Over the years, every hiring manager develops a core repertoire of key questions to ask when interviewing candidates. One of my favorites, when interviewing security engineers and analysts, is to ask what kinds of threats we need to defend against. The answers of course vary, although I recall one candidate who answered that “we need to defend against all threats,” and went on to attempt to defend his position. No organization can afford to defend against “all” threats and still expect to stay in business. The right answer is that we must defend against relevant threats. More specifically, a business must prioritize and protect against threats which are likely to occur, as well as those with the potential to substantially impact the business in a negative way.
Before a business can make any decisions around protecting itself against relevant threats, it is important to understand the types of threats that any business is exposed to in our digital world. Depending on the size and industry of the business, some threats may be more prevalent than others, but threats today fall into one of four general categories:
- Insider Threats
- Cyber Espionage
- Hacktivism
- Cyber Crime
A brief discussion of these threat types follows:
Almost any business is subject to the insider threat, which includes accidental as well as malicious behavior. A recent study conducted in Europe found that over a ten year period, 57% of security incidents across the study of 350 breaches were caused by insiders vs. an external threat. Even the recent Sony Pictures breach may have had insider involvement.
Any business, regardless of size or industry, will be subject to the insider threat. This reality makes the likelihood of the insider threat high. Also, the impact to the business as a result of an insider breach can often be severe, so the insider threat has both a high likelihood and a high impact and is something that all organizations need to focus on protecting themselves against.
Cyber espionage is good old fashioned spying. I recall back in the eighties, in the movie “Wall Street”, where Charlie Sheen’s character partners with a janitorial firm in order to gain access to offices at night for the purpose of stealing information and photographing documents. Fast forward to today and someone wanting to steal information is most likely looking for digital information, and needs only a keyboard and a mouse to steal data.
The likelihood of a business being a target of cyber espionage depends to some extent on the industry. Certainly, a defense contractor or a manufacturing business with patent-protected designs and documents is a prime target for cyber espionage. However, even a small business can be a victim of cyber espionage.
Cyber espionage is conducted by different actors. In some cases, the perpetrators can be nation states such as China, North Korea, or Russia. In other cases, the espionage could be conducted by competitors seeking to steal intellectual property or gain competitive advantage. Even individuals can be the target of cyber espionage as private detectives can acquire a wealth of information on individuals simply by researching their target online.
The impact and likelihood of the cyber espionage threat need to be reviewed by the business to ascertain the level of risk. Depending on the business, the likelihood will range from low to high, although the impact will often be quite substantial.
Hacktivism can be described as good old fashioned mischief and can range from minor annoyances to more serious incidents. Website defacement committed by pranksters, or by organized groups seeking to promote a political or other agenda, is an example of hacktivism.
Quantifying the likelihood of a hacktivism threat can be quite subjective. Certainly, the website of a political party is much more likely to be the target of a hacktivism attack than the website of the neighborhood ice cream store. But even the ice cream store can be at risk if a disgruntled customer with the skills necessary to vandalize the website chooses to do so.
Likewise, the impact can vary. Simple website defacement is of course embarrassing, although the impact can potentially be contained. Successful attacks which disrupt an e-business, or destroy data, can have a more substantial impact.
Cybercrime is much like most other crimes and is usually financially driven. Hackers and criminals will gravitate to where the money is and will go after easy targets. Individuals, cloud data, and smartphones are primary targets and criminals often seek credentials which will lead them to increasing payoffs.
The likelihood of being a victim of cybercrime is arguably high for any business, as it is for individuals. Impact also depends on the financial stakes: for sole proprietors or small businesses, smaller dollar amounts have a larger impact than they would for a larger organization. Likewise, an identity theft incident against a sole proprietor can be devastating in impact.
Smaller organizations also need to be aware of, and evaluate, the risk of cybercrime resulting from an attack on larger organizations that may be business partners or important vendors. A single breach of the financial data of a large organization exposes customers of the targeted organization to negative financial impact.
Threats against a business fall into four general categories, and in each of these areas a business needs to evaluate the potential threats and make a judgement about how likely it is that the threat will occur, and how large an impact the threat can have on the business if the attack is successful. While there are generic factors which apply to all businesses, each business is unique and needs to make independent value judgements when evaluating its risks. Threats which have both a high likelihood of occurring and a significant negative impact should be prioritized, addressed, and mitigated to reduce the risk to the business. No business has unlimited resources to defend against all threats; prioritization is necessary.
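As an added illustration of the likelihood-and-impact judgement described above (example code, not part of the original post), the following script scores a small threat register across the four categories. It assumes a three-level ordinal scale, rates impact as a fraction of annual revenue so that the same dollar loss weighs more heavily on a small business, and uses constructed sample figures for a hypothetical small e-commerce company.

```python
"""Prioritise threats by likelihood and size-relative impact (added example)."""
from dataclasses import dataclass

# Assumed ordinal scale for the qualitative judgement the post describes.
LEVELS = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Threat:
    name: str
    likelihood: str        # "low" | "medium" | "high"
    estimated_loss: float  # constructed dollar estimate of one successful attack


def impact_level(loss: float, annual_revenue: float) -> str:
    """Rate impact relative to business size (thresholds are assumptions).

    A given loss is a larger hit to a small business than to a large one, so
    impact is judged as a fraction of annual revenue, not in absolute dollars.
    """
    ratio = loss / annual_revenue
    if ratio >= 0.10:
        return "high"
    if ratio >= 0.02:
        return "medium"
    return "low"


def risk_score(threat: Threat, annual_revenue: float) -> int:
    """Likelihood level times impact level, from 1 (lowest) to 9 (highest)."""
    impact = impact_level(threat.estimated_loss, annual_revenue)
    return LEVELS[threat.likelihood] * LEVELS[impact]


def prioritise(threats: list, annual_revenue: float) -> list:
    """Return (name, score) pairs, highest risk first; ties keep register order."""
    scored = [(t.name, risk_score(t, annual_revenue)) for t in threats]
    return sorted(scored, key=lambda pair: -pair[1])


def must_address(threats: list, annual_revenue: float) -> list:
    """Names of threats that are both highly likely and high impact."""
    return [t.name for t in threats
            if t.likelihood == "high"
            and impact_level(t.estimated_loss, annual_revenue) == "high"]


# Constructed sample register for a hypothetical small e-commerce business.
SAMPLE_REGISTER = [
    Threat("insider threat", "high", 150_000),
    Threat("cyber espionage", "low", 120_000),
    Threat("hacktivism", "medium", 20_000),
    Threat("cybercrime", "high", 80_000),
]
SAMPLE_REVENUE = 1_000_000  # constructed annual revenue in dollars

if __name__ == "__main__":
    for name, score in prioritise(SAMPLE_REGISTER, SAMPLE_REVENUE):
        print(f"{score}: {name}")
```

Running the same register against a ten-times larger revenue figure drops every threat out of the must-address set, which is the size-dependence the post argues for.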
– Ted Lloyd, CISM