Four Steps to Begin Better Managing Your Digital Risk

Four Steps Organizations Can Take to Begin Managing Their Digital Risk


The emergence of Cyber Threat Intelligence (CTI) has given organizations valuable insight into a myriad of attacker behaviors. Armed with CTI, companies can focus on their adversaries’ tactics and techniques, and use this information to inform their defense strategy to reduce digital risk. But for these strategies to be truly effective, they must include an approach to both estimating and effectively managing organizational risk: the assets that need to be protected, the weaknesses present in internet-facing systems, and the opportunities threat actors may exploit.

By monitoring for exposure and assessing the threat, organizations can develop a better idea of what to protect. Here are four steps organizations can take to begin managing their digital risk.

Step 1: Identify Key Assets to Protect 

The first step is to take stock of the critical assets you wish to protect and how this data could appeal to adversaries. Start with people (e.g. customers, employees, partners, service providers), organizations (e.g. service departments, common infrastructure), and the systems and critical applications that support them (e.g. websites, portals, databases, payment processing systems, Enterprise Resource Planning (ERP) applications).

Consider how these assets relate to the organization’s vital business and economic functions, those that may generate profit, provide competitive advantage, or on which intangible properties such as trust, reputation and goodwill rely. The exposure of intellectual property – product designs, proprietary code, and patent information – often impacts competitive advantage. Exposed customer data may result in violations of compliance and privacy regulations. Employee credentials, private RSA keys, or exposed security assessments could fall into threat actors’ hands, enabling reconnaissance efforts.

Once these most important pieces are identified, organizations can begin to understand which actors are most likely to target this data. 

Step 2: Understand the Threat


Understanding the threat is a key part of calculating risk. CTI, when done effectively, can provide practical insight into these threats. A recent shift towards a strategic focus on attacker behavior provides a common language for how defenses can be aligned to real-world vulnerabilities. However, behaviors are just one part of understanding threats. Organizations must also understand the circumstances threat actors most often exploit and reduce their opportunities.

Frameworks such as MITRE ATT&CK provide a way to describe attacker behavior through observed tactics, techniques, and procedures (TTPs). By combining this behavioral information with threat modeling, organizations can then consider why a particular type of threat actor would target the organization, what they would hope to gain, and what their goals would be. By understanding the range of threat actor TTPs, and protecting against the exposure of data that could enable them, organizations can decisively reduce their risk profile.

Step 3: Monitor for Exposure

Detecting exposed assets across the open, deep, and dark web can be a daunting task. The typical exposure of a mid-sized organization served by Digital Shadows includes 290 spoofed domains or social media accounts, 180 certificate issues, 84 exploitable vulnerabilities, 360 open ports and 100 exposed business documents. There are plenty of tools to help. DNS Twist gives organizations a view into phishing sites using permutations of a company’s domain; Have I Been Pwned provides insight into exposed credentials; and the Google hacking database provides ways to detect exposed sensitive documents. Consider also making use of the services that marketing and brand management teams use to monitor social media; these can provide useful insight into what is being discussed about an organization online.
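An added example, not from the original article or from the DNS Twist project: a simplified Python sketch of the permutation-and-match idea behind domain monitoring, run over a constructed list of observed domains. The function names, the small homoglyph table and the sample feed are assumptions for illustration; the real tool covers many more permutation classes.

```python
# Added example: lookalike-domain detection for one monitored domain.
# HOMOGLYPHS is a small illustrative subset, not a complete confusables table.
HOMOGLYPHS = {"o": ["0"], "l": ["1", "i"], "i": ["1", "l"],
              "e": ["3"], "a": ["4"], "s": ["5"]}


def lookalike_candidates(domain):
    """Return {candidate_domain: technique} for single-edit variants of the label."""
    label, _, tld = domain.partition(".")
    out = {}

    def add(candidate, technique):
        # Skip edits that reproduce the legitimate label (e.g. swapping equal letters).
        if candidate and candidate != label:
            out.setdefault(f"{candidate}.{tld}", technique)

    for i, ch in enumerate(label):
        add(label[:i] + label[i + 1:], "omission")
        add(label[:i] + ch + label[i:], "repetition")
        if i + 1 < len(label):
            add(label[:i] + label[i + 1] + ch + label[i + 2:], "transposition")
        for sub in HOMOGLYPHS.get(ch, []):
            add(label[:i] + sub + label[i + 1:], "homoglyph")
    for i in range(1, len(label)):
        add(label[:i] + "-" + label[i:], "hyphenation")
    return out


def flag_lookalikes(monitored, observed):
    """Match observed domains against the monitored domain's candidate set."""
    candidates = lookalike_candidates(monitored)
    hits = []
    for name in observed:
        name = name.strip().lower().rstrip(".")  # normalise case and trailing dot
        if name in candidates:
            hits.append((name, candidates[name]))
    return hits


# Constructed sample feed, standing in for newly registered or
# certificate-log domains an organization might review.
OBSERVED = ["examp1e.com", "exmaple.com", "example.org", "exa-mple.com",
            "weather.com", "exampple.com", "EXAMPL.com."]

if __name__ == "__main__":
    for name, technique in flag_lookalikes("example.com", OBSERVED):
        print(f"{name:15} {technique}")
```

Domains on a different TLD (such as `example.org` in the sample) are deliberately not flagged by this sketch, which is one reason a production monitor needs broader permutation classes.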

Step 4: Mitigation Strategies

Detecting exposure and understanding threats is important, but taking action to resolve and mitigate risks is critical. Mitigation strategies include immediate, tactical responses; operational responses that can be done on an ongoing basis; and strategic responses that may involve investment or directional influence. For example, an organization that has identified large numbers of exposed credentials may look at implementing multi-factor authentication (MFA). Similarly, providing more effective storage solutions may be advised if employees are backing up work on home computers.

While no single solution or approach can reduce digital risk, by understanding where assets are exposed, their value to attackers, and how attackers target this data, organizations can make better decisions about their defenses and improve them over time.

Written By

Alastair Paterson is the CEO and co-founder of Harmonic Security, enabling companies to adopt Generative AI without risk to their sensitive data. Prior to this he co-founded and was CEO of the cyber security company Digital Shadows from its inception in 2011 until its acquisition by ReliaQuest/KKR for $160m in July 2022. Alastair led the company to become an international, industry-recognised leader in threat intelligence and digital risk protection.
