specific to your company, the process itself has to be a genuine collaboration between teams. Bear in mind that sophisticated cyber attackers infiltrate your network with a specific intent – to gain access to the data that only you have and that is especially interesting to them.

The value of such information depends on the attackers and their motives. To a nation state attacker, intellectual property is a prime target, while it may hold limited value to a hacktivist group that is targeting your business because their motivation is to cause damage to your brand and reputation. To them, a key asset might be your website content management system, which if compromised, would allow them to publish their logo on your customer-facing site.

When you compile a list of key assets, you should determine where they are stored and who has what kind of access to them. This can cause you nightmares simply because the assets of your company may be – and probably are – stored in more places than you might be aware of and prefer (for example, a server backed up to another server, exports stored on local desktops, a cloud data center out of your direct control, etc.). Moreover, the goal is to have a minimal number of people with access to your business assets, thus lowering the chances of a successful cyber attack (either through an insider attack or an outside attack via a compromised employee’s user account).

Cyber attackers – also known as THREAT ACTORS – have distinct motives and abilities to compromise the assets in their line of sight, and specific methods they use to achieve their goals. They are mainly cyber criminals, nation states, hacktivists and insiders, whose motives and abilities all differ slightly from one another. During a cyber threat and risk analysis, you will be able to determine which of these, if any, could target your industry, sector and business. These threat actors are then ranked according to their motivation, capability and likelihood of targeting your company, as well as the methods they use, assigning each a value to determine their overall threat to it.

For instance, cyber criminals are primarily motivated by profit and can be highly capable, deploying custom-made malware to penetrate your network. The assets they target will be any valuable data that can be encrypted, especially if they can also encrypt the backups. Their primary delivery method is email phishing, using social engineering techniques to trick staff into believing the email is a legitimate supplier invoice that needs to be paid, or a file attachment that needs to be opened that then encrypts the network with ransomware.

Once you have a prioritized list of key assets and the information about how and by whom they can be endangered, you need to put in place A MECHANISM OF CONTROLS – to detect, prevent and respond to possible cyber threats. It is up to the IT and information security teams to take the lead on this and compare the controls they are aware of – those already in place or planned – against the abilities and methods used by the threat actors, to identify the vulnerabilities in the processes and controls.

Some of these vulnerabilities may take the form of a lack of staff awareness training, a weakness in the backup process that means no off-site storage is used, or excessive permissions on key data. (For tips on how to make your employees care about cyber security, take a look at our infographic.)
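The steps above (score the threat actors, rank the assets by who wants them, and check the actors' methods against the controls you already have) can be captured in a small risk register. The script below is an added illustration, not part of the original post; all actors, assets, scores and controls in it are constructed sample data on a 1-5 scale.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ThreatActor:
    name: str
    motivation: int      # 1-5: how much they want what this business has
    capability: int      # 1-5: technical sophistication
    likelihood: int      # 1-5: chance they actually target this sector
    methods: frozenset   # delivery methods they are known to use
    targets: frozenset   # asset categories they go after

    def threat_score(self) -> int:
        # One value per actor, as the post describes; higher = bigger threat.
        return self.motivation * self.capability * self.likelihood

@dataclass(frozen=True)
class Asset:
    name: str
    category: str
    criticality: int     # 1-5: how much the business depends on it
    people_with_access: int

# Constructed sample data (not from any real assessment).
ACTORS = [
    ThreatActor("cyber criminals", 5, 4, 5, frozenset({"phishing", "ransomware"}), frozenset({"data", "backups"})),
    ThreatActor("hacktivists", 3, 2, 2, frozenset({"web defacement"}), frozenset({"cms"})),
    ThreatActor("nation state", 2, 5, 1, frozenset({"spear phishing", "custom malware"}), frozenset({"ip"})),
]
ASSETS = [
    Asset("customer database", "data", 5, 12),
    Asset("backup server", "backups", 4, 3),
    Asset("website CMS", "cms", 3, 6),
]
# Controls already in place, keyed by the attack method they counter.
CONTROLS = {"phishing": ["staff awareness training"], "web defacement": ["CMS patching"]}

def rank_actors(actors):
    """Threat actors ordered from biggest to smallest overall threat."""
    return sorted(actors, key=ThreatActor.threat_score, reverse=True)

def asset_risks(assets, actors):
    """Risk per asset = criticality x threat score of the strongest interested actor."""
    risks = []
    for a in assets:
        interested = [t for t in actors if a.category in t.targets]
        top = max(interested, key=ThreatActor.threat_score, default=None)
        risks.append((a.name, a.criticality * (top.threat_score() if top else 0), top.name if top else None))
    return sorted(risks, key=lambda r: r[1], reverse=True)

def control_gaps(actors, controls):
    """Attack methods used by the actors for which no control exists."""
    return sorted({m for t in actors for m in t.methods if m not in controls})

def over_shared(assets, limit):
    """Assets more people can access than the agreed limit (least-privilege check)."""
    return [a.name for a in assets if a.people_with_access > limit]
```

With the constructed data, the register puts cyber criminals first, the customer database and its backups at the top of the asset list, and flags ransomware (no off-site backup control) as a gap, matching the scenario the post describes.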

When all is said and done, a cyber threat and risk analysis should produce a list of recommendations on all the ways a business can address the identified vulnerabilities, using the threat-based assessment of the various potential threat actors, in order to be better prepared for possible cyber attacks. These recommendations should also form the basis of a cyber security framework specifically tailored to your business, one that can be used to plan the cyber security strategy and budget for the coming period.

TLDR: See which of your assets can attract attackers, who the attackers are, how they operate, and what you can do to deny them access. Then make sure they are unable to do any harm!

If you, however, find yourself unable to protect your business in cyberspace properly, we are here to lend a helping hand. Contact us today and leave your company in our capable cyber security hands.
