Cybersecurity threats have become a cause of concern for many organizations especially with the daily reports of cyber intrusions where large volumes of data theft and intellectual property are involved. With the rise of new exploitation techniques and methods such as insider threats ransomwares, and advanced persistent threats the need for investing in cybersecurity cannot be over emphasized.

 

It has also be proven to be difficult to find rapt solutions to cyberattacks because of the dynamism in cloud computing, operating environment, supporting mobile, the iOt (internet of things), remote users, the quest for support the network devices that users bring to their offices and of course the question of how, where and what strategies to deploy in terms of specific security.

James Comey, a former director in the FBI described two kinds of big companies in the United States. He categorized them into “into those who have been hacked by the Chinese and those who have not been hacked by the Chinese.” Also in January 2015 at the world Economic Forum which was about a year later, John Chambers a former CEO Cisco confirmed that the people that have been hacked, do not even know they have been hacked.”

From all of this information, does it mean that cybersecurity breaches are inevitable? If a cybersecurity breach is inevitable then is prevention really possible and is trying to secure data and data systems worth the money?

Despite the fact that these remarks are quite discouraging, organizations still go ahead with storing data, financial data, intellectual property and their personal data on networked systems. In the midst of all these risks, there are the good sides to data storage and security which outweigh the bad sides.

Cybersecurity involves managing risks

There are things that should be put in place to secure information even with the fact that cybersecurity breaches cannot be avoided. In environments where risk is managed, there are ways and processes that can be put in place to ensure that data breaches are avoided which I have described in my previous article as penetration testing, vulnerability assessments, and IT audits. The premise surrounding the management of risk, is that the risk scenario cannot be completely eliminated.

 

 

If these uncertainties can be erased, then the risk can totally be erased as well. There are two basic security measures that can be put in place if the risk of a cybersecurity breach does not amount zero. Now the first strategy is to cut down the probability of the occurrence of a cybersecurity breach and the second involves cutting down on the impact which the damage that occurs when a cybersecurity risk is discovered. In order to manage any type of cybersecurity risks, these two strategies and measures are very appropriate in managing them. Do not forget that the general way to approach cybersecurity is very transparent and easy to understand.

The first things to identify in the operation of business is the assets which means that information assets which include raw data, people, processes and technology have to be protected.

The second thing you must note is that the purpose of a risk assessment is to reveal risks scenarios which could lead to damage or loss of data through unauthorized and unexpected disclosures, modifications and loss of confidentiality of data assets. Risks components are very few. The typical scenario of a cybersecurity intrusion is when a threat leverages on a vulnerability to damage information asset security. In this example, the components of risk exist when there is vulnerability and an exploit takes advantage of that vulnerability, and also a threat actor uses that exploit to damage the information assets’ security. Therefore, the only things that can be controlled by the network security manager are the presence of vulnerabilities on the network. The next step that follows is making an attempt to identify the risk and eliminating it.

Typically, once a risk has been identified, it is known to be eliminated and when a vulnerability is eliminated, all the threat scenarios where the vulnerability is exploited is reduced to zero.

Cybersecurity Risk Prioritization

Risk management at its core is a decision-support tool and once all the necessary cybersecurity scenarios have been unraveled, the job of the decision-support tool is to prioritize the order and manner in which the identified risks can be mitigated or controlled.

If there are insufficient resources that are capable of handling all the identified vulnerabilities, then the activity of risk prioritization with an aim to remediate and mitigate it can be seen to be important. Prioritization is also very valuable even in the midst of sufficient resources in order to remediate the existing vulnerabilities.

Outcome vs Impact

The prioritization of vulnerabilities is based on its potential impact on the organization if the risk scenarios exploiting that vulnerability are all realized. It is important to try to understand what the impact is if the potential impact is the prioritization factor. Whenever a vulnerability is being exploited, there is an unwanted outcome which involves an unwanted disclosure of data, unauthorized modification or the loss of access to the information asset that is being affected by the vulnerability is being exploitation. The result if an unwanted outcome is referred to as impact.

In the HIPAA privacy or security rules, if the health records are stolen, the outcome is that information will be disclosed, but the impact to the organizations is that there could be there will be a mandatory breach in the costs of notification and the potential for fines and civil penalties could run into millions of naira and dollars.

The prioritization of vulnerability mitigation by its potential impact can be done in different ways and one of them is in the use of a prioritization tool called Common vulnerability scoring System (CVSS), which will provide a framework for which one can understand the characteristics and impacts of vulnerabilities in information technology.

When CVSS is used, there is a likelihood that when an organization discovers that its risk has been prioritized to low severity or medium severity, they will choose not to remediate it. But in the case of organizations with many systems including mission-critical systems, such organizations need to come to an understanding that the potential impact to that asset and organizations is not totally and solely dependent on the ratings of the CVSS, but it could be higher and the organization needs to remediate the vulnerability.

 

In conclusion, if it is true that cybersecurity breaches cannot be avoided then all is not lost. The only sad thing is it will not be possible to completely eliminate the uncertainty that there will be data breaches.

To learn more about vulnerability assessments, risk assessments and penetration testing, subscribe to our services at soutech ventures to learn CEH course in details.