The Risk Prioritisation Process in an Increased Cyber Threat Landscape
21 May 2020 | Santhosh Kumar
The UAE's Telecommunications Regulatory Authority (TRA) recorded an 11 per cent monthly rise in cyberattack attempts against the country’s federal government entities in March 2020. As per their statement, more than 34,930 attempts were stopped last month, an increase of 3,449 on February's numbers. Fifty-nine per cent of the cases were related to malware, 34 per cent were attempts to exploit systems, and more than 6 per cent were phishing attempts. Refer to the Monthly UAE Security Report (MAR 2020) on the TRA website for complete details.
The enforced social distancing rules have pushed most organisations towards a “working from home” initiative, asking employees to perform their daily activities by connecting remotely to the corporate network. Enabling remote connections, especially to networks which otherwise wouldn’t be accessible online, can pose additional risks.
As a result, the threat surface has increased, and cybercriminals are trying to take advantage of the overall situation by strategising their attacks while exploiting heightened emotions like stress and panic.
This has resulted in an increase in cyber threats and in the associated cyber threat intelligence (CTI) being generated for organisations’ consumption. CTI contains information about threats and threat actors that helps mitigate malicious activity. Therefore, it is in an organisation’s best interest to consider integrating CTI with the risk management process to enable the organisation to take corrective actions based on risk prioritisation.
There are several practical challenges with this integration process because of the time-sensitive nature of the emerging threats. These challenges warrant a discussion around a more suitable approach under unprecedented circumstances when it comes to rethinking risk prioritisation.
Organisations utilise CTI information to mitigate any relevant vulnerabilities within their business environment before these are identified and targeted by threat actors. The CTI team should first identify any vulnerabilities within the business environment that correspond to the nature of the increased cyber threats. Then, the CTI team should inform the corresponding stakeholders (mostly Information Technology and Cyber Security teams) to fix these vulnerabilities. However, organisations do not have unlimited resources or bandwidth and require some prioritisation to fix those cyber threats that are critical and require immediate action.
Organisations might already be using a risk-based prioritisation for the cyber threats arising out of CTI. A risk-based approach to cybersecurity means that risk is considered above all other factors when making security-related decisions. This approach would not be very effective if it did not consider the time-sensitive nature of these threats. A risk-based prioritisation with a time-sensitive approach would enable organisations to take risk-aware decisions in a timely manner.
This risk prioritisation should be implemented by integrating the threats arising from CTI into the cybersecurity risk management process. The cybersecurity risk management team should calculate the risk ratings (e.g. High, Medium and Low) for these threats based on their risk management framework (impact and likelihood statements). Refer to the matrix below for a sample risk prioritisation matrix. Then, the cybersecurity risk management team should provide risk-based prioritisation for these threats to the corresponding stakeholders. Finally, the stakeholders should take corrective actions based on these risk ratings and their associated timelines. A risk-based approach to CTI would ensure effective prioritisation of cyber threats and their corresponding mitigation efforts.
However, there are several practical challenges while using a risk-based approach to prioritise CTI. These are mainly due to the time-sensitive nature of these threats. Stakeholders need to take immediate action to mitigate these real-world threats, as threat actors (attackers) are continuously exploiting them. However, the risk prioritisation might unintentionally delay the process of corrective action, as a regular cybersecurity risk assessment should be performed for these threats. Hence, the stakeholders might need to wait until the issuance of the complete risk assessment report to initiate corrective actions. This unintentional delay could be considered critical and even unacceptable, given the time-sensitive nature of these threats. These challenges are elaborated below:
Though these challenges might appear daunting at first glance, diligent evaluation of existing processes could provide some valuable solutions. There is no perfect solution for these practical challenges. However, some careful changes to existing processes could result in an optimal and feasible solution. They are:
With organisations receiving increased CTI about cyberattacks and the associated threats, they will require a method of prioritisation for taking corrective actions. Refer to “Cyber Threats In The Midst Of COVID-19 Pandemic” in the Digital14 Insights section for the latest Cyber Threat Intelligence report published in April 2020. The current situation provides compelling reasons to review and enhance the integration of CTI with the cybersecurity risk management process, with specific consideration given to the time-sensitive nature of these cyber threats. The above recommendations would be a great start for this enhanced integration process. Organisations can also speak with an external Governance, Risk and Compliance (GRC) consultant to manage this enhanced integration process.