Recognize the Threats, Part 2 - Book ExcerptPart 2 of a Chapter of the New Book 'Heuristic Risk Management' by Michael Lines
Learn about an effective approach for setting up a risk-based information security program from CyberEdBoard executive member Michael Lines.
Michael Lines is working with Information Security Media Group to promote awareness of the need for cyber risk management, and as a part of that initiative, the CyberEdBoard will post draft chapters from his upcoming book, "Heuristic Risk Management: Be Aware, Get Prepared, Defend Yourself." The last excerpt we published is Part 1 of the chapter "Recognize the Threats."
Recognize the Threats
In this blog post, I will discuss the four remaining threats. Damage, Espionage and Sabotage are first order threats, in that the threat actors discussed in the chapter "Know Your Enemy" are directly behind them. Infractions are a second order threat, because of the likelihood of harm occurring to the business as a consequence of the first order attacks, including lawsuits, fines and sanctions, not to count customer loss and share price impacts.
Damage is the reputational harm that can occur from an attack.
This can either be because of another attack, such as theft or extortion, or it can be the direct intention of the attacker, typically hacktivists, to embarrass the company.
Website defacement, which is a common tactic of hacktivists, is an example of cyber-driven reputational damage. While it may cause little direct harm to the company operations or the information that they hold, the fact the attackers can successfully carry out the attack calls into question the effectiveness of a company's security program and any assertions they have made to their customers about it.
Infractions are failures to follow either contractual, industry or regulatory requirements related to cybersecurity and privacy.
These consequences can include lawsuits, fines, and other sanctions.
Examples of infractions include the lawsuits that are inevitable when any large data breach occurs. These can come both from directly affected consumers and from shareholders who will sue because of the impact that the incident has had on the company's share price.
Regulatory fines and actions can range from private actions when industry standards such as PCI are violated to government sanctions when privacy regulations such as GDPR or HIPAA are violated. The fines that can result from these privacy-related events can be significant.
Espionage is spying and information theft, mainly for nation-state purposes but also for corporate purposes.
In corporate espionage, nations - or companies - spy on each other to gain trade secrets or some other competitive advantage.
Nation-states are the primary actors behind espionage, with Russia and China being the leaders in the theft of U.S. intellectual property to support their military-industrial efforts.
Sabotage is the attack on a company or a nation's infrastructure to cause economic or direct harm to the company or nation.
This is not always nation-state driven, as ransomware can also be considered sabotage, especially where those who have introduced the ransomware into a company have no intention of collecting the ransom. They are attacking the company strictly to do damage and disrupt their operations, using ransomware as the means of attack.
Any organization that is in a critical infrastructure industry has to be on guard against cyber sabotage. Size is not a factor: From the largest power distribution network down to the smallest local water treatment center, all are at risk.
Now that you know the consequences of attacks that you are likely to face, it is time to pick those that are more likely to occur based on your company and industry, and that are the biggest concerns to your board and leadership.
Considering the epidemic of ransomware occurring across all industries and government agencies, extortion is likely to top the list for any company, however, the rest are more nuanced. A good way to develop the ranking is to hold meetings with the stakeholders involved, explaining the options, providing examples, and then asking them to rank the options from most concerning to least concerning.
Don't worry about the exact ranking order. It is better to take the eight threats and order them into two groups - the ones you are most concerned with and those you are less concerned with. The first group of consequences is what your information security program should be focused first on preventing, and as you evaluate controls, keep these top of mind in terms of the control's ability to mitigate these threats.
Once you have explained the concepts of cyber risk in terms of business threats, some executives will order you to ensure that all these threat actors are countered. If this is the case, you need to remind them that while countering all the threats is the intention, the order that you do so should be guided by mitigating those that are most likely and impactful first - in other words, those that represent the highest risk to the organization.
CyberEdBoard is ISMG’s premier members-only community of seniormost executives and thought leaders in the fields of security, risk, privacy and IT. CyberEdBoard provides executives with a powerful, peer-driven collaborative ecosystem, private meetings and a library of resources to address complex challenges shared by thousands of CISOs and senior security leaders located in 65 different countries worldwide.
Join the Community - CyberEdBoard.io.
Michael Lines is an information security executive with over 20 years of experience as a Chief Information Security Officer, or CISO, for large global organizations, including PricewaterhouseCoopers, Transition and FICO. In addition, he has led several advisory services practices, delivering security, risk and privacy professional services to major corporations. Lines writes, blogs, speaks at conferences and webinars, and provides interviews on a wide variety of information security topics, primarily concerning what it takes to develop and run effective information security programs and why so many companies continue to suffer security breaches due to ineffective risk management.