Over the last few years, there has been increasing interest by CISOs and business leaders in cybersecurity risk quantification. Many of the CISOs we are working with are keen to connect security risk to the language of business. In this article, Graeme Payne reviews how cyber risk quantification and decisioning can be used to communicate cyber risk more clearly and accurately to the business, including:
- Pitfalls of the traditional approach to communicating cyber risk
- The shift to cyber risk quantification and decisioning
- Where to start your cyber risk quantification journey
- Why now is the time to start
Cybersecurity risk is now ranked by Global CEOs as the top threat to growth. The increasing digitization of business, expansion of digitized data, and high reliance on technology have created many opportunities for threat actors to attack companies’ systems and data.
While senior business leaders and Boards of Directors intuitively understand that cybersecurity is a key risk, they are challenged to evaluate it in relation to other risks such as credit, liquidity, and market risk. At the same time, security leaders want to be able to communicate risk in business terms.
Pitfalls of the traditional approach to communicating cyber risk
The traditional approach to communicating cyber risk has been to use ordinal scales for determining the likelihood and impact of a risk, for example, 1 (low) to 5 (high). Risks are then plotted on a risk grid so that management can visualize the relative severity of the risks facing the organization.
In their book How to Measure Anything in Cybersecurity Risk, authors Douglas Hubbard and Richard Seiersen point out many of the pitfalls of using these techniques. Pitfalls of the traditional approach to communicating cyber risk include:
- Heavy reliance on the subjective judgment of the risk assessor to determine likelihood and impact.
- A greater tendency to inflate risk because of the uncertainty of the measurements.
- A perception that the scores rest on a scientific method, which delivers only a “placebo effect”.
- A lack of evidence that traditional risk scoring and risk matrices improve cybersecurity decision making.
- A belief that some elements cannot be measured, or are too few to be representative.
Instead, they argue for a more quantitative approach to measuring cybersecurity risk.
The shift to cyber risk quantification
There are multiple approaches and tools available to help CISOs in quantifying cybersecurity risk. Kudelski Security has teamed up with X-Analytics, a leading provider of cybersecurity risk decisioning services. X-Analytics is a patented and validated cyber risk decisioning platform that is changing how executives, boards, and the risk management industry understand and manage cyber risk.
X-Analytics leverages a combination of firmographic data about the organization and historical cybersecurity incident data to deliver financial metrics that enable better cyber risk decisions. Key factors addressed in the model include:
- Inherent risk
- Control effectiveness
- Residual risk
- Loss categories
The model also allows for “what if” simulations to model potential investment returns in evolving the security program.
When to use a cyber risk decisioning platform
The adoption of cybersecurity risk quantification is a journey. In working with our clients, we have identified several use cases for when to use a cyber risk decisioning platform.
Evaluating cyber insurance and self-insurance
The relatively immature nature of the cybersecurity insurance market has resulted in the insurance industry experiencing high losses. Consequently, insurance premiums, underwriting standards, and contract exclusions have all increased. In some cases, organizations are deciding to self-insure their cyber risk.
Using X-Analytics, we have been able to help our clients through this decision process and optimize the insurance spending and capital allocation needed to address the overall cyber risk.
Justifying and prioritizing cybersecurity investments
By measuring the amount and range of potential financial impacts resulting from cybersecurity risk, the senior management, Board, and CISO can now engage in a discussion about cyber risk appetite and risk tolerance expressed in financial terms.
Now investments to reduce financial exposure can be considered alongside other investments that generate revenue or reduce risk. Armed with quantified financial dashboards and metrics, the key stakeholders are all using the language of business to discuss cyber risk and return on investment.
X-Analytics provides “what if” analysis features that allow a range of investment options to be considered and measured.
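As an added illustration (not code from the original article, and not X-Analytics' model), the following Python sketch shows the kind of quantified “what if” comparison this section describes: a Monte Carlo annual-loss distribution for one scenario, the probability of exceeding a stated risk tolerance, and the expected-loss reduction from a control net of its cost. The scenario figures, the control's assumed effect, and the `what_if` helper are all assumptions.

```python
"""Monte Carlo cyber loss model: a constructed illustration, not X-Analytics' method.
A scenario is an annual event frequency (Poisson) plus a 90% confidence interval on
loss per event (lognormal), the calibrated-estimate approach Hubbard and Seiersen
advocate over 1-to-5 ordinal scores. All inputs below are constructed sample values."""
import math
import random

Z90 = 1.6449  # z-score bounding a 90% interval (5th to 95th percentile)


def lognormal_params(low, high):
    """Convert a 90% CI on loss magnitude into lognormal (mu, sigma)."""
    mu = (math.log(low) + math.log(high)) / 2
    sigma = (math.log(high) - math.log(low)) / (2 * Z90)
    return mu, sigma


def poisson(rng, lam):
    """Knuth's Poisson sampler; adequate for the small annual rates used here."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_loss(freq_per_year, loss_low, loss_high, years=10000, seed=1):
    """Total loss per simulated year: a random event count, each event with a
    magnitude drawn from the calibrated lognormal."""
    rng = random.Random(seed)
    mu, sigma = lognormal_params(loss_low, loss_high)
    losses = []
    for _ in range(years):
        events = poisson(rng, freq_per_year)
        losses.append(sum(rng.lognormvariate(mu, sigma) for _ in range(events)))
    return losses


def summarize(losses):
    """Expected annual loss, 1-in-20-year loss (95th percentile, nearest rank)
    and the probability of suffering any loss in a year."""
    s = sorted(losses)
    return {"expected_annual_loss": sum(s) / len(s),
            "loss_95th_pct": s[math.ceil(0.95 * len(s)) - 1],
            "prob_any_loss": sum(1 for x in s if x > 0) / len(s)}


def exceedance_probability(losses, tolerance):
    """Share of simulated years whose loss exceeds a stated risk tolerance."""
    return sum(1 for x in losses if x > tolerance) / len(losses)


def what_if(scenario, control, years=10000, seed=1):
    """Baseline vs. treated exposure for a control that scales event frequency
    and/or loss magnitude; risk reduction is reported net of the control's cost."""
    base = simulate_annual_loss(scenario["freq"], scenario["low"],
                                scenario["high"], years, seed)
    treated = simulate_annual_loss(scenario["freq"] * control["freq_factor"],
                                   scenario["low"] * control["loss_factor"],
                                   scenario["high"] * control["loss_factor"],
                                   years, seed)
    b, t = summarize(base), summarize(treated)
    reduction = b["expected_annual_loss"] - t["expected_annual_loss"]
    return {"baseline": b, "treated": t, "annual_risk_reduction": reduction,
            "net_annual_benefit": reduction - control["annual_cost"],
            "p_exceed_tolerance": (exceedance_probability(base, scenario["tolerance"]),
                                   exceedance_probability(treated, scenario["tolerance"]))}


if __name__ == "__main__":
    # Constructed ransomware scenario: 0.4 events/year, $100k..$1M per event (90% CI),
    # $500k Board tolerance; hypothetical control (offline backups plus EDR) costing
    # $60k/year that halves frequency and trims loss per event by 40%.
    r = what_if({"freq": 0.4, "low": 100_000, "high": 1_000_000, "tolerance": 500_000},
                {"annual_cost": 60_000, "freq_factor": 0.5, "loss_factor": 0.6})
    for key in ("baseline", "treated"):
        print(key, {m: round(v, 2) for m, v in r[key].items()})
    print("reduction:", round(r["annual_risk_reduction"]), "net:", round(r["net_annual_benefit"]),
          "P(loss > tolerance) before/after:", r["p_exceed_tolerance"])
```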
Evaluating a potential acquisition
When a company is considering an acquisition, it is often difficult for the security leader to evaluate the potential risks inherent in the acquisition. Due diligence is often limited, and there is a lack of detailed information to really understand cyber risk. Using a risk quantification platform can provide a quick analysis of the potential cyber risk that the organization may assume if the acquisition is completed.
Evaluating the impact of specific threats
Cyber risk quantification analysis allows the security leader to focus on the potential financial impact of specific threats. For example, Boards of Directors are very interested in the company’s exposure to ransomware. Using a tool like X-Analytics allows the security leader to provide a specific financial quantification of that risk profile. Management can then evaluate whether the analyzed risk is acceptable or, if not, what mitigations need to be implemented to reduce the risk to an acceptable level.
Communicating cybersecurity program effectiveness
As the senior management and Board become accomplished in understanding and using a risk quantification model for cyber risk, the security leader can now use it to measure and report on the overall security strategy and program. As changes occur in the threat landscape and business environment, these can be seen in changes in the loss estimates. Similarly, as investments are made in security controls and processes, the payback in terms of reduced risk exposure can be measured and reported in financial terms.
Where to start your cyber risk quantification journey
We have four tips to help security leaders get started on their cyber risk quantification journey:
- Get comfortable with the risk decisioning model.
- Socialize the model with peers.
- Integrate the decisioning model into your overall risk framework.
- Leverage the model to communicate the organization’s overall risk profile.
Get comfortable with the cyber risk decisioning model
First, the security leader needs to be comfortable with the risk decisioning model and the underlying assumptions. They don’t need to be a financial expert, but understanding the basic inputs and drivers of any model is important. Experiment with different assumptions and inputs to understand the model’s sensitivity and drivers. Leverage experienced consultants to help ramp up quickly.
Socialize the cyber risk decisioning model with peers
Second, socialize the risk quantification model and dashboards with peers. Finance, insurance, and other risk professionals in the organization will want to understand the model. Start with one of the use cases described above and build from there. For example, use the model to help with your next cyber insurance review.
Integrate the decisioning model into your overall risk framework
Third, find ways to integrate the risk decisioning model into your overall risk framework. Consider how it can be used to help in managing your risk register, determine risk impacts, and evaluate risk treatments.
Use the “what if” analysis tools to help evaluate the efficacy of risk treatments. Expand the tool to measure risks at a business unit level. Use it to measure and manage supply chain risks.
Leverage risk quantification and decisioning to communicate overall risk profile
Finally, leverage risk quantification and decisioning to communicate the overall risk profile of your organization to your Board and senior management. Use the tools and models to help in your discussions of risk appetite and risk tolerance. Align your security investments and strategic roadmaps with the risk profile to demonstrate how investments in developing and maintaining capabilities are providing a payoff in risk reduction.
Why now is the time for cyber risk quantification and decisioning
In Cyber-Risk Oversight 2020, the National Association of Corporate Directors provides the following guidance:
“To address these increased expectations, companies need to understand the financial impact associated with cyber-event risk. Boards of directors and management are also expected to demonstrate to investors due care in the governance and oversight of cyber risk…. Leveraging these mathematical and scientific methods for improved analyses can allow for more effective decision making compared to qualitative types of risk scoring and heat map risk reporting.”
Regulators such as the Securities and Exchange Commission and investor groups are also calling for increased disclosure of cyber risk, including understanding the financial implication of cyber risk.
Now is a great time for security leaders to step forward and take the lead in cyber risk quantification. I would encourage security leaders to start experimenting and getting comfortable with cyber risk decisioning.
The ransomware threat is nothing new. Though it really got going around the mid-2010s, cyberattacks in which malicious actors encrypt files and demand payment to render them accessible again have been launched for over thirty years.
Recently, however, the nature of the battle against ransomware has changed: defenders must contend with greater attack volumes, higher ransom demands, and more sophisticated strategies for disseminating malware across IT environments — as well as more widespread activity. Because ransomware attacks continue to be highly lucrative for criminals, it’s unlikely that this trend will reverse itself anytime soon.
The Evolution of the Current Ransomware Threat
The first known ransomware attack took place in December 1989. Delegates who attended the World Health Organization’s AIDS conference that year were sent floppy disks containing malicious code that installed itself onto MS-DOS systems and eventually encrypted filenames, rendering the affected systems basically unusable. Victims were instructed to mail payment to the “PC Cyborg Corporation” at an address in Panama in order to regain access to their files.
As you might imagine, this early attack wasn’t enormously successful. Not only was postal mail an inefficient means of collecting payment, but the encryption methods used by the trojan were weak, so security researchers were able to develop a decryption tool, which they quickly released to the public.
For all its failures, the AIDS Trojan/PC Cyborg attack unwittingly provided the next generation of attackers with a blueprint of what to avoid and what to do better in order to achieve their objectives.
Newer generations of ransomware included public-key cryptography (ensuring that decryption keys didn’t have to be embedded in the malware), effective means of gaining initial access to victim environments and of spreading across an organization’s IT systems, and a solid strategy for collecting anonymous cross-border payments.
With the rise of Bitcoin and other cryptocurrencies in the early 2010s, the stage was set for ransomware to become the constant and growing threat that it is today. CryptoLocker, which began to propagate in 2013 via spam and phishing attachments, targeted home computer users, used strong public-key cryptography, and demanded payment in Bitcoin. By 2015, the FBI reported that there had been more than 1,000 victims of CryptoLocker, with collective total losses that exceeded $18 million.
The modern ransomware era — in which malware spreads widely, attacks are high-profile, ransoms are often in the millions of dollars, and victims are pressured to pay up right away — arguably began with the WannaCry ransomware attack in 2017. Exploiting a Microsoft Windows vulnerability for which a patch was already available, WannaCry eventually infected more than 230,000 computers in over 150 countries, making Bitcoin payment demands in 20 different languages. WannaCry’s perpetrators demanded only $300 per infected machine. We’ll likely never know if WannaCry was truly intended to collect ransoms from all infected victims, if the malware was released prematurely, or if it was simply intended to cause mass disruption. However, WannaCry was clearly designed by nation-state-level attackers attempting to do damage on a massive scale. WannaCry’s authors incorporated extremely effective and stable remote code execution exploits and wrote the ransomware to spread across networks automatically. Since then, we’ve seen many ransomware actors build these worm-like functionalities into their malware to infect an entire organization quickly.
Scaling Up: Ransomware-as-a-Service Emerges
Over the last few years, ransomware operators have looked to legitimate software developers for a new business model. As Software-as-a-Service (SaaS) became popular, criminals began supplying access to ransomware toolkits to anyone who wanted to build their own ransomware extortion “business”. These Ransomware-as-a-Service (RaaS) kits made it possible for would-be criminals with little technical skill or expertise to launch ransomware attacks, as long as the RaaS operators get a cut of the ransom. The kits are widely advertised and marketed on the dark web, where everyone from organized cybercriminal groups to individuals can purchase them. Just like regular SaaS, RaaS can include 24×7 user support, additional bundled offers, and access to user reviews and community forums. And the prices for access are relatively low, ranging from $40 to several thousand dollars a month or simply a percentage commission on any ransomware payments received.
With the average ransom demand in late 2020 reaching a new high of $847,344 — and continuing to trend upwards — it’s easy to see how this cost model would be advantageous for criminals. After all, only a small portion of the attacks need to succeed in order for the attacker to generate significant revenue.
The broad global adoption of cryptocurrencies facilitates both the sale of RaaS kits and the collection of payments from victims. Meanwhile, ransomware development is becoming more and more professionalized and is operating on an industrial scale. RaaS operators continue to reinvest their earnings into more reliable exploits and into software developers who are tasked with quickly integrating the latest attack tooling and methods. This enables ransomware cybercriminals to gain initial access to victim environments by leveraging the latest exploits, improved techniques for orchestrating lateral movement, and better ransomware deployment capabilities overall. Criminal groups are also offering pre-established access to a victim’s network in exchange for a percentage of the final ransom payment. This gives less-skilled criminals access to greater numbers of potential victims, and better-resourced groups the advantage of scale.
How to Prevent Ransomware as It Continues to Rise
Over the coming months and years, it’s all but certain that ransomware attacks will continue to increase in frequency, severity, impact, and economic cost. If the opportunity remains, criminals will take advantage of it. As long as companies continue to pay ransoms rather than face the catastrophic business and operational consequences of extended downtime, there’s no end in sight. Every time that a victim pays up, it feeds the criminals’ incentive to perpetrate further attacks.
Far too many organizations still fail to master the basics of cybersecurity hygiene, including maintaining ongoing visibility into their asset inventory, managing vulnerabilities, and reducing the attack surface. Particularly because RaaS makes it possible for less-sophisticated threat actors to perpetrate large volumes of attacks, it’s very common for attackers to exploit relatively simple mechanisms to gain initial access to the environment where they’ll deploy the ransomware.
What’s more, in today’s world criminal-friendly payment methods are readily available. It’s possible to collect anonymous payments in multi-million-dollar amounts, and cybercriminal groups based in Eastern European countries do so on a regular basis. Though attribution is always a challenge, it appears that some nation-state actors are affiliating themselves with these organized criminal groups as ransomware attacks become part of the global geopolitical cyber battlefront.
Despite the best efforts of law enforcement and government agencies, these criminal groups continue to operate with impunity. Because they’re located in jurisdictions where they have tacit or explicit protection from governments and local authorities, it’s extremely difficult to stop them.
And as growing numbers of high-profile attacks attract media attention, they continue to invite copycats to imitate them. The Colonial Pipeline attack, for instance, drew the entire world’s notice when it successfully brought the fuel supply to the eastern United States to a halt. Soon afterward, the Kaseya supply chain attack demonstrated the enormous scale of the impact that such attacks can have.
In the wake of these events, it’s likely that we’ll see increasing government intervention, including new regulations and disclosure requirements. Meanwhile, insurers are increasingly opting out of covering this risk or demanding high premiums.
It’s incumbent upon all organizations to limit their risk exposure by developing and implementing a cyber risk management program that’s rigorous and quantitative in nature. Without this — and a strong foundation of security hygiene, incident response planning, and putting appropriate controls in place — the financial consequences will eventually become too grave to bear.
Time to update your vendor risk management program? In this article, Graeme Payne, Kudelski Security’s practice leader for strategy, risk, and compliance, covers the four essential areas for consideration in building a robust VRM.
You may have a grasp on your own organization’s security and have good data and threat visibility, but beyond your environment, you are blind. You have limited control over the security measures taken by external service providers, IT vendors, and related third parties. Their vulnerabilities become your vulnerabilities. Any breach they experience becomes a potential breach of your environment, too.
In short, their risk is yours.
You may be able to surface, assess, and mitigate their risks if it’s just a question of a few vendors, but most businesses have a vendor list that can reach thousands — from parts suppliers, cloud solution providers, and law firms to call centers, consultants, and human resource benefit providers. The list of data they potentially have access to is equally long — from trade secrets and IP to personal data and company policies. All of this is at risk if your vendors do not have adequate security and privacy protections in place.
So, how, as a security leader, should you design, establish, and maintain a vendor risk management program that will help you sleep better at night? You start with the following objectives:
- Identify the cybersecurity risks within the supply chain and business vendor landscape
- Continuously evaluate and monitor the effectiveness of vendors in managing cybersecurity risk to an acceptable level
- Provide a mechanism to respond to a vendor’s security failures that impact your business
- Provide awareness to senior management and Board regarding vendor risks
As you consider these objectives, build out your vendor risk management program based on industry best practices. The following best practices should be considered as you design your program:
Identifying risks within your supply chain and business vendor landscape starts with building an inventory of vendors and placing them into risk tiers. A good place to start is your vendor master within the organization’s accounts payable system. This will identify all the vendors that you are paying for goods and services. Once you have the inventory, you can place them in risk tiers. Your risk modeling approach should consider the type of data accessed by the vendor, the criticality of the vendor to your business process, the connectivity of the vendor to your data, systems and networks, and any recently observed experiences with the vendor. Creating risk tiers will allow you to build a program that is responsive to the risk in each tier and to focus your limited resources on the areas of greatest risk.
As you build your vendor risk program, you should work closely with procurement, legal, and other functions. Your cybersecurity vendor risk program should integrate with your organization’s vendor life cycle processes. Security requirements should be defined and used in new vendor identification; selection, negotiation, and contracting should include security and privacy protections in contracts; onboarding and implementation should include an appropriate security review; and termination processes should ensure destruction or removal of sensitive data. With strong collaboration across functions, a more unified vendor risk program can be implemented that addresses all key risk areas, including financial viability, safety, and legal compliance.
There are many approaches to evaluating and monitoring vendors. Popular techniques to evaluate how vendors are addressing their cybersecurity risk include: surveys and questionnaires; review of third-party audits and certifications; onsite visits; technical testing; and continuous monitoring. As you design your program include flexibility in your approach to evaluating and monitoring vendors. A risk-based approach should be used to determine the extent and frequency of evaluation. Higher risk vendors will need higher levels of assurance such as completion of security questionnaires, onsite visits or audits, security certification, or ongoing intelligence monitoring. Lower risk vendors might need to complete a simplified questionnaire or be subject to less frequent review. Also be reasonable in what you expect from vendors; don’t ask for information that you are not using to evaluate risk. Far too many vendor questionnaires request data that is never used in the risk management process.
Your vendor risk program should use automation to help efficiently manage many of the vendor risk processes. Over the last several years there has been significant growth in the number of tools that can help automate aspects of your vendor risk management program; Gartner now tracks this as a separate category of software. Many integrated risk management or governance, risk, and compliance tools provide third-party risk management modules, and there are also many solutions that focus solely on vendor risk. Most of these solutions now run in a software-as-a-service mode. Many include the ingestion of intelligence about a vendor’s cybersecurity profile, financial condition, and business conduct to complement other frequently used evaluation methods (such as security questionnaires and onsite visits). Integration with procurement, ERP, and service management tools is also becoming commonplace.
Vendor risk management is still a relatively new field and continues to evolve. VRM-as-a-service offerings are emerging to help offload some of the “heavy lifting” in managing a vendor risk program. Several exchanges and shared assessment programs are now in place to reduce the burden on vendors completing literally hundreds of questionnaires. Security certification programs are gaining more prominence as vendors seek to provide assurance that their security programs meet acceptable industry standards.
When a vendor suffers a data breach or significant security incident, your business may also be impacted. Your program design should integrate vendor risk management into your incident response process. Studies indicate that 60% of data breaches involve a third party. Your vendor cybersecurity requirements should stipulate how soon you should be notified of a potential security breach or incident. Your incident response playbooks should address the actions your incident response team should take when a vendor incident occurs. Critical vendors should be included in your incident response tabletops and simulations.
Boards of Directors are increasingly asking security leaders about third party risks. Your program should include dashboards and metrics that measure and report on third party risk. Senior leaders and governance boards want to know how third-party risk is being addressed. Your program should capture and report on key metrics such as the percentage of vendors included in the program, the percentage of higher risk vendors evaluated or under continuous monitoring, exception rates, and the reduction of risk achieved.
As a security leader, you need to develop and continuously evolve your vendor risk management program. Just like most things in cybersecurity, this is not a “one and done” effort. Continue to find ways to build in more continuous monitoring and alerting to augment your periodic reviews. Monitor your coverage and risk profile over time, and periodically refer back to your objectives to validate that your program is appropriately focused and resourced. Keep senior management and the Board updated on vendor risk. Ask yourself: “Do I know who my high-risk vendors are, and am I comfortable with the cyber risk we are accepting?” If the answer is “no”, it is time to update your vendor risk program.