Tips to strengthen your cyber risk management

Successful cyberattacks are happening more frequently: fact. As a result, cyber insurance premiums are up 32% with pay-out rules stricter than ever. Insurers are pushing particularly back hard on claims where companies aren’t doing enough to manage risks for themselves.

Risk management is essential; as important as locking your car when you park it. How many insurers would pay out if your unlocked car was stolen? So why do businesses have such a blind spot when it comes to managing cyber risks?

Cybercriminals get inside first, then decide what kind of target you are. The biggest problem is one of perception. Most businesses either think they are not a target or assume their antivirus or fi rewall gives them more protection than it does.

Cybercriminals rarely select their targets before launching an attack. In fact, the absolute reverse is true. Attacks are almost wholly automated, extremely sophisticated (often polymorphic or fi leless, meaning they have no signature for standard antivirus to detect) and relentless.

Automated attacks are little battering rams that don’t stop. Once on your network, criminals look around, get to know you and decide your worth. We have just seen this exact scenario with a business in the city. The hackers got in, then fi gured out who the business was and the ransom they were likely to pay. If a big bank is hacked, the ransom will be millions. A smaller business might be asked for £50,000. The point is the hackers will gain access then decide ransom amount, making everyone a target.

Another popular misconception is that hackers are kids in hoodies, not to be taken too seriously. Google’s Threat Analysis Group (TAG) reported in October that it was tracking 270 government-sponsored threat actors from more than 50 countries. These are governments helping hackers extort cryptocurrency from wealthier countries, creating an untraceable revenue stream.

Now you have a clear view of cyber threats today, here are fi ve tips to help you better manage your risks and reduce your vulnerability to attack.

1SCOPE YOUR

Risk comes in many forms. Start with risks you must mitigate to meet regulatory or compliance requirements. Next come known risks you should mitigate because they are particularly high. Finally, understand your fringe risks; risks that are less likely to impact your business but are still known. Understanding these three levels of your threat horizon will allow you to establish a risk management baseline.

2MAP YOUR

Every organisation has a different risk profi le depending on various factors. A bank’s risk profi le looks very different from a manufacturer’s in terms of technology. However, where the bank carries high risk of fi nancial theft, the manufacturer might carry a higher risk to life if computer-controlled heavy machinery is hacked. Ensure you’ve accurately understood every potential impact and profi led your risk. ❛❛ Once on your network, criminals look around, get to know you and decide your worth. We have just seen this exact scenario with a business in the city. The hackers got in, then figured out who the business was and the ransom they were likely to pay ❜❜

3USE CYBER SECURITY

Make use of cybersecurity frameworks like ISO 27001, NIST, the Centre for Internet Security (CIS) Controls or the UK-based National Cybersecurity Centre (NCSC). They adopt different approaches and carry their own merits. ISO 27001 is very much about policy and process whereas the CIS offers defensive tools and controls against real-world, current threats. The NCSC, on the other hand, is all about practical, day-to-day steps to improve your security posture.

I believe businesses should engage with multiple frameworks. However, if your budget and resources are constrained, I recommend using CIS or NCSC based frameworks for their practical approach.

4THREAT INTELLIGENCE If your IT team is not already subscribed to a threat intelligence service, why not? Combining threat intel with your existing security systems helps contextualise ongoing attacks, showing if you are being actively targeted or just being hit by bots.

Our new head of cyber resilience was phished on his fi rst day – via email that appeared to be from me. This was likely the result of a bot scanning LinkedIn posts for people changing jobs (he spotted it immediately, of course.) This attack was simply looking for weak spots, rather than targeting ITHQ. Threat intel will help you identify real dangers in all the noise. 5 RATIONALISE CYBER

Frameworks can also help you to rationalise your cybersecurity tool estate down. It might feel like ‘more security is better’ but too many tools can, ironically, leave dangerous gaps – not to mention the unnecessary cost of running multiple similar platforms through poor contract management.

A recent audit one of our team carried out at a well-known UK bank revealed 110 different security tools, with many doing the same job. Instead of extra security, things were being blocked and missed by confl icting systems. Aside from paying too much for a flawed system, hacks could still get through.

A final tip would be to include staff awareness training in your risk management. Back to our recent phishing attempt: infected emails don’t open and click themselves. We use a sophisticated email security tool, but the email got through. It was awareness that ultimately stopped the attack.

}}NEXT MONTH’S TOPIC

RATIONALISING YOUR CYBER ESTATE TO IMPROVE SECURITY