Businesses sometimes forget financial and cyber risks are intertwined. According to Gartner’s 2022 Top Risks research, cyber vulnerabilities and ransomware attacks lead a list of potential business consequences, including fraud, financial reporting and accounting, and natural disasters. At the same time, most businesses surveyed did not measure their top three (or five) business risks with an audit or other precautionary measure.
Intellectual property is one of a business’s greatest assets, and one that 82% of companies allow third parties to access. So what should organizations do to protect cyber assets like proprietary data and combat the threats most likely to affect their business?
Know your industry
We recommend gathering information on your industry’s audit and cybersecurity trends. What is your industry already protecting against? What do your business’s audits cover? What is your CFO concerned about? Conversations between IT leadership and finance or risk leadership often divide over perceived differences in priority. Consider, though, the common results of a cyber breach: financial loss, reputational risk, and business interruption. All three cut across IT and business goals, and avoiding them requires cross-team support.
To ensure your organization is protecting against the right threat, consider publicly available attack trends from businesses your size, in a similar location, and with comparable business goals. What threat actors were responsible for those attacks? What methods do they commonly use?
Not every threat will breach your business
Before asking which threats could cause cyber and financial mayhem if your business were breached, first assess your business processes. What weekly, monthly, or quarterly business routines do you have in place? What would it cost your organization if one or all of these processes paused or stopped completely? Are your business processes connected to technology infrastructure? What state is the technology in?
Know your business
Ascent partnered with a Midwest manufacturing firm facing outdated, on-premises technology vulnerable to malicious encryption, a threat common to their industry. If the business’s factory equipment paused, thousands of dollars would be lost to business continuity interruption.
One step Ascent pursued with the customer was to create an incident response playbook, so that a technology failure would not be compounded by process confusion. It’s beneficial for organizations to map their BCP (business continuity plan) protocols and assess existing and developed software against potential gaps in their security posture. Do any of the threat actors likely to target your industry exploit gaps similar to the ones your organization identified?
Not every threat will consider your software vulnerabilities
Threat intelligence gathered by a Security Operations Center (SOC) identifies which alert patterns your organization should pay attention to. Developing a SOC prepared for data analysis includes active DevOps customization. Your analysts shouldn’t just know how to process alerts; they should know how to prioritize them. Those contextualized statistics support IT budget goals.
Know your threat landscape
Uber, a magnate in the taxi and transportation industry, experienced a data breach in September of 2022. Case forensics detailed an unassuming breach method: social engineering. The Lapsus$ threat actors simply spammed an employee with MFA requests over and over before the annoyed target parted with login credentials, compromising the whole organization. Audits and business risk measurements typically focus on intangibles, measuring important compliance indicators but sometimes lacking human context.
Consider the threat landscape above the keyboard. Has your organization’s IT implemented two-factor authentication so requests direct employees to a secure code sign-in instead of repeated requests for passwords? Are you equipping your employees with the equipment they need so bypassing network controls to share sensitive documents isn’t an option they consider? Does your company implement easy-to-understand protocols surrounding data security, phishing, and even spam phone calls?
It’s easy to underestimate the risk and power of social engineering, but often an organization’s double- and triple-checked plans fall short through an employee’s honest mistake.
MITRE ATT&CK tracks threats to your business
Ascent assesses the threats an organization is likely to face through data analysis and our industry-specific expertise. We offer a free MITRE ATT&CK MasterClass that considers each company’s threat landscape and informs our security advisory and project scope recommendations. For more information, please reach out to MITRE@meetascent.com.