The security landscape is complex, meaning that decision-makers can, through no fault of their own, struggle to make the best choices for their organisations, says Javvad Malik, Security Awareness Advocate at KnowBe4. He tells us why organisations should use a mix of internal and external threat reports to obtain a holistic view of the threats they’re facing.
While most will implement security systems with the best intentions, it is fairly common to see them spend a disproportionate amount of their notoriously limited budgets on protection against too narrow a selection of threats.
With all the threat information available, it can be difficult to cut through and determine the most significant threats to a specific organisation. Therefore, inadequate security defences aimed at the wrong threats can leave corporations open to vulnerabilities across a range of attack vectors.
Most enterprises rely on data as the foundation for their security strategies. They are notified of threats as they appear in their preferred alerting tool and, almost unconsciously, apply the first band-aid they see. While this works to an extent, the one-size-fits-all approach to security means threats are not prioritised according to how dangerous they are.
Many would suggest that it is more sensible to focus corporate efforts and resources on what presents the biggest threat to daily business operations. Decision-makers should look to invest in bespoke security systems that prioritise protecting the most critical systems first.
Corporations should investigate deploying a data-driven defence model. This uses objective metrics to outline where you are most at threat. It encourages a re-examination of current threat perception models, shifting focus to the root causes of threat instead of individual security incidents.
Root causes can be determined by three main factors: data, relevance and the ability for individual employees to make critical judgements about security. Once an organisation has determined the root causes requiring remediation, teams can then prioritise resources to counter them. This is inherently more efficient than patching every minor threat that arises.
Furthermore, addressing the root problem also makes it easier to weigh the costs and benefits of each security-related decision, making scarce resources go further.
Additionally, threat intelligence reports are a distinctly undervalued tool for businesses wanting to understand risks, vulnerabilities and malicious actors. These reports are traditionally based on empirical research by dedicated security teams, poring through the seedy underbelly of the Internet, hacker Twitter feeds and Dark Web forums.
This helps businesses visualise where they should spend their security budget, instead of blowing millions on white-elephant technologies that offer inadequate protection.
It is no surprise that habitually underfunded attack vectors are exploited most frequently by malicious actors. These often occur as link-based, attachment-based and spear phishing. Decision-makers should also understand the threat of ‘supply chain compromises’.
This is when a malicious actor inserts a compromised link into the description of a video or uploaded onto a third-party app store. While these are techniques favoured by attackers, it is important to note that they aren’t the only threat with social engineering techniques at the core.
Indeed, it is key for employees to understand how threats manifest, in order to reduce the possibility of them occurring. For example, domain spoofing attacks rely on tricking a user into visiting a site which appears to be a legitimate domain. That’s not to say that all the attacks rely on user error. Exploiting public-facing applications, DNS hijacking and compromising websites or apps collectively represent a significant threat, however nowhere near as prevalent as social engineering scams.
If you can divert security efforts into policing external sources of communication like email, SMS, instant messenger, social media and educate your users to be wary of social media-based attacks, you are more likely to prevent almost half of all attacks from organised criminal groups and nation states. This addresses the root problem instead of simply plugging a hole.
Lloyds of London estimates that a potential worst-case scenario of a malicious email could be upwards of US$190 billion, with retail and healthcare as the most vulnerable sectors and manufacturing following in third. Understanding the motivations behind cybercriminals can go a long way towards building an informed, evidence-driven protective strategy that will defend your organisation where it is weakest.
However, not all cybercriminals are individuals after a quick buck. There is a clear distinction between the objectives of cybercriminals and nation-state actors. While criminals generally target the money, nation states are more interested in espionage, spying, or disrupting operations. While attacks from cybercriminals are much more common due to an increase in active criminals and malware as a service, corporations should be wary of any malicious actors.
Data is the lifeblood of most security teams, although it’s often critically undervalued. Data – broad, empirical data – is the most accurate way to identify the root cause of insecurity within an organisation and it should be treated as such. Enterprises should be encouraged to acquire as much data as possible.
External threat intelligence reports can be a helpful tool when isolating attack vectors as they provide a fresh set of eyes. However, while these sources are often invaluable, organisations should not discount the data gathered by internal teams. Many argue this data is even more useful as it’s uniquely relevant to each organisation in its ongoing battle to address the root cause of insecurity.