
Digital Risk Management: Four Steps to Implementing Cybersecurity

Organizations are looking at new ways to deal with their heightened exposure online. Here are four steps to achieve visibility into threats and manage digital risks.

Digital transformation touches all aspects of the business, and every new technology, connection, or application adds complexity. Combined with a more acute threat, this transformation frequently leads to the loss of sensitive corporate data, violations of privacy laws, and damaged reputations. It also means that the physical network no longer defines the organization's boundary; the very data organizations seek to protect is spread across third parties, social media, mobile devices, and the cloud.
[Figure: Ten sectors with the most frequently breached credentials; technology companies are affected the most]

15 Billion Usernames and Passwords on Offer 

In fact, Digital Shadows found more than 15 billion credentials in circulation in cybercriminal marketplaces, many on the dark web – the equivalent of more than two for every person on the planet. The number of stolen and exposed credentials has risen 300% from 2018 as the result of more than 100,000 separate breaches. Some of these exposed accounts can have (or have access to) incredibly sensitive information. Details exposed from one breach could be re-used to compromise accounts used elsewhere. These incidents put everyone in the organization at risk – from the C-level to different departments and locations down to suppliers, partners and customers. 
 
To deal with the heightened exposure that their digital infrastructure, assets, and accounts face online, and to fix issues before bad actors exploit them, organizations need digital risk management. There are four steps to achieving this visibility into digital risks.

1. What Are Your Critical Assets, and Where Are They?


The first step is, of course, understanding what an organization considers to be its critical assets. This will vary from organization to organization. For a technology or pharmaceutical company, it might be patents and intellectual property. For a retail company, it may be upcoming product names and customer-facing websites. For an investment bank, it might be a pending merger or acquisition. A useful exercise is to begin by thinking about the types of sensitive data you hold and how each might appeal to a range of threat actors. From there you can consider the ways adversaries might access this information and where you might be exposed.


2. What Are the Threats to Your Business?

Adversaries understand the value of this exposure and look to exploit it, but what they target varies with their motivation and goals. Understanding the threat is a key part of calculating risk, and there are several factors to consider when assessing it: a threat's behavior (capabilities and tactics), its motivations, and the opportunities it may exploit. The broad discipline of Cyber Threat Intelligence, if executed effectively, can provide useful insight into these threats.


3. How is Your Business Being Exposed?

Data always ends up online. For example, contractors back up proprietary information to misconfigured file-sharing drives, employees over-share on social media, and developers expose sensitive code on public code-hosting sites. To give a sense of scale, this is what a typical mid-sized organization finds in one year with Digital Shadows: 290 spoofed domains or social media accounts, 180 certificate issues, 84 exploitable vulnerabilities, 360 open ports, and 100 exposed business documents.


4. How Can You Protect Your Organization?

Next, organizations need to find ways to protect themselves against this heightened exposure. The organizations we have worked with have mitigated their exposure in three ways: detecting data loss, reducing their attack surface, and securing their online brand. When risks are managed at the business level, organizations can identify them at an early stage, take action, and protect the company.