The challenge for any organisation when defining key risk indicators (KRIs) for cyber security is that the indicators differ for every enterprise. There is no blueprint to use as guidance, and no single KRI that is pervasive or generic across all businesses, or even industry sectors, because what needs to be considered varies so widely.
Cyber attacks tend to be launched either to access data held by the company or to disrupt business operations. Not only will the impact of an attack vary by company, but even attacks with similar objectives (such as data gathering) could be attempted in very different ways.
The data held by business-to-consumer companies will be of great interest in data harvesting attacks.
Utilities providers, for example, may hold names and addresses, along with billing details (authorised direct debits or payment card details), for most customers. This could be a very interesting target for would-be cyber attacks because all the information required to make payment is held within the same entity. Retailers may also have payment details stored for their web-based sales channels, potentially along with address details for shipping products to consumers.
Business-to-business companies, however, may not hold the same level of consumer data because it is not needed for their business. Here, rather than targeting the data, an attack might be designed to cause a denial of service (DoS). Again, the severity of this from a business perspective will be heavily influenced by what the business does and for whom.
Critical infrastructure providers may have a core dependency on the smooth running of a country. Utilities, again, may need to generate, distribute and provide gas, electricity or water to a populated area. Clearly, if network operations are compromised, the impact would be severe, potentially on a country-wide scale.
The same could be said for transport providers. As we’ve seen recently, it only took a drone to significantly disrupt the smooth operation of air traffic scheduling. While this may not have been a cyber-driven attack, disruption of the computer control systems would have a similar impact.
KRIs must mirror business-specific risks
These examples give an idea of the very wide range of attacks that could target an individual business. The fact that the attack could be specific for each business model or company is the crux of the issue with defining the KRIs.
Every business needs to understand for itself which type of attacks or risks could affect it most significantly. Only once those risks are identified can a potential detection strategy be put in place to highlight whether the risk is starting to occur. Even then, the way in which an attack could occur will also depend on the structure and setup of the company itself.
The IT infrastructure could be a mix of on-premise servers and applications hosted exclusively in internal datacentres, outsourced datacentres or software-as-a-service (SaaS) applications from external providers. Different applications may also have different security principles applied.
Depending on the data processed by the application (payments), the data held by the application (personal information relevant for the EU’s General Data Protection Regulation), or the processes that the application performs (computer control systems for network management or nuclear reactor temperature sensors), the level of security defences deployed could vary hugely. Significant access restrictions (authorisation and authentication), automated access-driven malware detection, high-powered encryption protocols and firewalls are just some of the options.
Risk insight from organisational reporting
The strategy or combination of strategies in place will govern the level of reporting available to business security managers and, as such, will influence the indicators that can be used to inform whether the risks are being realised.
It could be as simple as keeping a record of the number of customers submitting data subject access requests. A spike in people asking what data is held about them and for what purpose could indicate that information is circulating, on social media for example, that implies a breach, or that customers no longer trust the company. Equally, it could be more advanced, such as automatically flagging when a dataset that has historically been accessed from a particular computer or location is now being accessed from somewhere different.
From a denial of service perspective, the KRI could be continuous monitoring of the performance load on a database. The baseline is the usual server utilisation rate; supposing this is 60%, triggering an alert as it approaches 75% provides an opportunity to take action before 100% server capacity is reached, at which point no more connections will be possible. While this is not a guarantee that a denial of service attack is being attempted, performance monitoring of application servers could be a useful way to avoid the impact, regardless of the cause.
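As an added illustration (not from the article), the three indicators just described, a DSAR spike against a trailing baseline, a dataset read from a previously unseen location, and database utilisation crossing the 75% threshold, expressed as simple checks over constructed sample data; the sample values, the 2x spike ratio and the location-history rule are assumptions.

```python
from collections import defaultdict

# Constructed sample inputs: daily DSAR counts (last value is today),
# dataset access records as (dataset, host, location), and DB utilisation %.
DSAR_DAILY = [4, 5, 3, 6, 4, 5, 18]
ACCESS_LOG = [
    ("billing", "ws-014", "london-hq"),
    ("billing", "ws-021", "london-hq"),
    ("billing", "ws-014", "london-hq"),
    ("billing", "lt-307", "vpn-unknown"),  # first read from a new location
]
DB_UTIL_PCT = [58, 61, 60, 63, 77]


def dsar_spike(daily, ratio=2.0):
    """KRI 1: today's DSAR count exceeds `ratio` times the trailing daily mean.

    Returns (alert, baseline) so the baseline can be reported alongside."""
    *history, today = daily
    baseline = sum(history) / len(history)
    return today > ratio * baseline, baseline


def unusual_access(log):
    """KRI 2: a dataset is read from a location absent from its own history.

    Location history is built from the log itself, so the first record for a
    dataset never alerts; later reads from a new location do."""
    seen = defaultdict(set)
    alerts = []
    for dataset, host, location in log:
        if seen[dataset] and location not in seen[dataset]:
            alerts.append((dataset, host, location))
        seen[dataset].add(location)
    return alerts


def db_load_alert(samples, baseline=60, threshold=75):
    """KRI 3: latest utilisation has reached the alert threshold (75% in the
    article) above the usual 60% baseline. Returns (alert, latest, headroom)."""
    latest = samples[-1]
    return latest >= threshold, latest, 100 - latest


def evaluate_kris():
    """Run all three indicators and return which ones fired."""
    spike, _ = dsar_spike(DSAR_DAILY)
    load, _, _ = db_load_alert(DB_UTIL_PCT)
    return {"dsar_spike": spike,
            "unusual_access": bool(unusual_access(ACCESS_LOG)),
            "db_load": load}
```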
Organisations therefore have to pinpoint what is critical to their specific business model and map the key risks to it. Once the business risks are understood, the appropriate controlling measures can be deployed to safeguard the desirable outcomes and avoid the undesirable ones.
Read more from Computer Weekly’s Security Think Tank about key cyber security risk indicators