Identifying Hazards to Better Prepare for Cyberattacks

By Bob Violino

Chief information officers should explore, if not embrace, a broad-spectrum defense strategy, a more effective way of approaching security that focuses on the hazards inherent in the business's own systems and operations, the conditions that could lead to costly breaches.

How costly? A distributed denial-of-service (DDoS) incident can cost a financial institution $1.2 million to recover on average, compared with $952,000 for businesses in other sectors, according to a 2017 report by Kaspersky Lab.

Some companies, such as global cloud delivery platform provider Akamai Technologies, have made broad-spectrum defense a key component of their cybersecurity programs.

Traditionally, cyberdefense has been based on requirements dictated by regulatory compliance or industry standards. Consequently, defenses might not have had much to do with a company’s actual security threats and vulnerabilities.

“With that approach, you don’t look forward and anticipate changes in the security landscape,” explained Andy Ellis, chief security officer at Akamai.

Importantly, a traditional strategy may not account for the latest ransomware or DDoS threats. Either can cripple a business if it isn’t prepared to defend against it.

Broadening The Defenses

A broad-spectrum approach defends against surprising threats by forcing organizations to consider and analyze existing hazards. Often these hazards are based on variables that include the type of business, how it operates online, where it’s located, and the access it provides employees, business partners and customers.

Under a broad-spectrum defense, before launching a new application on the web, a company would first inventory the possible hazards of moving ahead.

“An example of a hazard would be an application database that’s online,” Ellis said. “You have to take a step back and ask, ‘What are the unacceptable losses we face by doing this?’”

If the application risks exposing a database that houses customers’ personal information, for instance, that would be considered an unacceptable loss, and the project would not move forward unless the risk is first mitigated.

Handling security this way could also make it easier for security executives to sell business leaders on why security is important. Instead of telling business line executives that a new set of defenses is available, for instance, a chief information security officer would detail the consequences of a breach.

“It might be hard to sell the business on a web application firewall, but it’s easy to sell them on the fact that it’s critical to protect the data we don’t want to expose,” Ellis said. “This approach lets you tie back the tools you want to acquire to the hazards you’re trying to mitigate. The key is to focus on the hazard.”

The job for security executives and CIOs is to make sure all of the main hazards have been covered.

By taking a complete inventory, “you are more likely to defend against unknown adversaries,” Ellis said.

What makes the organization susceptible is the nature of the resource and where it sits, not the particular attack technique. An exposed database is a hazard whether the attacker uses SQL injection or a method not yet imagined.
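The procedure described above, inventory the hazards, declare which losses are unacceptable, and let a project proceed only when every hazard that leads to such a loss is mitigated, can be expressed as a small coverage check. The following is an added example written for this article; it is not code from Akamai or Andy Ellis, and every identifier, hazard, control and loss in it is constructed for illustration. It also shows the tie-back Ellis describes: each control is justified by the hazards it mitigates rather than by the tool itself.

```python
"""Hazard inventory and launch gate for a new web application.

Added example (not Akamai's or Ellis's code). All identifiers, the sample
inventory and the loss descriptions below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Hazard:
    """A system state that can lead to one or more losses (hypothetical ids)."""
    hazard_id: str
    description: str
    leads_to: frozenset  # loss ids this hazard can produce


@dataclass(frozen=True)
class Control:
    """A defensive measure, justified only by the hazards it mitigates."""
    control_id: str
    description: str
    mitigates: frozenset  # hazard ids


def validate_inventory(hazards, controls):
    """Reject inventories with dangling references or hazards tied to no loss."""
    known = {h.hazard_id for h in hazards}
    for h in hazards:
        if not h.leads_to:
            raise ValueError(f"{h.hazard_id} leads to no loss; it is not a hazard")
    for c in controls:
        dangling = c.mitigates - known
        if dangling:
            raise ValueError(f"{c.control_id} mitigates unknown hazards {sorted(dangling)}")


def uncovered_hazards(hazards, controls):
    """Hazards that no control in the inventory claims to mitigate."""
    covered = set()
    for c in controls:
        covered |= c.mitigates
    return [h for h in hazards if h.hazard_id not in covered]


def launch_decision(hazards, controls, unacceptable):
    """Return (go, blockers).

    A hazard blocks launch when it is unmitigated AND leads to a loss the
    business has declared unacceptable. Unmitigated hazards that only lead
    to acceptable losses are reported by uncovered_hazards() but do not gate.
    """
    validate_inventory(hazards, controls)
    blockers = [h for h in uncovered_hazards(hazards, controls)
                if h.leads_to & unacceptable]
    return (not blockers, blockers)


def justify(control, hazards, losses):
    """Tie a control back to the hazards and losses it addresses, one line per hazard."""
    by_id = {h.hazard_id: h for h in hazards}
    lines = []
    for hid in sorted(control.mitigates):
        h = by_id[hid]
        loss_text = ", ".join(losses[lid] for lid in sorted(h.leads_to))
        lines.append(f"{control.description}: mitigates {hid} ({h.description}) "
                     f"so that we avoid: {loss_text}")
    return lines


# Constructed sample inventory for a hypothetical customer-facing web app.
LOSSES = {
    "L1": "exposure of customer personal information",
    "L2": "customers unable to transact for more than an hour",
}
UNACCEPTABLE = frozenset(LOSSES)  # the business declared both unacceptable

HAZARDS = [
    Hazard("H1", "application database reachable from the internet", frozenset({"L1"})),
    Hazard("H2", "untrusted request input reaches SQL queries", frozenset({"L1"})),
    Hazard("H3", "single ingress path with no absorption capacity", frozenset({"L2"})),
]

CONTROLS = [
    Control("C1", "web application firewall", frozenset({"H2"})),
    Control("C2", "database on a private subnet, app-only access", frozenset({"H1"})),
]


if __name__ == "__main__":
    go, blockers = launch_decision(HAZARDS, CONTROLS, UNACCEPTABLE)
    print("GO" if go else "NO-GO")
    for h in blockers:
        print(f"  unmitigated: {h.hazard_id} {h.description}")
    for c in CONTROLS:
        for line in justify(c, HAZARDS, LOSSES):
            print("  " + line)
```

Run as written, the gate returns NO-GO because H3 (no capacity to absorb a flood) is unmitigated and leads to L2, which the business declared unacceptable; adding a control that mitigates H3, or removing L2 from the unacceptable set, clears it. The point of the structure is that the decision turns on the hazard-to-loss link the business agreed to, not on which products the security team wants to buy.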

Building Relationships

A broad-spectrum defense strategy can help get funding for security initiatives. But funding may not be the challenge.

“Getting the mindshare of the business partners — that’s the hard part,” Ellis said.

Business line partners need to be educated about the risks to the business. “This requires you to build a relationship with business partners, which can be hard to do,” he said.

It’s up to the CIO and the security executive to lead the way in moving to a broad-spectrum defense by educating others about what the unacceptable losses are.

The idea of creating a broad-spectrum defense is still unfamiliar to many companies, although some in the financial services sector have used it for some time, Ellis said.

The concept can work for any type and size of business, although smaller companies that lack internal resources might need help getting started. This help might come from a managed security services provider.

By taking this approach, Ellis said, an organization can build a security program that’s based on the actual risks and more closely aligned with what needs protection.

Bob Violino is a business and technology freelance writer whose areas of expertise include cloud computing, cybersecurity and big data.
