
New Study Identifies Top 5 Global Risks: Cyber Risk Index Part II

In our last installment of CRI: A New Way to Measure Risk, Security Consultant Josh Brannon introduced a new study, the Cyber Risk Index, from the Ponemon Institute and Tech Data, which set surveyed organizations’ existing security posture against their risk of attack, solving for the likelihood of a successful attack. Brannon also introduced the first major category of risk that the CRI evaluates, Data Risk. This week, Brannon explores Cyber Risk, Infrastructure Risk, Human Capital Risk, and Organization Risk, looking at what we are seeing in global trends and how each can affect your organization.

Cyber Risk

NIST defines Cyber Risk as the risk of depending on cyber resources, i.e., the risk of depending on a system or system elements which exist in or intermittently have a presence in cyberspace. This risk is measured in nearly every component of your environment and serves as a sort of catch-all. However, the most common types of cyber risk are derived from the top 5 attack types: social engineering (phishing, spear phishing, etc.), ransomware, botnets, fileless attacks, and man-in-the-middle attacks. The CRI measured how effectively organizations are implementing security controls to prevent the most common attack types, as well as the efficacy of those controls in doing what they are intended to do. In your own environment, this translates to asking yourself: What are our capabilities for detecting and stopping ransomware attacks? How well are we leveraging them? How are we mitigating ongoing phishing or social engineering attempts? How frequent are attempted social engineering attacks? How are we testing our own posture, and have we improved over time?

Infrastructure Risk

By definition, Infrastructure Risk is the potential for losses due to failures of basic services and organizational structures. Your infrastructure is the foundation on which other systems rely in order to operate properly, including all of your digital business functions. For this reason, failure at the infrastructure level can translate to major losses. Interestingly, the most common infrastructure risk is organizational misalignment and complexity. As mentioned in Part I, outdated data governance policies are often at the root of misalignment or unnecessary complexity. When your organization takes on any new data assets or processes, your infrastructure, data flows, and policies need to be realigned, as well. Otherwise, you may be putting valuable assets at risk due to ineffective systems and strategies to properly support and protect them, or properly facilitate new processes.

Most Common Causes of Infrastructure Risk

The CRI study found that the majority of infrastructure risk comes from 2 primary sources. The first is that the organization’s enabling security technologies are not sufficient to protect data assets and IT infrastructure. The second most common cause lies in visibility, where the organization’s IT security function does not have the ability to know the physical location of business-critical data assets and applications. This could be due to any number of factors, including shadow IT, lack of collaboration between IT and Security Teams, lack of authority for Security Teams to requisition information, internal disorganization, etc. The top 5 specific types of Infrastructure Risks across the globe were found to be:

    1. Organizational misalignment and complexity
    2. Cloud computing infrastructure and provider risk
    3. Negligent Insiders
    4. Shortage of qualified personnel
    5. Malicious Insiders

Human Capital Risk

The next cyber risk index we will dig into is Human Capital Risk. High-ranking internal staff or board members can directly impact your cybersecurity program, so any incongruities between groups or individuals who understand and prioritize cybersecurity, and those who do not, can put your entire program at risk. For example, if a Fortune 500 company’s C-level executives do not view IT security as a top business priority, you are not likely to get the budget and cooperation necessary to build a robust program that is capable of aptly protecting key assets. Alternatively, if an organization’s IT security leader (CISO) does not have sufficient authority and resources to achieve a strong security posture, the program is always going to struggle, increasing that organization’s risk of being successfully attacked. It is not unusual for checks and balances to be in place around spending initiatives, such as a CISO seeking final spending approval from the board of directors. However, giving that CISO the majority of the authority on how to mitigate risks can help prevent the kinds of interpersonal stalemates that often lead to Human Capital Risk.

