Another data breach. CEO fraud on the rise. Phishing of Office 365 IDs rampant. Fine levied for shortcomings in data protection. Zero-day vulnerability exploited in a wave of data breaches. Looking at the news, the CEO or Board member begins to suspect that maybe they should look into this information security thing a little. What do companies need to know about information security and why?
Information security and data protection concern all companies, not just the tech ones. Everybody uses information technology today, so many information security threats, such as malware and phishing, affect everyone who browses the internet or reads the occasional email. In addition to safeguarding their business secrets, companies are obliged to protect the personal data of their employees and customers. However, information security risks naturally differ from one organization to the next. To address this, I’ve put together the four most important questions to ask about your organization’s information security:
- What cyber threats could our company face?
- How do cyber threats affect our business and finances?
- Who is responsible for cyber risk management?
- How well is your company protected against cyber threats and risks?
These questions are discussed in more detail in Traficom’s guide Cyber security and the responsibilities of boards. Below, however, you will find my compilation of practical tips for understanding the corporate cyber threat landscape.
What kind of cyber threats can your company face?
Cyber threats potentially encountered by companies can be split into four categories:
- Universal threats to all companies
- Mainly generic threats related to the company’s operations or technologies
- Targeted attacks
- Industry-specific threats
Let’s look at some examples of how these threats can manifest in the real world:
Universal threats to all companies
Cyber threats faced by nearly every company include CEO and invoice fraud, ransomware and, for example, large-scale phishing of Office 365 or Google accounts. These malicious messages are not necessarily sent to work email addresses: employees also expose the company when they read personal email or browse social media on their work computers, where they may inadvertently open a malicious link, download malware or fall for an offer that is too good to be true.
Mainly generic threats related to the company’s operations
A company could be targeted because of the technology it uses, such as WordPress or Drupal content management systems, the Magento e-commerce platform, or an unpatched operating system vulnerability. In such cases, the attackers have typically found the company's vulnerable web page or information system with an opportunistic search, such as with the Shodan search engine, without actually caring about the company’s line of business.
In some cases, the actual target was something else entirely and the cyber threat to your company is just collateral damage. For example, the company’s services could go offline if its service provider is targeted by a denial of service attack. Of course, interruptions in service can also be caused by human error or, say, weather phenomena. It is also worth noting that you can sometimes have a cyber threat without an attacker. For example, a user can accidentally share sensitive information too freely or add the wrong attachment to an email.
Collateral damage can also be caused by malicious third-party libraries or tools if an attacker has compromised the package delivery channel or employed typosquatting, i.e. published malicious libraries with names nearly identical to popular ones. These methods of attack can also be completely opportunistic. Trust in package management and its potential consequences are comprehensively explained in this article by Alex Birsan.
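As an added example (not part of the original post), the following Python check looks for typosquats in a dependency manifest: any package name that is a single typo away from a well-known name, but is not that name, gets flagged. The list of popular packages and the manifest are constructed for illustration; in practice the reference list would come from the package index's most-downloaded names or your own internal allow-list.

```python
import re

# Added example (not from the original post): flag dependency names that are a
# one-character edit away from a well-known package. POPULAR and MANIFEST are
# constructed for illustration.
POPULAR = {"requests", "urllib3", "numpy", "django", "cryptography", "pyyaml"}

# Constructed pip-style manifest: three legitimate entries and three typosquats.
MANIFEST = """\
requests==2.31.0
reqeusts==2.31.0
urlib3==1.26.0
numpy==1.26.4
django-admin-tools==0.9
crytpography==41.0.0
"""


def damerau_levenshtein(a: str, b: str) -> int:
    """Edit distance counting insertion, deletion, substitution and the
    transposition of two adjacent characters (the classic typo)."""
    prev2 = None                      # row i-2 of the distance table
    prev = list(range(len(b) + 1))    # row i-1 (row 0: distance from "" to b[:j])
    for i, ca in enumerate(a, 1):
        cur = [i] + [0] * len(b)
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            cur[j] = min(prev[j] + 1,          # delete ca
                         cur[j - 1] + 1,       # insert cb
                         prev[j - 1] + cost)   # substitute
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cur[j] = min(cur[j], prev2[j - 2] + 1)  # swap adjacent pair
        prev2, prev = prev, cur
    return prev[len(b)]


def requirement_name(line: str) -> str:
    """Extract the normalised package name from a requirements.txt line."""
    name = re.split(r"[=<>!~;\[\s]", line.strip(), maxsplit=1)[0]
    return name.lower().replace("_", "-")


def find_typosquats(manifest: str, popular=POPULAR, max_distance: int = 1):
    """Return (suspect, lookalike) pairs for names close to, but not in, popular."""
    hits = []
    for line in manifest.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        name = requirement_name(line)
        if name in popular:
            continue                  # exact match: the real package
        for known in sorted(popular):
            if damerau_levenshtein(name, known) <= max_distance:
                hits.append((name, known))
                break
    return hits


if __name__ == "__main__":
    for suspect, lookalike in find_typosquats(MANIFEST):
        print(f"suspicious: {suspect!r} looks like {lookalike!r}")
```

A distance threshold of one catches the common transposition and dropped-letter cases without flooding you with false positives, but legitimate forks and plugins with similar names will still show up; treat a hit as a prompt to verify the package's publisher and history, not as proof of malice.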
Targeted attacks
The objective of a targeted attack is to give the attacker access to a particular organization’s systems or data. Possible motivations include gaining access to corporate secrets or personal data, influencing political decision-making or hacktivism, paralyzing critical functions such as energy production or the water supply, spreading fake news or obtaining financial benefit, either directly or by blackmailing the victim.
Insider or ex-insider attacks are another matter altogether, as they can be motivated by revenge alongside financial benefit. The attackers may also be interested in the company's customers, partners and subcontracting chains, and attack your company through a service provider in what is called a ‘supply-chain’ attack. A recent example of a supply-chain attack is the back door added to the SolarWinds Orion Platform management tool, which permitted the attackers to breach the systems of companies that had installed the tool.
Industry-specific cyber threats
Companies operating in certain sectors may be at greater risk of being targeted by a cyber attack. At-risk industries include the financial sector, energy production, central government and defense, logistics and transportation, social and health care, the pharmaceutical and chemical industries, the food industry, the media, and internet and telephone services. The partners and subcontractors of companies operating in these industries also run the risk of being targeted.
How can we identify which cyber threats are relevant to our company?
Fortunately, not all cyber threats apply to all companies. You can chart your own threat landscape with these four measures:
- Stay aware of the general cyber security situation and the status of your own sector.
- Assess the importance of your information systems and data.
- Chart the threats to your information systems using threat modeling and assess the level of risk.
- Identify threats related to governance and processes and assess the level of risk.
Each item is explained in more detail below:
Threat intelligence provides situational awareness
New vulnerabilities are constantly being revealed, attackers develop their techniques, and machine translation becomes more fluent, making phishing in the local language harder to spot. The field of cyber threats is constantly evolving, and your company needs threat intelligence to keep pace.
Threat intelligence or threat intel can be general in nature, such as observations of an Office 365 phishing campaign conducted in idiomatic Finnish or another local language. Threat intelligence may also be related to technologies used by your company, such as news about the proliferation of Docker malware. An example of industry-specific threat intelligence would be the recent report on targeted attacks against organizations developing COVID-19 vaccines.
Threat intelligence can be technical, strategic, tactical or operational. Technical threat intelligence consists of concrete indicators, for example malicious web addresses or file hashes that identify malware. Strategic threat intelligence focuses on cyber threat trends, giving your company more insight into the types of threats it is most likely to face in the near future. Tactical threat intelligence provides information on the methods used by cyber criminals, among other things. Such intelligence can be used to support system design and the development of cyber attack prevention and detection mechanisms. Operational threat intelligence helps you understand which specific attacks you are potentially facing.
By combining multiple data sources and information on your company’s information security incidents and near misses, you can build a comprehensive picture of the cyber threat landscape and gain an understanding of potential threats to your company ahead of time. Threat intelligence is particularly useful when it is used directly to develop and enhance information security monitoring. It also gives you the opportunity to verify the accuracy of your threat assessments.
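As an added example of feeding technical threat intelligence straight into monitoring (not part of the original post), the Python below loads a small indicator feed and checks proxy and endpoint log lines against it. The feed, the log lines and the hash are all constructed for illustration and refer to no real campaign; the feed is written in the defanged form (hxxp://, [.]) that many intel sources use, which is why the code has to "refang" it before matching.

```python
import re

# Added example (not from the original post). FEED is a constructed, defanged
# indicator list; LOG is a constructed mix of proxy and endpoint events.
FEED = """\
# type,indicator,context
domain,hxxp://login-office365-verify[.]example/,Office 365 credential phishing (local-language lure)
domain,update[.]docker-miner[.]example,Docker cryptomining malware C2
sha256,0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef,miner binary dropped by the Docker malware
"""

LOG = """\
2024-03-01T09:12:03Z proxy user=anna dst=cdn.login-office365-verify.example status=200
2024-03-01T09:13:10Z proxy user=bob dst=www.example.com status=200
2024-03-01T09:15:44Z edr host=build-07 file=/tmp/.x sha256=0123456789ABCDEF0123456789abcdef0123456789abcdef0123456789abcdef
2024-03-01T09:16:00Z proxy user=carl dst=notlogin-office365-verify.example status=200
"""


def refang(indicator: str) -> str:
    """Turn a defanged indicator (hxxp://, [.]) into a bare lower-case hostname."""
    value = indicator.strip().lower()
    value = re.sub(r"^hxxps?://|^https?://", "", value)
    value = value.replace("[.]", ".").replace("(.)", ".")
    return value.split("/", 1)[0]


def load_feed(text: str) -> dict:
    """Parse the CSV-style feed into {"domain": {...}, "sha256": {...}}."""
    iocs = {"domain": {}, "sha256": {}}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        kind, value, context = line.split(",", 2)
        if kind == "domain":
            iocs[kind][refang(value)] = context
        elif kind == "sha256":
            iocs[kind][value.strip().lower()] = context
    return iocs


def domain_matches(host: str, bad: str) -> bool:
    """Exact host or any subdomain of the indicator. 'notevil.example' must not
    match 'evil.example', so a plain endswith() is not enough."""
    return host == bad or host.endswith("." + bad)


KV = re.compile(r"(\w+)=(\S+)")   # key=value fields in the constructed log format


def scan(log_text: str, iocs: dict) -> list:
    """Return (timestamp, ioc_type, indicator, context) for every line that hits."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        fields = dict(KV.findall(line))
        timestamp = line.split(maxsplit=1)[0]
        host = fields.get("dst", "").lower()
        for bad, context in iocs["domain"].items():
            if host and domain_matches(host, bad):
                alerts.append((timestamp, "domain", bad, context))
        digest = fields.get("sha256", "").lower()
        if digest and digest in iocs["sha256"]:
            alerts.append((timestamp, "sha256", digest, iocs["sha256"][digest]))
    return alerts


if __name__ == "__main__":
    for alert in scan(LOG, load_feed(FEED)):
        print(alert)
```

Two of the four constructed lines produce alerts: the subdomain of the phishing host and the lower/upper-case mixed hash. The fourth line is the edge case worth testing in any matcher: a host that merely ends in the same characters as the indicator is not a subdomain of it and must stay quiet.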
Several information security companies publish quarterly or annual threat intelligence reports and provide a variety of threat intelligence services tailored to the needs of individual organizations. Free information on current cybersecurity threats is available on the National Cyber Security Centre’s Cyber Weather website.
Identify critical information, systems and partners
It is difficult to protect something if you are unaware of its existence or importance. Answering the following questions is essential to protecting your company from cyber threats:
- What important information does the company possess? Is any information of particular interest to attackers? Who could benefit from it and how?
  - Interesting information includes, for example, business secrets, personal data, customer registers, financial information or the control parameters of industrial processes.
  - You should assess the importance of your information from three points of view: confidentiality, integrity and availability.
  - What information is critical for your company specifically?
- What are the company's critical information systems?
  - A critical information system contains important information, controls important functions or is necessary for the company’s daily operations or service provision. Possible damage to the company’s reputation should also be factored into the equation. For example, a customer register, a purchase order system, company websites and social media accounts or factory process control systems can be critical information systems.
- Which partners, suppliers or customers are critical to your company?
  - Is your company a supplier or subcontractor for an organization or in an industry with a high risk of targeted attacks? Could your company be used as a springboard for an attack?
  - Does your company use any third-party services or systems through which it could be attacked? How has the security of these systems been ensured?
Threat modeling identifies cyber issues in information systems in advance
Once you have identified your critical information and systems, you can employ threat modeling to chart the information security and data protection threats they face. Technical security testing can also help you identify acute problems. However, threat modeling can detect latent threats related to processes and practices such as software development or user management.
The idea of threat modeling is to think about what could go wrong, what the consequences would be, and what you can do about it. There are various approaches to threat modeling, such as STRIDE, drawing attack trees and evil user stories. However, more important than the choice of method is to consider the system from various perspectives and to identify both the motivations of potential attackers and the error conditions that could damage your business or reputation. You can use Nixu’s Cyber Bogies playing cards to identify attackers and other pests.
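As an added example of the attack tree method mentioned above (not part of the original post, and not Nixu's own tooling), the Python below evaluates a small tree for the goal "read the customer register". Leaves carry an attacker effort figure, AND nodes add up their children, OR nodes take the cheapest child, and the code reports the cheapest path. The node names and effort figures are constructed; in a real exercise they come out of the threat modeling workshop. Re-running the evaluation with a control switched on (MFA, patching) shows the "what can you do about it" step: a control is worth having when it raises the cost of the cheapest path, not merely the branch it sits on.

```python
from dataclasses import dataclass, field

# Added example (not from the original post): a constructed attack tree for a
# customer register. Names and effort figures are illustrative only.


@dataclass
class Node:
    name: str
    kind: str = "LEAF"                    # LEAF, AND or OR
    cost: float = 0.0                     # attacker effort, constructed units
    children: list = field(default_factory=list)


def cheapest(node: Node):
    """Return (total effort, leaf steps) of the cheapest way to reach node.
    AND nodes need every child (sum), OR nodes need any one child (minimum)."""
    if node.kind == "LEAF":
        return node.cost, [node.name]
    results = [cheapest(child) for child in node.children]
    if node.kind == "AND":
        return (sum(cost for cost, _ in results),
                [step for _, steps in results for step in steps])
    if node.kind == "OR":
        return min(results, key=lambda r: r[0])
    raise ValueError(f"unknown node kind {node.kind!r}")


def build_tree(mfa_enabled: bool, cms_patched: bool) -> Node:
    """Goal: read the customer register. Controls change the leaves' effort."""
    account_steps = [Node("Phish admin password", cost=2)]
    if mfa_enabled:
        account_steps.append(Node("Defeat MFA", cost=6))
    return Node("Read customer register", "OR", children=[
        Node("Use stolen admin account", "AND", children=account_steps),
        Node("Exploit CMS vulnerability", cost=9 if cms_patched else 3),
        Node("Recruit an insider", cost=10),
    ])


if __name__ == "__main__":
    for mfa, patched in [(False, False), (True, False), (True, True)]:
        cost, steps = cheapest(build_tree(mfa, patched))
        print(f"MFA={mfa!s:5} patched={patched!s:5} cheapest={cost}: {steps}")
```

With neither control the cheapest path is a phished password; enabling MFA alone just moves the attacker to the unpatched CMS; only the two controls together push the cheapest path up to 8 units, and the next branch (an insider, 10) is now close enough to be worth discussing in the workshop.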
Do you control your information security, or does it control you?
As companies are more than the sum of their information systems and management processes, you should take a broader perspective and think about the following:
- Risk management. Are you assessing risks systematically or on gut feeling?
- Observation capability. Do you have tools and monitoring processes for detecting information security incidents, or are they mostly detected by accident? Are you collecting information on past cases and analyzing them?
- Ability to react. Are your employees able to follow rehearsed procedures in the event of a disruption, or does everyone panic and run around like a bunch of headless chickens?
- Information security culture. Is information security a necessary evil, or do employees understand how their actions can have a positive impact on information security? Do you provide continuous, relevant information security training, or just the mandatory, yawn-inducing slides?
- Investing in information security. Are you investing in information security systematically, or only as a last resort (meaning once a data breach has occurred)?
These are not the only considerations to take into account, and you can use tools such as the National Cyber Security Centre’s Cyber Meter to assess their maturity, either individually or as part of a broader survey (only available in Finnish).
It is essential to collect opinions and information on the level of information security from all parts of the company, not just the IT or information management departments. The finance department probably sees the most invoice fraud attempts, the communications or sales departments can be targeted by various phishing campaigns, your app development team may have identified challenges in your technical environments, and facility management can have the most up-to-date information on physical break-in attempts.
This blog post is part of a series on information security and awareness. The previous instalment asked why you can't invest in well-managed information security. The next post will discuss risk assessment.