- 09/30/2020
- Management, Awareness and Compliance
Digital Risk Management: Four Steps to Implementing Cybersecurity
Organizations are looking at new ways to deal with their heightened exposure online. Here are four steps to achieve visibility into threats and manage digital risks.

Digital transformation touches all aspects of the business, and every new technology, connection, or application results in increased complexity. Accompanied by a more acute threat, this transformation frequently leads to the loss of sensitive corporate data, violation of privacy laws, and damaged reputations. It also means that a physical network no longer determines the organization’s boundary; the very data organizations seek to protect is spread across third parties, social media, mobile devices, and the cloud.

15 Billion Usernames and Passwords on Offer
In fact, Digital Shadows found more than 15 billion credentials in circulation in cybercriminal marketplaces, many on the dark web – the equivalent of more than two for every person on the planet. The number of stolen and exposed credentials has risen 300% from 2018 as the result of more than 100,000 separate breaches. Some of these exposed accounts can have (or have access to) incredibly sensitive information. Details exposed from one breach could be re-used to compromise accounts used elsewhere. These incidents put everyone in the organization at risk – from the C-level to different departments and locations down to suppliers, partners and customers.

In order to deal with the heightened exposure their organizations’ digital infrastructure, assets, and accounts face online and fix issues before bad actors exploit them, digital risk management becomes essential. There are four steps to achieving this visibility into digital risks.
1. What Are Your Critical Assets, and Where Are They?
This first step is, of course, understanding what an organization considers to be their critical assets. This will vary from organization to organization. For a technology or pharmaceutical company, it might be their patents and intellectual property. For a retail company, it may be upcoming product names and their customer websites. For an investment bank, it might be a pending merger or acquisition. A useful exercise for organizations is to begin thinking about the type of sensitive data you hold, and how this might be appealing to a range of threat actors. From there you can think about the ways adversaries might access this information, and where you might be exposed.
2. What Are the Threats to Your Business?
Adversaries understand the value of this exposure and look to exploit it, but what they target will vary based on the adversary’s motivation and goals. The ability to understand the threat is a key part of calculating risk, and there are a number of factors to consider when assessing it; we need an understanding of a threat’s behavior (capabilities and tactics), motivations, and the opportunities the threat may exploit. The broad discipline of Cyber Threat Intelligence, if executed effectively, can provide useful insight into these threats.