One of the cornerstones of a security leader’s job is to successfully evaluate risk. A risk assessment is a thorough look at everything that can impact the security of an organization. When a CISO determines the potential issues and their severity, measures can be put in place to prevent harm from happening.
To select a suitable risk assessment solution for your business, you need to think about a variety of factors. We’ve talked to several cybersecurity professionals to get their insight on the topic.
Jaymin Desai, Offering Manager, OneTrust
First, consider what type of assessment or control content, such as frameworks, laws, and standards, is readily available for your business (e.g., NIST, ISO, CSA CAIQ, SIG, HIPAA, PCI DSS, NYDFS, GDPR, EBA, CCPA). This is an area where you can leverage templates to bypass building and updating your own custom records.
Second, consider the assessment formats. Look for a technology that can automate workflows to support consistency and streamline completion. This level of standardization helps businesses scale risk assessments to the line of business users. A by-product of workflow-based structured evaluations is the ability to improve your reporting with reliable and timely insights.
One other key consideration is how the risk assessment solution can scale with your business. This is important in evaluating your efficiencies over time. Are the assessments static exports to Excel, or can they be integrated into a live risk register? Can you map insights gathered from responses to adjust risk across your assets, processes, vendors, and more? Consider the core data structure and how you can model and adjust it as your business changes and your risk management program matures.
The solution should enable you to discover, remediate, and monitor granular risks in a single, easy-to-use dashboard while engaging with the first line of your business to keep risk data current and context-rich with today’s information.
Brenda Ferraro, VP of Third Party Risk, Prevalent
The right risk assessment solution will drive program maturity from compliance, to data breach avoidance, to third-party risk management.
There are seven key fundamentals that must be considered:
- Network repository: Uses the ‘fill out once, use with many’ approach to rapidly obtain risk information awareness.
- Vendor risk visibility: Harmonizes inside-out and outside-in vendor risk and proactively shares actionable insights to enhance decision-making on prioritization, remediation, and compliance.
- Flexible automation: Helps the enterprise to place focus quickly and accurately on risk management, not administrative tasks, to reduce third-party risk management process costs.
- Enables scalability: Adapts to changing processes, risks, and business needs.
- Tangible ROI: Reduces time and costs associated with the vendor management lifecycle to justify cost.
- Advisory and managed services: Has subject matter experts to assist with improving your program by leveraging the solution.
- Reporting and dashboards: Provides real-time intelligence to drive more informed, risk-based decisions internally and externally at every business level.
The right risk assessment solution selection will enable dynamic evolution for you and your vendors by using real-time visibility into vendor risks, more automation and integration to speed your vendor assessments, and by applying an agile, process-driven approach to successfully adapt and scale your program to meet future demands.
Fred Kneip, CEO, CyberGRX
Organizations should look for a scalable risk assessment solution that has the ability to deliver informed, risk-reducing decision making. To be truly valuable, risk assessments need to go beyond lengthy questionnaires that serve as check-the-box exercises that don’t provide insight, and they need to go beyond a simple outside-in rating that, alone, can be misleading.
Rather, risk assessments should help you to collect accurate and validated risk data that enables decision making and, ultimately, allow you to identify and reduce risk across your ecosystem at the individual level as well as the portfolio level.
Optimal solutions will help you identify which vendors pose the greatest risk and require immediate attention as well as the tools and data that you need to tell a complete story about an organization’s third-party cyber risk efforts. They should also help leadership understand whether risk management efforts are improving the organization’s risk posture and if the organization is more or less vulnerable to an adverse cyber incident than it was last month.
Jake Olcott, VP of Government Affairs, BitSight
Organizations are now being held accountable for the performance of their cybersecurity programs, and ensuring businesses have a strong risk assessment strategy in place can have a major impact. The best risk assessment solutions meet four specific criteria: they are automated, continuous, comprehensive and cost-effective.
Leveraging automation for risk assessments means that the technology is taking the brunt of the workload, giving security teams more time back to focus on other important tasks to the business. Risk assessments should be continuous as well. Taking a point-in-time approach is inadequate, and does not provide the full picture, so it’s important that assessments are delivered on an ongoing basis.
Risk assessments also need to be comprehensive and cover the full breadth of the business including third and fourth party risks, and address the expanding attack surface that comes with working from home.
Lastly, risk assessments need to be cost-effective. As budgets are being heavily scrutinized across the board, ensuring that a risk assessment solution does not require significant resources can make a major impact for the business and allow organizations to maximize their budgets to address other areas of security.
Mads Pærregaard, CEO, Human Risks
When you pick a risk assessment tool, you should look for three key elements to ensure a value-adding and effective risk management program:
1. Reduce reliance on manual processes
2. Reduce complexity for stakeholders
3. Improve communication
Tools that rely on constant manual data entry, remembering to make updates and a complicated risk methodology will likely lead to outdated information and errors, meaning valuable time is lost and decisions are made too late or on the wrong basis.
Tools that automate processes and data gathering give you awareness of critical incidents faster, reducing response times. They also reduce dependency on a few key individuals that might otherwise have responsibility for updating information, which can be a major point of vulnerability.
Often, non-risk management professionals are involved with or responsible for implementation of mitigating measures. Look for tools that are user-friendly and intuitive, so it takes little training time and teams can hit the ground running.
Critically, you must be able to communicate the value that risk management provides to the organization. The right tool will help you keep it simple, and communicate key information using up-to-date data.
Steve Schlarman, Portfolio Strategist, RSA Security
Given the complexity of risk, risk management programs must rely on a solid technology infrastructure and a centralized platform is a key ingredient to success. Risk assessment processes need to share data and establish processes that promote a strong governance culture.
Choosing a risk management platform that can not only solve today’s tactical issues but also lay a foundation for long-term success is critical.
Business growth is interwoven with technology strategies and therefore risk assessments should connect both business and IT risk management processes. The technology solution should accelerate your strategy by providing elements such as data taxonomies, workflows and reports. Even with best practices within the technology, you will find areas where you need to modify the platform based on your unique needs.
The technology should make that easy. As you engage more front-line employees and cross-functional groups, you will need the flexibility to make adjustments. There are some common entry points to implement risk assessment strategies but you need the ability to pivot the technical infrastructure towards the direction your business needs.
You need a flexible platform to manage multiple dimensions of risk and choosing a solution provider with the right pedigree is a significant consideration. Today’s risks are too complex to be managed with a solution that’s just “good enough.”
Yair Solow, CEO, CyGov
The starting point for any business should be clarity on the frameworks they are looking to cover both from a risk and compliance perspective. You will want to be clear on what relevant use cases the platform can effectively address (internal risk, vendor risk, executive reporting and others).
Once this has been clarified, it is a question of weighing up a number of parameters. For a start, how quickly can you expect to see results? Will it take days, weeks, months or perhaps more? Businesses should also weigh up the quality of user experience, including how difficult the solution is to customize and deploy. In addition, it is worth considering the platform’s project management capabilities, such as efficient ticketing and workflow assignments.
Usability aside, there are of course several important factors when it comes to the output itself. Is the data produced by the solution in question automatically analyzed and visualized? Are the automatic workflows replacing manual processes? Ultimately, in order to assess the platform’s usefulness, businesses should also be asking to what extent the data is actionable, as that is the most important output.
This is not an exhaustive list, but these are certainly some of the fundamental questions any business should be asking when selecting a risk assessment solution.
It’s no secret that the current pandemic is causing a major strain on consumers and businesses alike. As the U.S. teeters on the verge of a recession, companies are cutting their spending wherever they can — including in cybersecurity. Gartner estimates that security faces cuts as high as $6.7 billion — an unfortunate outcome, particularly since most organizations are also experiencing an expansion of their attack surface as a result of more people working from home.
In some ways, cuts in security budget aren’t surprising. Security has experienced growing budgets for years, but many security professionals have a hard time explaining to executives and board members what, exactly, they’re getting for the spend. Executives have struggled to understand cyber risk for some time, and in a tough economic environment, security is easier to put on the chopping block if it is perceived as a “tax” on the business.
But while some security programs have become bloated, many don’t necessarily deserve to be cut. Given the gravity of today’s situation, it’s time for security leaders to step in and do what they can to justify spending that bolsters their company’s overall security posture. With the right strategy in place, these leaders can be properly equipped to save their organizations from major monetary losses and damage to their brand reputation.
Speaking the “board member” language
Executives and board members have been known to have their doubts about the ROI of their security investments. Their days are driven by facts and figures — and security performance is too often discussed and evaluated in vague terms (ranging on a scale from low to high) that don’t resonate with leaders.
For senior management to really understand the effectiveness of good security measures, security leaders need to leverage quantitative metrics and share something more concrete to demonstrate the high value a strong security strategy brings. There are many strategic and tactical measurements that security leaders can share with executives and the board that demonstrate the effectiveness of programs and technology deployment. Some common metrics used to demonstrate program effectiveness include tracking the number of malware incidents blocked or the percentage of phishing emails filtered.
But it’s important to balance your own view with that of an independent third party perspective too. Objective, quantitative metrics like security ratings, for example, can be useful in providing comparative analysis and meaningful correlation to security outcomes. The lower the security rating given to the company, the more likely they are to experience a breach — and the more urgent and important it is to deploy the necessary services to avoid a potential disaster. Furthermore, some security ratings are used frequently in insurance underwriting and customer decision making, affirming the importance of understanding that metric at the senior-most level of the organization.
Using a specific kind of metric, security leaders have a better chance of grabbing the C-suite’s attention. The right data has the ability to prove to decision makers just how important security is.
Enabling the remote workforce
Everyone’s business faces challenges from COVID-19, and companies need to focus on enabling their workforce to succeed. Security must recognize that they play a critical role in helping the business during these challenging times, but they can’t just say “no” to everything.
One challenge that many are dealing with right now is enabling the remote workforce. Companies don’t have many options at this point, so workers must be allowed to access the corporate network from their home offices. But we also know that residential IPs account for more than 90% of all observed malware infections, making remote access considerably riskier.
Security professionals can help their businesses by developing capabilities that allow for continuous identification of vulnerabilities and infections on IP addresses associated with remote and home offices. Doing so will allow security teams to discover issues quickly, and more effectively manage higher risk remote operating environments. In other words, they’ll be able to ensure no harm comes to their organization while its employees work remotely.
Enabling business partnerships
Another example of how security can enable the business during these challenging times is through more efficient and effective onboarding of new vendors.
When the shift to work from home began months ago, organizations everywhere sought to onboard new vendors like Zoom. But how were they going to effectively perform risk assessments on organizations in hours or days, rather than the 8-12 week time frame that it typically takes to do a third party cyber risk assessment?
By leveraging data and automation, security leaders can transform their third party risk management programs, rapidly assessing and onboarding vendors to ensure that the business can start working with vendors to help achieve their goals. These efforts can actually be better in identifying risk than the typical qualitative, on-site assessment process, which is usually thought of as a snapshot in time. Security professionals shifting their programs can be more responsive to the business and establish a stronger working relationship during challenging times.
The power of benchmarking
Another way to get the C-suite’s attention? Competitive analysis. By benchmarking a company’s security program against competitors, security teams can highlight areas where their programs are performing in line — or out of line — with peers and competitors. In this day and age, no executive or board member wants to be underperforming their industry; but when it comes to cybersecurity, measuring and benchmarking have always been challenging.
Data and analytics now provide security professionals with the ability to quantitatively and objectively measure their programs across a variety of categories — and many security pros effectively use these benchmarks to highlight areas of investment or justify new spend.
The way forward
Right now, security teams are facing an uphill battle as they work to keep their organizations safe and secure. They’re also facing significant budget challenges. It’s up to security leaders to step in and prove that they can combat the current threats their companies face, but with an eye toward cost-optimization and cost-savings.
Using a combination of the above strategies, security leaders have a better shot at justifying security spending during a time when budgets are being slashed. By focusing on measurement, business enablement (including work from home and vendor onboarding), and competitive benchmarking, security leaders can establish greater credibility across the business, in the C-suite, and in the boardroom.
In a recently released report by the UK National Cyber Security Centre (NCSC), whose findings have been backed by Canada’s Communications Security Establishment (CSE) and the US NSA and CISA (Cybersecurity and Infrastructure Security Agency), the agency has warned about active cyber attacks targeting biomedical organizations that are involved in the development of a COVID-19 vaccine.
On Friday, BitSight researchers shared the results of a study that looked for detectable security issues at a number of companies who play a big role in the global search for a vaccine, and found compromised systems, open ports, vulnerabilities and web application security issues.
Biomedical orgs under attack
The report details recent tactics, techniques and procedures (TTPs) used by APT29 (aka “Cozy Bear”), which the NCSC and the CSE believe to be “almost certainly part of the Russian intelligence services.”
The agencies believe that the group is after information and intellectual property relating to the development and testing of COVID-19 vaccines.
“In recent attacks (…), the group conducted basic vulnerability scanning against specific external IP addresses owned by the organisations. The group then deployed public exploits against the vulnerable services identified,” the report states.
Among the flaws exploited by the group are CVE-2019-19781 (affecting Citrix’s Application Delivery Controller (ADC) and Gateway), CVE-2019-11510 and CVE-2018-13379 (affecting Pulse Secure VPN endpoints and Fortigate SSL VPN installations, respectively) and CVE-2019-9670 (affecting the Synacor Zimbra Collaboration Suite).
The group also uses spear-phishing to obtain authentication credentials to internet-accessible login pages for target organizations.
After achieving persistence through additional tooling or legitimate credentials, APT29 uses custom malware (WellMess and WellMail) to execute arbitrary shell commands, upload and download files, and run commands or scripts with the results being sent to a hardcoded command and control server. They also use some malware (SoreFang) that has been previously used by other hacking groups.
The report did not identify the targeted organizations nor did it say whether the attacks were successful and whether any information and IP has been stolen.
Biomedical orgs open to cyber attacks
As many security researchers pointed out, Russian cyber espionage groups aren’t the only ones probing these targets, so these organizations should ramp up their security efforts.
BitSight researchers have recently searched for security issues that attackers might exploit. They’ve looked at 17 companies of varying size that are involved in the search for a COVID-19 vaccine, and found:
- 25 compromised or potentially compromised machines (systems running malware/bots, potentially unwanted applications, spam-sending machines and computers behaving in abnormal ways) in the past year
- A variety of open ports (i.e., exposed insecure services that should never be exposed outside of a company’s firewall): Telnet, Microsoft RDP, printers, SMB, exposed databases, VNC, etc., which can become access points into a company’s network
- Vulnerabilities. “14 of the 17 companies have vulnerabilities and six of them have very serious vulnerabilities (CVSS score > 9). 10 companies have more than 10 different active vulnerabilities.”
- 30 web application security issues (e.g., insecure authentication via HTTP, insecure redirects from HTTPS to HTTP, etc.) that could be exploited by attackers to eavesdrop on and capture sensitive data, such as credentials, corporate email, and customer data.
“These findings are not abnormal when compared to other groups of large companies (e.g. the Fortune 1000), but given the heightened threat environment, they do provide cause for concern,” the researchers pointed out.
“It only takes a misconfigured piece of software, an inadvertently exposed port, or an insecure remote office network for a hacker to gain entry to systems that store scientific research, intellectual property, and the personal data of subjects involved in clinical trials.”
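The findings above are the kind an organization can check for itself before an external rating service does. The following script is an added example, not BitSight's code or data: it triages a constructed, clearly labelled sample inventory against the three categories the researchers reported (exposed services such as Telnet, RDP, SMB, VNC and databases; vulnerabilities with CVSS above 9; and web authentication over plain HTTP or HTTPS-to-HTTP redirects). The port-to-service mapping uses common default ports, and the vulnerability identifiers are placeholders, both assumptions of this example.

```python
"""Exposure triage for the finding categories reported in the study.
Added example with a constructed inventory; not BitSight's tooling or data."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Services the findings list names as ones that should never face the internet.
# Port numbers are the common defaults (an assumption; the page names services only).
EXPOSED_SERVICE_PORTS = {
    23: "telnet", 3389: "rdp", 139: "smb", 445: "smb", 5900: "vnc",
    9100: "printer", 1433: "mssql", 3306: "mysql", 5432: "postgresql",
    27017: "mongodb", 6379: "redis",
}
CRITICAL_CVSS = 9.0  # "very serious vulnerabilities (CVSS score > 9)"


@dataclass
class Host:
    name: str
    open_ports: List[int]
    vulns: Dict[str, float]                  # vulnerability id -> CVSS base score
    login_url: Optional[str] = None          # where the application's login form is served
    redirect_chain: List[str] = field(default_factory=list)  # observed redirect hops, in order


def exposed_services(host: Host):
    """Open ports that match a service which should not be internet-facing."""
    return sorted((p, EXPOSED_SERVICE_PORTS[p])
                  for p in host.open_ports if p in EXPOSED_SERVICE_PORTS)


def critical_vulns(host: Host):
    """Vulnerability ids whose CVSS score exceeds the 'very serious' threshold."""
    return sorted(v for v, score in host.vulns.items() if score > CRITICAL_CVSS)


def web_issues(host: Host):
    """Insecure authentication transport and HTTPS->HTTP downgrades in redirects."""
    issues = []
    if host.login_url and urlsplit(host.login_url).scheme == "http":
        issues.append("authentication over plain HTTP")
    schemes = [urlsplit(u).scheme for u in host.redirect_chain]
    if any(a == "https" and b == "http" for a, b in zip(schemes, schemes[1:])):
        issues.append("redirect downgrades HTTPS to HTTP")
    return issues


def triage(hosts):
    """Rank hosts: each critical vuln weighs 3, each exposed service 2, each web issue 1."""
    rows = []
    for h in hosts:
        exp, crit, web = exposed_services(h), critical_vulns(h), web_issues(h)
        score = 3 * len(crit) + 2 * len(exp) + len(web)
        rows.append({"host": h.name, "score": score,
                     "critical": crit, "exposed": exp, "web": web})
    return sorted(rows, key=lambda r: (-r["score"], r["host"]))


# Constructed sample inventory (placeholder hostnames and vulnerability ids).
SAMPLE_HOSTS = [
    Host("research-portal", [443, 3389, 445],
         {"EXAMPLE-VULN-1": 9.8, "EXAMPLE-VULN-2": 6.5},
         login_url="https://research-portal.example/login",
         redirect_chain=["https://research-portal.example/login",
                         "http://research-portal.example/home"]),
    Host("lab-gateway", [22, 443], {},
         login_url="http://lab-gateway.example/admin"),
    Host("mail-relay", [25, 993], {"EXAMPLE-VULN-3": 7.2}),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_HOSTS):
        print(f"{row['host']:16} score={row['score']:2} critical={row['critical']} "
              f"exposed={row['exposed']} web={row['web']}")
```

The weights are a simple illustration of ordering remediation by the categories the researchers called out; a real program would feed the same per-host checks into its risk register rather than a flat score.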
Checkmarx SCA: New SaaS-based software composition analysis solution
CxSCA leverages Checkmarx’s source code analysis and automation capabilities, empowering security and development teams to identify vulnerabilities within open source software that present the greatest risk and enable developers to focus and prioritize remediation efforts accordingly.
Zyxel launches USG FLEX series of mid-range firewalls for SMBs
Zyxel’s new USG FLEX 100, USG FLEX 200 and USG FLEX 500 firewalls feature upgraded hardware and software power that level up SMB security with up to 125 percent of firewall performance and up to an additional 500 percent Unified Threat Management performance.
New BitSight capabilities enable more effective third-party cyber risk management
BitSight announced several new, innovative capabilities within its BitSight for Third-Party Risk Management solution that provide intelligent recommendations, operational guidance, and risk prioritization to enable more effective third-party cyber risk management.
Nyxeia helps you manage assets and data privacy protection requirements
Nyxeia announced new releases of its Information Governance Suite products. These releases include major updates to the .discover and .policy products used for information search, enhancement, and full lifecycle governance. Also included is a new product called .preserve for digital asset preservation, legal hold, and defensible disposition.
Lumu helps security teams minimize alert fatigue, prioritize response, and accelerate remediation
Lumu announced a new Compromise Context capability that offers robust contextual intelligence around confirmed compromise instances, enabling security teams to deploy accelerated incident response efforts with precision. This new contextual functionality is included as part of the Lumu Insights platform, a cloud-based solution.
BitSight, the Standard in Security Ratings, announced several new, innovative capabilities within its BitSight for Third-Party Risk Management solution that provide intelligent recommendations, operational guidance, and risk prioritization to enable more effective third-party cyber risk management.
The enhanced platform helps organizations achieve greater operational efficiency and measurably reduce risk across their extended business ecosystem.
“Third-party ecosystems are expanding rapidly and organizations of all shapes and sizes struggle to create effective risk management programs,” said Dave Fachetti, executive vice president of Strategy.
“These enhancements will help our customers clearly understand and prioritize their portfolio of third-party risk and seamlessly integrate BitSight into their programs, resulting in reduced risk and improved operational efficiency.”
BitSight surfaces actionable insights from the industry’s broadest and deepest collection of security performance data and provides intelligent recommendations and guidance based on the largest customer base and most engaged network of users.
Surfaces the most important information from across the BitSight platform onto a dynamic, customizable dashboard, enabling users to quickly visualize, identify, and prioritize third-party risk issues and separate urgent ones from non-urgent ones.
Life cycle stages
Provides customers specific engagement guidance during various stages of the vendor lifecycle — from onboarding to ongoing monitoring to reassessment — based on the nature of a third-party vendor’s relationship with the customer, the stage of the relationship, and measured security performance.
Gives business context to technical findings, enabling customers to quickly identify and understand the most critical areas of concern related to third-party cyber risks, and accept or reject risk.
Aids with setting the significance of a vendor relationship by leveraging tiering best practices observed across BitSight’s customer base and providing intelligent recommendations.
Maps BitSight data to cybersecurity questions in a vendor assessment questionnaire, validating qualitative data collection, producing consumable reports, and reducing the number of questions needed in a vendor assessment.
Makes it easy for customers to apply the proper level of due diligence based on the relationship they have with that company (e.g., vendor, competitor, fourth-party).
Portfolio risk matrix
Gives an organization a clearer picture of the state of its third-party portfolio’s risk aligned to its organizational policy, with the ability to adjust vendor tiering and risk thresholds.
It’s almost 2020, which means teams are finalizing cyber budgets, strategies and goals. However, as you’re preparing for the new year, it’s important to keep an eye out for how the cybersecurity landscape might shift in 2020.
From the rise in investor focus on cybersecurity issues to diversifying of cyber insurance, there are three critical security trends cyber professionals should be prepared to address if they want a successful — and secure — 2020.
Investors will add cyber risk into their analyses
In 2020, cybersecurity is going to play a larger role in financial investments than ever before. Equifax was the first company that ever received a credit downgrade because of a data breach, and it made investors hesitate to invest in companies without understanding their cyber risk.
It’s an understandable fear: Our research shows a majority of Fortune 1000 companies have at least one remote administration service running on an open port. With current security like this, breaches are inevitable.
Savvy investors are holding off on investing in companies without good security. They’re beginning to uncover a link between companies with strong cybersecurity posture and strong stock performance. Though the research is still in its infancy, I suspect that many investors will soon incorporate cyber into their ESG analysis.
For the security professional, this is an opportunity to showcase your worth to the C-suite. Having strong security will no longer be just about protecting against breaches, it also means a better draw for investors, whether they’re looking to purchase stocks or invest in your business.
Attackers will focus less on zero-day vulnerabilities and more on blunt-force attacks
Zero-day vulnerabilities receive the most attention from the media, but in 2020, hackers probably won’t bother with these highly publicized attacks. Instead, they’ll home in on simple strategies, like gaining access to a network through a third party or an unpatched system.
In fact, this trend is already starting to emerge. For example, APT33 uses almost exclusively brute-force password spraying when attacking critical infrastructure. These methods have seen success with breached companies facing Shamoon and Shapeshifter, two of APT33’s go-to deployments. And the number of business email compromise (BEC) attacks has soared immensely in the past year; financial media conglomerate Nikkei lost $29 million to this ploy. On top of these recent examples, the NSA reports that it very rarely responds to intrusions from zero-day vulnerabilities — instead it focuses primarily on incidents involving exploited unpatched hardware and software.
To counteract these trends, cyber plans will need to return to the basics and focus on building a strong security foundation. This includes continuously monitoring for new threats and vulnerabilities, consistently evaluating the security posture of your third-party partners, and more. The importance of employee cyber education also can’t be overstated. Oftentimes, the weakest link in security postures is still the human element.
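Password spraying, the technique attributed to APT33 above, is a case where "continuously monitoring" means something concrete: a spray looks different in authentication logs from a classic brute-force attempt, because it tries many accounts a few times each rather than one account many times. The script below is an added example, not part of the original article: it parses a constructed log format (an assumption of this example) and separates the two patterns, also noting whether a spraying source later logged in successfully, which is the event a responder most needs to see.

```python
"""Distinguish password spraying from single-account brute force in auth logs.
Added example over constructed log lines; the log format is an assumption."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed line format: "<iso-timestamp> auth user=<name> src=<ip> result=OK|FAIL"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_auth_log(lines):
    """Parse log lines into event dicts; lines that don't match are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        events.append(e)
    return events


def detect_spray(events, window=timedelta(minutes=10), min_accounts=5, max_per_account=2):
    """A source failing against many distinct accounts, few tries each, inside one window."""
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            failures[e["src"]].append(e)
    findings = []
    for src, evs in failures.items():
        evs.sort(key=lambda e: e["ts"])
        best, start = None, 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:   # slide the window
                start += 1
            per_user = Counter(e["user"] for e in evs[start:end + 1])
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                if best is None or len(per_user) > best["accounts"]:
                    best = {"src": src, "accounts": len(per_user),
                            "first_seen": evs[start]["ts"], "last_seen": evs[end]["ts"]}
        if best is not None:
            # Did the same source get a successful login once the spray began?
            best["followed_by_success"] = any(
                e["src"] == src and e["result"] == "OK" and e["ts"] >= best["first_seen"]
                for e in events)
            findings.append(best)
    return findings


def detect_bruteforce(events, threshold=10):
    """A (source, account) pair with many failures: the pattern a spray avoids."""
    counts = Counter((e["src"], e["user"]) for e in events if e["result"] == "FAIL")
    return [{"src": s, "user": u, "failures": n}
            for (s, u), n in sorted(counts.items()) if n >= threshold]


# Constructed sample log: one spraying source, one single-account brute force,
# one ordinary successful login. Addresses are documentation ranges (RFC 5737).
SAMPLE_LOG = [
    "2020-01-06T08:00:01 auth user=alice src=203.0.113.9 result=FAIL",
    "2020-01-06T08:00:14 auth user=bob src=203.0.113.9 result=FAIL",
    "2020-01-06T08:00:27 auth user=carol src=203.0.113.9 result=FAIL",
    "2020-01-06T08:00:40 auth user=dave src=203.0.113.9 result=FAIL",
    "2020-01-06T08:00:53 auth user=erin src=203.0.113.9 result=FAIL",
    "2020-01-06T08:01:06 auth user=frank src=203.0.113.9 result=FAIL",
    "2020-01-06T08:01:19 auth user=grace src=203.0.113.9 result=OK",
    "2020-01-06T08:05:00 auth user=alice src=192.0.2.5 result=OK",
] + [f"2020-01-06T08:02:{i:02d} auth user=bob src=198.51.100.7 result=FAIL"
     for i in range(12)]

if __name__ == "__main__":
    evs = parse_auth_log(SAMPLE_LOG)
    print("spray:", detect_spray(evs))
    print("brute force:", detect_bruteforce(evs))
```

The thresholds (five accounts within ten minutes, at most two tries each) are starting points to tune against your own baseline; a lockout policy alone does not catch a spray, because no single account trips it.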
Cyber insurance will play a larger role in cyber plans
From ransomware to BEC, the costs of responding to cyberattacks are relentlessly increasing, and 2020 will be the tipping point for cyber insurance. Many companies, especially smaller ones, are learning the hard way they don’t have the resources to mitigate cyberattacks alone, especially ones that arrive from third-, fourth-, or even fifth-party partners.
Though most cyber insurance policies won’t directly pay for any money lost in a BEC or phishing attack, they will help finance legal investigations and fees. As more companies adopt cyber insurance policies, the insurance industry will educate itself on the nuances of cyber attacks and begin offering additional cyber coverage plans, including ones that cover consequences and losses outside of the cyber realm.
Whether it’s through an extended power outage that leads to looting or a crash from faulty transportation communications, companies need to go into 2020 ready for how cyber attacks could impact the physical world. One way to do that is for companies to reevaluate their current cyber insurance policy or start shopping for their first.
Planning for 2020 cybersecurity trends
The new year will bring a range of challenges for cyber professionals, but trying to anticipate and plan for them now will mitigate their ramifications.
To start, companies need to ensure their CFOs and other stakeholders understand the growing financial impact of cybersecurity. As security tools become more efficient, executives might be tempted to lower budget without understanding how badly a cyber attack would affect not only their day-of operations, but the business’s long term financial stability.
Additionally, the importance of a strong cyber foundation needs to be a focus in the new year. We’re seeing hackers rely on tried-and-true methods rather than chasing down the latest zero-day vulnerability, meaning routine patching and third-party partners with continuously monitored, strong security hygiene are key to protecting businesses.
Finally, the role cyber insurance will play in businesses can’t be ignored any longer. Cyber insurance is expanding to mitigate losses that come from anywhere in the supply chain, including outside of it; it doesn’t matter if you’ve been breached or if your next-door neighbor has been.