Operation Risk

The final category explored in the CRI study is Operation Risk. Researchers found that Operation Risks are most often the result of two major contributors:

    1. An organization lacks active involvement in threat sharing with other companies and governments. This is important because a cybersecurity professional’s role is to ensure the organization they are protecting is engaged in active, bi-directional threat sharing. For example, Microsoft issues regular security updates to give admins and end users information about the threats they are working to prevent with various features and updates. Since most companies use Microsoft products to support all or some of their core operations, it is essential for users to stay abreast of ongoing threats and upcoming rollouts. If an organization’s products or services are part of supply chains, they have the same responsibility to share and help mitigate threats in an ongoing way. If they fail to inform other users in the supply chain of known risks, or to engage in threat sharing, they put other users and members in the chain at risk, as well.

    2. A second major example of Operation Risk is an IT security function that lacks security coverage of the DevOps environment. DevOps is defined by AWS as a combination of “philosophies, practices, and tools that increases an organization’s ability to deliver applications and services at high velocity: evolving and improving products at a faster pace than organizations using traditional software development and infrastructure management processes. This speed enables organizations to better serve their customers and compete more effectively in the market.” However, if CISOs are not given purview to secure the DevOps environment, vulnerabilities may be missed in the software that can put users and their systems at risk down the line. Additionally, potential threat vectors in the systems supporting DevOps may not be fully secured, allowing attackers to access and compromise all or part of the DevOps environment during the development process. Implementing security best practices and mitigating controls is best accomplished when IT security teams are given the freedom to secure DevOps as well.

Negative Outcomes of Operation Risk

Based on the findings in the CRI, organizations with persistent Operation Risk can expect to experience some degree of the Top 5 Negative Consequences of an attack:

    1. Customer turnover.
    2. Lost intellectual property (including trade secrets).
    3. Disruption or damages to critical infrastructure.
    4. Cost of outside consultants and experts.
    5. Lost revenues.

Poor North American Security Posture Points to Problems in Our Business Culture

The Cyber Risk Index measured the difference between the Cyber Preparedness Index and the Cyber Threat Index, or the divide between an organization’s current security posture and their likelihood of being attacked (Trend Micro). Looking at the difference between the 68% increase in ransomware attack rates globally between 2019 and 2020, versus a 156% increase in North America (SonicWall 2021), one has to wonder if organizations in North America are failing at a much higher rate to mitigate the 5 key risk areas defined by the CRI. Looking at the methodology utilized in this study, one sees some clear possible causes. Many of the questions centered around the struggle for internal authority over systems and decision-making, including how well CISOs are supported by their leadership, the willingness of an organization to give CISOs the budget needed to protect it, and the level of understanding and buy-in boards have in cybersecurity threats and issues. The findings are somewhat sobering for North American companies.

The sooner we are able to educate board members and business leaders in North America on the urgency of investing in protecting their companies from cyber attack, the sooner we will see improvement in rates of successful attack and a reduction in losses. Canadian companies aside, organizations in North America tend to be anti-regulation in culture, a fact that makes this an appealing place to do business, but which can also leave us wide open to some forms of harm. In particular, when we rely on organizations’ motivation to protect themselves in an area with which most are unfamiliar, we have a problem. The average businessperson’s level of understanding when it comes to cybersecurity tends to be a decade behind, at best. You are likely to hear people associate cybersecurity with “that one time a foreigner tried to get me to send them money,” or “I think someone stole my credit card information one time.” They don’t understand the tremendous implications for their business (regardless of size or industry), and how pervasive vulnerability to attack threatens our very economy. Hopefully, studies like the Cyber Risk Index can serve as a conversation piece to help translate seemingly obscure technical concepts into plain business-speak, and help increase support for CISOs who are working to secure their companies and prevent losses.

Assessment Questions?

If you have questions about which framework is best to assess your organization’s risk, feel free to reach out to us and Request a Consultation. The True Digital Security Risk Advisory Team maintains certifications and deep expertise across numerous security and compliance frameworks, and we can help you determine risk, build a cybersecurity roadmap, and prioritize next steps in becoming more secure.

Additionally, if you would like to take advantage of a One Hour Complimentary Consultation with a member of our Risk Advisory Team, you can schedule with us here.
