Risk Assessment: 5 Questions CISOs Should Ask

Cyber attacks are now part of everyday life, and the size and industry of a company hardly matter anymore. How a company is attacked, and whether the attackers succeed, does however depend on its cybersecurity measures. This makes continuous risk assessment essential, and it is no easy task for the responsible Chief Information Security Officers (CISOs) these days.

According to the latest Allianz Risk Barometer, cyber incidents are currently the top business risk worldwide. Since IT forms the basis for almost all business processes today, its failure affects every area of the company. This puts many a CISO in a difficult position: they are expected not only to know about cyber risks, but also to assess the risk those risks pose. To reach the goal of effective cybersecurity, CISOs should ask themselves the following five questions during risk assessment:

1. Where are our weak points?

There are three types of vulnerabilities: procedural, technical, and human. Procedural vulnerabilities include, for example, emergency plans that have never been tested and fail when they are actually needed. Technical vulnerabilities can be classified by severity using the CVSS (Common Vulnerability Scoring System). Human error is just as normal a part of cybersecurity as technical gaps: in a stressful moment, someone forgets to set a password on a new cloud instance, or falls for a phishing mail. Finding these weak points requires an exchange of information between the different departments and an overview of the processes in the IT environment, all cloud services and all systems.

2. How do attackers proceed?

Despite their lower CVSS score, CISOs should not neglect older, lower-priority vulnerabilities. These can be highly attractive to cybercriminals, because they are often much easier to get at, precisely because they tend to be overlooked or not prioritized in analyses. For the risk assessment it is therefore important to take into account not only the industry and company size (a large public authority, say, or a medium-sized craft business) but also information about currently active attacker groups and their approach, including which vulnerabilities they use.

3. How high is my attack probability?

The probability of attack is derived from the two factors "current cybercriminal activity" and "discovered vulnerabilities" by asking two questions: "Does the size of my company fall within the prey scheme of current hacker activity?" and "Is there a vulnerability in the company that is currently being attacked frequently?" If the answer to both questions is "yes", the risk of an incident is high. It should also be noted that around 90 percent of all cyber attacks are financially motivated and are meant to be carried out with as little effort as possible. In short: companies that offer little defense are more attractive to cybercriminals.

4. What would be the consequences of a cyber attack?

Richard Werner, Business Consultant at Trend Micro (Image: Trend Micro)

The risk assessment, and the resulting need for action, follow from the probability of occurrence and the extent of the possible damage. To estimate both, CISOs should ask themselves the following questions about the company's dependencies, security posture and IT infrastructure: What options does an attacker have once on the network? How could they move without being detected by internal controls? What controls are in place? How could the intruder reach valuable data? What impact would an attack-triggered production shutdown have on customers and suppliers?
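As an added worked example (not from the article and not Trend Micro's own tooling), the following Python script turns questions 1 to 4 into a small risk register: it rates CVSS scores with the standard qualitative scale, applies the two yes/no questions from question 3 to estimate the probability of attack, multiplies that by the extent of damage from question 4, and ranks the findings. The weights (the 0.9 floor and the 0.2 bump), the `VULN-*` identifiers and the sample findings are constructed assumptions for illustration; the point it demonstrates is the one the article makes under question 2, that a medium-severity vulnerability which is actively being used against companies like yours, on a production asset, outranks a critical-severity one that nobody is exploiting on a test system.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Finding:
    """One entry in the risk register (all values constructed for this example)."""
    ident: str                # placeholder label, not a real CVE number
    cvss: float               # CVSS base score, 0.0 to 10.0 (question 1)
    actively_exploited: bool  # attacker groups currently use it (questions 2 and 3)
    fits_our_profile: bool    # those groups target companies like ours (question 3)
    asset_impact: int         # extent of damage, 1 (minor) to 5 (production shutdown) (question 4)


def cvss_severity(score: float) -> str:
    """Qualitative rating as defined in the CVSS v3 specification."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def likelihood(f: Finding) -> float:
    """Probability of attack on a 0..1 scale.

    Starts from the CVSS score and applies the rule from question 3: if both
    answers are 'yes' (attackers target our kind of company AND the vulnerability
    is currently being exploited) the probability is high regardless of score.
    The 0.9 floor and the 0.2 bump are assumed weights, not taken from the article.
    """
    base = f.cvss / 10.0
    if f.actively_exploited and f.fits_our_profile:
        return max(base, 0.9)
    if f.actively_exploited or f.fits_our_profile:
        return min(1.0, base + 0.2)
    return base


def risk_score(f: Finding) -> float:
    """Risk = probability of occurrence x extent of possible damage (question 4)."""
    return round(likelihood(f) * f.asset_impact, 2)


def prioritise(findings: List[Finding]) -> List[Finding]:
    """Order the register by risk score, highest first."""
    return sorted(findings, key=risk_score, reverse=True)


# Constructed sample register: four hypothetical findings.
SAMPLE_REGISTER = [
    Finding("VULN-A", 9.8, False, False, 2),  # critical CVSS, test system, nobody exploiting it
    Finding("VULN-B", 5.3, True, True, 5),    # medium CVSS, used against our sector, production asset
    Finding("VULN-C", 7.5, True, False, 3),   # high CVSS, exploited elsewhere, internal service
    Finding("VULN-D", 3.1, False, False, 1),  # low CVSS, low impact
]


if __name__ == "__main__":
    for f in prioritise(SAMPLE_REGISTER):
        print(f"{f.ident}: CVSS {f.cvss} ({cvss_severity(f.cvss)}), "
              f"likelihood {likelihood(f):.2f}, impact {f.asset_impact}, "
              f"risk {risk_score(f)}")
```

Run as a script, it lists VULN-B first (risk 4.5) although its CVSS rating is only "Medium", and the "Critical" VULN-A third (risk 1.96), because the low-impact asset and the absence of active exploitation pull it down. In practice the `actively_exploited` and `fits_our_profile` inputs come from threat intelligence on current attacker groups, which is the information question 2 says must feed the assessment.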

5. What does it take to minimize risk?

In order to achieve the desired reduction in both the probability of occurrence and the effects of an attack, specific measures must be taken, for example a patch that closes a technical vulnerability, or setting and changing passwords. Larger security measures such as network segmentation become necessary when particularly sensitive data and assets require protection. CISOs should then regularly check the effectiveness of the measures taken to minimize risk. Those who want to spare themselves the cost-benefit calculation can turn to security vendors with comprehensive platforms.

The goal of CISOs: minimize the damage

As security experts, CISOs play a key role in the company. They need to identify the biggest risks and take targeted countermeasures. Keeping track of today's highly dynamic IT landscape, however, is not an easy task. The questions discussed above help establish a continuous risk assessment, which in turn leads to a proactive security strategy. This is all the more important now that cyber incidents are recognized as the number one business risk worldwide.

More at TrendMicro.com