Businesses should tackle cyber crime by seeking to reduce risk, according to global digital risk and investigations firm Stroz Friedberg.
The reality is that companies cannot plug every potential security hole, but a proper risk assessment will help prioritise investment and plans of action, Seth Berman of Stroz Friedberg told Computer Weekly.
“A risk-based approach will ensure that companies are more resilient, that they will be able to respond quicker to threats that really matter and that networks are properly segmented,” said Berman.
By segmenting networks, businesses can ensure that only authorised employees are able to access appropriate data assets.
Restrict reach of hackers
Segmentation of networks also helps to restrict attackers if they are able to breach perimeter defences because, without the necessary credentials, they will be limited to the segment that has been breached.
“If attackers are restricted in their movement once they are inside a network, it gives businesses more time to respond and limits the amount of damage the attackers can do,” said Berman.
A lack of segmentation is a key flaw that has been identified in the Sony Pictures network, allowing attackers free rein once perimeter defences had been breached.
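As an added illustration of the segmentation point above (this is not code from the article or from Stroz Friedberg): a small Python model that treats a segmentation policy as an allow-list of flows between network segments, then compares a flat network with a segmented one. It computes the worst-case set of segments an intruder in one segment could go on to reach, how many segment boundaries sit between the internet and a sensitive database, and whether the policy honours a few "never directly reachable" rules that a risk assessment might produce. The segment names, services, ports and rules are all constructed assumptions.

```python
"""Blast-radius check for a network segmentation policy (constructed example)."""
from collections import deque

# Constructed segments for a fictional company; none of these names come
# from the article.
SEGMENTS = frozenset({
    "internet", "dmz_web", "app_tier", "db_pii",
    "corp_users", "vendor_hvac", "bms",
})

# Flat network: no internal filtering, so every segment may talk to every
# other one on any service.
FLAT_POLICY = [(src, dst, "any")
               for src in SEGMENTS for dst in SEGMENTS if src != dst]

# Segmented network: an explicit allow-list of (source, destination, service).
# Anything not listed is dropped at the segment boundary.
SEGMENTED_POLICY = [
    ("internet",    "dmz_web",  "tcp/443"),
    ("dmz_web",     "app_tier", "tcp/8443"),
    ("app_tier",    "db_pii",   "tcp/5432"),
    ("corp_users",  "dmz_web",  "tcp/443"),
    ("vendor_hvac", "bms",      "udp/47808"),  # building-management traffic only
]

# Rules the risk assessment decided the design must satisfy (assumption): the
# PII database is never a direct hop from the internet, from a vendor segment,
# or from ordinary user workstations.
FORBIDDEN_DIRECT = [
    ("internet", "db_pii"),
    ("vendor_hvac", "db_pii"),
    ("corp_users", "db_pii"),
]


def adjacency(policy):
    """Map each segment to the set of segments it may reach with a direct flow."""
    adj = {seg: set() for seg in SEGMENTS}
    for src, dst, _service in policy:
        adj[src].add(dst)
    return adj


def hops_to(policy, start, target):
    """Fewest segment boundaries between start and target, assuming the worst
    case that every allowed service along the way could be compromised.
    Returns None when the policy allows no path at all."""
    adj = adjacency(policy)
    dist = {start: 0}
    queue = deque([start])
    while queue:
        seg = queue.popleft()
        if seg == target:
            return dist[seg]
        for nxt in adj[seg]:
            if nxt not in dist:
                dist[nxt] = dist[seg] + 1
                queue.append(nxt)
    return None


def blast_radius(policy, breached):
    """Segments reachable, directly or transitively, from a breached segment
    (the breached segment itself is excluded from the result)."""
    adj = adjacency(policy)
    seen = {breached}
    queue = deque([breached])
    while queue:
        seg = queue.popleft()
        for nxt in adj[seg]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(breached)
    return seen


def direct_violations(policy, forbidden):
    """Return the (source, destination) pairs from `forbidden` that the policy
    allows as a direct flow; an empty list means the policy meets the rules."""
    allowed = {(src, dst) for src, dst, _service in policy}
    return [pair for pair in forbidden if pair in allowed]


if __name__ == "__main__":
    for name, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        print(f"{name}: vendor breach reaches {sorted(blast_radius(policy, 'vendor_hvac'))}")
        print(f"{name}: hops internet->db_pii = {hops_to(policy, 'internet', 'db_pii')}")
        print(f"{name}: direct violations = {direct_violations(policy, FORBIDDEN_DIRECT)}")
```

In the flat policy a foothold in the vendor segment already reaches everything and the database is one hop from the internet; in the segmented policy the vendor segment reaches only the building-management segment, the database is three boundaries away, and none of the forbidden direct flows exist. The hop count is a rough proxy for the "more time to respond" point, since each boundary is a place to log, alert and filter. The model is deliberately pessimistic: it treats every allowed service as crossable, whereas in practice an intruder would still need credentials or a working exploit for each hop.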
If organisations assume that they will be breached at some point, that helps to further refine the risk-based priorities, said Phil Huggins, vice-president of security science at Stroz Friedberg.
“Instead of focusing only on building higher, thicker walls, this approach ensures that when fireballs do come flying over the walls, the company has some water buckets ready to put out the flames,” he said.
In this way, organisations become more resilient, in the sense that they are better able to deal with breaches, understand the real extent of an attack and bounce back.
“In organisations where the governance of enterprise risk is less mature, cyber risk tends to be treated separately,” said Huggins. “Whereas in organisations where there is a mature risk management framework, cyber risk is part and parcel of that process.”
Address biggest risks first
However, Huggins said making cyber risk part of operational risk is not easy and, consequently, while some organisations do it well, that is not true for all.
“Typically, the people in an organisation who understand business risk very well have no concept of cyber risk,” he said.
Organisations that are handling cyber risk well typically identify the particular cyber risks to which their sector and business are exposed, said Berman.
“This enables them to identify the most important information assets, underlying systems and infrastructure, thereby helping to prioritise security controls and processes for those assets,” he said.
A risk-based approach enables organisations to identify a starting point that ensures the greatest risks are addressed first.
“Businesses can then decide what risks must be reduced, how much time and effort to spend on doing that, and what risks they can afford to live with,” said Berman.
Assess supplier risk
But organisations must not forget to include their supply chain in their risk assessment because, as demonstrated by the cyber attack on US retailer Target, suppliers can be the weakest link, said Huggins.
Security credentials stolen from an air-conditioning firm that was a supplier to the US retailer were used by attackers to gain unauthorised access to Target’s network.
Managing the information security capabilities of suppliers is difficult, but Huggins said bigger companies should consider helping smaller suppliers to improve their security posture.
“It may be worth considering working with and helping suppliers become compliant with your security requirements rather than relying on their assurances that they are compliant,” he said.
Share security knowledge
Huggins said defenders should also collaborate with industry communities.
“Any company is weaker when it stands alone, rather than sharing information with industry peers about what threats they are facing and what approaches are working well,” he said.
A community-based approach also enables member organisations to share resources and skills as well as threat information.
“Some organisations that are already doing this will put their incident response teams at the disposal of other members of their community when they come under attack,” he said.
Huggins said initiatives such as the UK government’s Cyber Security Information Sharing Partnership (CISP) are the way forward, but pointed out that there is still a long way to go.