
Effective cyber spend: how to align your cyber security efforts to your business-critical systems

Written by Rosie Anderson
December 2, 2024

Welcome to the latest in my Cyber ROI mini series! In my last blog post, I discussed how an IT or Cyber Security leader can ensure your cyber strategy aligns with your business goals.

In this blog post, I’ll discuss how to assess your threat profile and protect your critical systems to ensure effective cyber security spend.

Who would want to attack my business?

A simple formula to work out what makes you interesting to a threat actor (or a potential attacker) is:

Geolocation + industry + industries you supply to + who supplies to you + customer base/data that you hold

Threat actors have a variety of motives, from disruption to financial gain, to blackmail and even espionage. For some attacks, your business may be a gateway into a larger organisation. For instance, in the Target cyber attack as far back as 2014, Target was breached via network credentials from its HVAC supplier. Once inside the network, the attackers were able to upload card-stealing malware onto a number of cash registers. The breach exposed approximately 40 million debit and credit card accounts in just under a 3-week period.

The HVAC system supplier may have thought, “who is going to attack me?” However, as they supply to large retailers, they are part of their ecosystem of trust, and therefore a potential target. A sophisticated attacker may have assumed they invest less in cyber security than Target, with its almost £60 billion net worth. This is why understanding your supply chain, both who you supply to and who supplies to you, is an important aspect of understanding your threat profile. Only once you’ve established your threat profile can you think about effective cyber spend.

What are my critical systems?

If we think about the data that we hold that is of interest to an attacker, we will likely come to a list of critical systems that hold that type of data. If your business holds payment card information or PII (personally identifiable information), these systems may be part of that critical list.

However, an attacker’s motives can be as simple as disruption, so we also need to think about which systems your business needs in order to trade and operate; these also make up your critical systems.

With your adversaries’ motives and your critical systems in mind, map the path from the external boundary of your business to those critical systems and ask how they can be reached. Consider the following:

  • Do you have public-facing IP addresses or are they hidden behind content delivery networks, such as CloudFlare?
  • Do you have an Application Proxy or a VPN?
  • Do you have Remote Access software/load balancers/gateways?
  • For your internal networks, do you have flat networks without any segregation or routing protections? Or do you have segregated network controls such as firewalls or routers? Or maybe VLANs?
  • Where is your external infrastructure hosted? Is this cloud-based, in a datacentre, a home network or an office?
  • Do you have the same locations for your internal infrastructure?
  • Do you have any infrastructure or services that are hosted by third-party vendors/suppliers?
  • What protections do you have in place for those systems, networks and data? Would you know if they were accessed without authorisation?

Once you have mapped out your infrastructure and your systems, the next step is to test those boundaries. You can use either your internal team or an external consultant to do this. Ensure you have authority to test, but do not tell your teams that a pen test is happening: try to access those critical systems one by one and see whether your technology, your people or your processes pick up the unauthorised attempt.

You need to document everything that happens, as this will be a critical part of your review process.

Assessing your technologies for effective cyber spend

There are further important questions you’ll need to ask yourself. We never said it was easy!

  • Which systems picked up unauthorised access?
  • Once access was gained to one system, could this be leveraged to reach other systems?
  • Are there network design changes you can make to better secure or separate your critical systems?
  • Do you have any duplicate technologies and tools?
  • Are there any tools that should have picked up unauthorised access that didn’t? Can these be configured better?
  • Is there technology you are already using or familiar with that can help fill your security gaps? Not every security gap will need another new tool; you may be able to get better coverage from your existing tools or vendors who already know your environment.

You may have picked up issues such as outdated software that could be exploited and, hopefully, you will have some quick wins or low-cost options to further protect these systems, further ensuring effective cyber spend. One example we have seen is businesses with expensive EDRs that haven’t picked up attacks that Microsoft Defender did! Another quick win could be configuring the native security settings in Microsoft or Google.

In the next and final part of this blog series, I will discuss how to assess the People and Processes part of your cyber defence strategy.

In the meantime, if you would like a copy of our Cyber ROI Checklist, drop me a message via our contact form.

This article is written by Rosie Anderson, Head of Strategic Solutions

Also known as our Magical Genie Person, Rosie helps businesses solve their cyber challenges. She is fascinated with the cyber security industry and believes in giving back. Rosie co-founded BSides Lancashire, brought back BSides Leeds, is the Head of Industry Mentoring at CAPSLOCK and hosts the Bee in Cyber podcast.

Favourite bands: Oasis and The Beatles. Dream job as a child: Lawyer. Favourite TV show to binge-watch: Diners, Drive-Ins and Dives. First meal after being stuck on a desert island: Full English Breakfast.