Prioritizing risks in a climate of geopolitical threats

Article in (IN)SECURE Magazine

The cybersecurity landscape has become increasingly hostile in recent years, with a growing threat from common cybercriminals as well as the looming shadow of state-level geopolitical activity. Recent research commissioned by the UK government found that 32 percent of UK businesses have identified a breach or attack in the last 12 months and – it should be noted – many more have likely been compromised but lacked the capability to detect it.

One of the key reasons for the cyber threat landscape becoming more hostile is that the bar for entry into cybercrime has never been lower. There is a growing awareness that you don’t have to be a genius hacker to be a successful cyber criminal, and that even someone with minimal technical skill can go on the dark web and purchase a malware kit and a guide on how to use it.

Cybercrime also presents an attractively low-risk option for a criminal: there is a multitude of tools available for obfuscating identity and location, and cases of arrest and trial are few and far between.

Many high-profile breaches were also made possible by businesses making basic errors in setting up their infrastructure and cloud solutions – essentially leaving their doors wide open for even the most unskilled criminals.

Spreading state-level attacks

The cybercriminal community has enjoyed an increasing level of access to more advanced hacking tools. There have been a number of instances of state-level hacking tools being leaked online, such as the set of NSA exploits leaked by the Shadow Brokers group in 2017, which were subsequently used in the infamous NotPetya ransomware outbreak.

It has also become increasingly apparent that nation states sometimes outsource aggressive cyber activity to groups that were previously thought to be autonomous, such as the “Fancy Bear” group that allegedly has ties to the military intelligence agency of the General Staff of the Armed Forces of the Russian Federation (also known as “GRU”).

This means that the average organization is now facing a greater level of attack sophistication and a larger number of potential adversaries. Most companies, however, are still not recognizing this risk.

How big a concern are geopolitical threats?

A great deal of attention was paid to nation-state cyberattacks this past year, particularly activity believed to be orchestrated by Russia’s GRU in relation to the spying and poisoning scandals. China and North Korea have also frequently been accused of aggressive international cyber activity in recent years.

But while we have seen more overt instances of cyber attacks mounted or directed by nation-states, this does not mean that the average organization should rush off to equip itself with defenses against advanced state-level attacks.

Intelligence agencies in most parts of the world are inhibited by significant legislation which bars corporate espionage, and even those without such limitations are still constrained by resources. Launching a targeted, high-level attack requires significant time and expertise, so state-level activity will only be commissioned against strategically important targets.

Unless an individual or organization is involved in terrorism or serious crime or is in some way deemed political by certain actors, they will not be of interest to any intelligence agency. Even Russia, with its history of aggressive cyber activity, has been focused on gaining political advantage over economic gain.

There are some exceptions. China has frequently been accused of orchestrating cyber attacks for commercial espionage, with a recent case involving attacks on universities in possession of intellectual property with military applications. However, rather than using secret state-level exploits, these attackers often use the same techniques and technology we see in common low-bar cyber-attacks.

Prioritizing risks

While the increased prominence of state-level attacks has served to increase awareness of cyber threats, it also frequently leads to skewed priorities that favor preparing for advanced attacks at the expense of the basics. For example, we have been approached by an increasing number of organizations asking about measures such as using military-level encryption to defend their assets from nation-state operatives, but most breaches occur because of basic failures such as weak passwords, exposure to simple phishing and poor patch management.

A common mistake for companies is basing their cyber strategy on perceived threats instead of on their actual risk profile. In one instance we spoke with a company that was spending six figures on security annually but, on closer inspection, had left most of its essential data vulnerable.

At the heart of cyber security is risk management. This is the constant cycle of understanding threats and the dangers they present, making a decision on whether to fix issues or live with them, and then moving on to the next threat. While risk management has long been a core business activity when it comes to financial and strategic issues, organizations are still struggling to account for cyber risks in the same way. The complexity and use of esoteric language and unknown acronyms lead to cyber threats still being seen as “other” and not fitting in with the usual understanding of risk.

Getting started with cyber risk management

As with all risk management, the first step in managing cyber risks is to start with the basics. First and foremost, this means gaining an understanding of what the company’s most valuable assets are and identifying the security gaps that might expose them. An in-depth gap analysis will show what the company has done well and where it failed and – most important – what needs to change.

Once this has been established, the company can start fixing the issues and closing the gaps. Some vulnerabilities will be near-instant fixes while others may take a year or more. Whatever the issue, the process needs to be highly organized and structured with objectives, deadlines and responsibilities. This process will also help the company understand if it’s investing in the right things and prevent it from wasting money on costly and unnecessary advanced solutions at the expense of basic security hygiene.
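To make the process above concrete, here is a small risk register that carries the two steps through in code: each gap found in the gap analysis is tied to the asset it exposes and scored by likelihood and impact, the list is ranked so that the basics (passwords, patching, phishing) surface above exotic concerns, and every remediation item is checked for an owner and a deadline. This is an added illustration written for this article, not code from the article or from (IN)SECURE Magazine; the gaps, scores, owners and dates are constructed sample data, and the 1-5 ordinal scale is an assumption (any consistent scale works, since the ranking depends only on the product).

```python
"""Minimal cyber-risk register: score identified gaps, rank them, and check
that every remediation item has an owner and a deadline.

Constructed example; the entries below are sample data, not real findings.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class Gap:
    name: str
    asset: str                      # the valuable asset the gap exposes
    likelihood: int                 # 1 (rare) .. 5 (almost certain), assumed scale
    impact: int                     # 1 (negligible) .. 5 (severe), assumed scale
    owner: Optional[str] = None     # who is responsible for closing it
    deadline: Optional[date] = None  # when it must be closed by

    def __post_init__(self) -> None:
        for value in (self.likelihood, self.impact):
            if not 1 <= value <= 5:
                raise ValueError(f"{self.name}: likelihood/impact must be in 1..5")

    @property
    def score(self) -> int:
        """Risk score = likelihood x impact (simple qualitative matrix)."""
        return self.likelihood * self.impact


def rank_gaps(gaps: List[Gap]) -> List[Gap]:
    """Highest risk first; ties are broken by impact, so a severe-but-less-likely
    item outranks a likely-but-milder one with the same product."""
    return sorted(gaps, key=lambda g: (g.score, g.impact), reverse=True)


def remediation_problems(gaps: List[Gap], today: date) -> List[Tuple[str, str]]:
    """Return (gap name, problem) pairs for items that cannot be tracked:
    no owner, no deadline, or a deadline that has already passed."""
    problems = []
    for g in gaps:
        if g.owner is None:
            problems.append((g.name, "no owner"))
        if g.deadline is None:
            problems.append((g.name, "no deadline"))
        elif g.deadline < today:
            problems.append((g.name, "overdue"))
    return problems


# Constructed sample register. Note the "military-grade encryption" item at
# the bottom: low likelihood and low impact, so it ranks last despite the
# attention such measures attract.
SAMPLE_GAPS = [
    Gap("Weak or reused passwords on VPN", "remote access", 5, 4,
        owner="IT operations", deadline=date(2019, 9, 30)),
    Gap("Unpatched internet-facing web server", "customer portal", 4, 5,
        owner="Platform team", deadline=date(2019, 8, 15)),
    Gap("No phishing awareness training", "staff mailboxes", 4, 3,
        owner=None, deadline=date(2019, 12, 31)),
    Gap("Unencrypted customer database backups", "customer records", 2, 5,
        owner="DBA team", deadline=date(2019, 6, 1)),
    Gap("Public marketing site lacks 'military-grade' encryption", "brochure site", 1, 1,
        owner="Marketing", deadline=date(2020, 1, 1)),
]

# Constructed "current date" used when checking deadlines in the demo.
DEMO_TODAY = date(2019, 7, 1)


def ranked_names(gaps: List[Gap]) -> List[str]:
    """Convenience view of the ranking, highest risk first."""
    return [g.name for g in rank_gaps(gaps)]


if __name__ == "__main__":
    print("Remediation order (score, asset, gap):")
    for g in rank_gaps(SAMPLE_GAPS):
        print(f"  {g.score:2d}  {g.asset:<18} {g.name}")
    print("\nItems that cannot be tracked as-is:")
    for name, problem in remediation_problems(SAMPLE_GAPS, DEMO_TODAY):
        print(f"  {name}: {problem}")
```

Run as a script it prints the remediation order and then flags the two untrackable items: the phishing training gap has nobody responsible for it, and the backup encryption deadline has already slipped. Extending the register with cost or effort per item would let the same ranking drive the budget discussion the article describes.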