Cyberattacks: Forget making them less likely, it’s about reducing the impact of an attack
Professor Carsten Maple, Director for Cyber Security Research, WMG, University of Warwick
Barely a week goes by without news of a cyberattack. The statistics confirm the casual observation that cybercrime is on the rise, both in the number of cases and its financial impact. Following his presentation at the 2018 conference, Professor Carsten Maple talks to us about reducing the impact of a cyberattack.
Building societies might enjoy Software-as-a-service and Platforms-as-a-service, but they certainly won’t enjoy the rise in Cybercrime-as-a-service. A recent Veracode/NYSE Governance Services report found only a third of Chief Information Security Officers were confident their company was secure against a cyberattack; statistics suggest this may be misplaced confidence.
Assessing risk is difficult
Understanding cybercrime risk is important – the problem is, risk assessment isn’t easy. There are tools and guidance for assessing risk, such as Deloitte’s Strategic Risk Management in Banking. However, even following a systematic approach can be difficult in assessing cybersecurity because the risk environment is so dynamic. New attackers are entering the arena continually, armed with new and increasingly sophisticated methods.
Assessing cybersecurity risk is even more difficult
It has been argued risk assessment is of limited use since it requires a business case to protect against something that hasn’t happened yet, and that risk reduction is guesswork at best. Donn Parker argued in 2007 that security risk is not measurable as there are too many unknowns. The frequency and impact of future incidents depend on variables under control of unknown and often irrational enemies with unknown skills, knowledge, resources, authority, motives, and objectives—operating from unknown locations at unknown future time. Furthermore, quantifying business impact with no precedent is difficult. He also notes correctly that threats evolve over time, therefore so do risk assessments. Notwithstanding this, there isn’t reason enough to abandon undertaking cybersecurity risk assessments.
To assess cybersecurity risk more effectively, requires adopting a ‘threat modelling’ technique: Identify the security threats, understand where the greatest risks lie, then implement targeted mitigation.
A threat actor will exploit a vulnerability dependent on a number of factors: motivation, skill and resources. They then must have the opportunity to launch the exploit. Successful exploitation depends upon the difficulty for the vulnerability to be exploited.
Therefore, threat modelling considers the identity of the threat actor: a state-sponsored attacker, organised crime circle, disgruntled former employee? Then the motivation: financial, political, revenge? This provides insight into who might attack, why and their capabilities and challenges, indicating the likelihood of a successful attack. An impact assessment is then conducted. Security risk assessments require input from across the organisation to be effective – not just the cybersecurity department or consultant.
Managing cybersecurity risks
It is possible to manage risk through ‘Avoidance, Reduction, Contingency, Transfer and Acceptance’. A new or improved firewall, intrusion detection system or staff training are common methods of reducing the risk of a cybersecurity breach. They can help reduce the likelihood of an attack, however, may not be the most efficient or cost-effective approaches.
Cybersecurity breaches will happen
Whilst work to reduce cyberattack likelihood is common, far too little attention is being paid to reducing impact.
The 2017 ‘Wannacry’ attack brought significant negative publicity to the NHS. We should not have been shocked that they were breached, but the impact of the attack was an issue. Had risk management involved reducing the impact of a similar attack, the consequences would have been far different.
Risk management to reduce cyberattack impact is much more complex than reducing likelihood, but it can be advantageous. The impact approach requires more investigation, and in order to reduce the cost of implementing such countermeasures, we need to build systems and processes with breach in mind. We need to anticipate that even with the best efforts, breaches will occur. Systems need to minimise impact, and be designed for recovery.