Article by Tenable A/NZ country manager Bede Hackney.
2018 was a milestone year for data security and privacy. The rollout of legislative frameworks, such as the Notifiable Data Breach Scheme and the General Data Protection Regulation, brought to light the endless wave of cyber attacks confronting businesses every day.
A recent report by the Ponemon Institute on behalf of Tenable found that 60% of organisations represented in the study say they have suffered two or more business-disrupting cyber events in the last 24 months alone. More than 2,400 IT and IT security practitioners in the US, UK, Germany, Australia, Mexico and Japan were surveyed. In tandem with this, the Office of the Australian Information Commissioner revealed that over 245 breaches were reported from July to September, signalling that current security approaches are failing to keep pace with the surge of attacks.
The unfortunate reality is that the majority of Australian businesses aren’t able to quantify the business cost of this cyber risk, relying on outdated metrics that leave them exposed.
It’s high time to shore up measurement
With cyber security increasingly being elevated to the C-level, it is imperative that your security plan is presented to, and endorsed by, the C-suite and the board. However, less than half of Australian respondents (48%) measure, and therefore understand, what cyber risks are costing their organisations, leaving the C-suite and board unsure how to navigate risk and remediation strategies.
Traditional KPIs for evaluating business risks are insufficient for understanding cyber risk: they fail to factor in the business cost, lack strategic direction and offer no insight into how businesses should prioritise risk. This hinders the ability of CISOs to make informed decisions about the allocation of resources, leaving businesses vulnerable.
While most organisations are aware of the more important KPIs used to measure the business impact of a cyber attack, there is a clear gap between the perceived importance and the actual use of non-security measures such as loss of revenue and productivity, as well as impact on share price. While conventional wisdom suggests a decline in stock price would be a major consideration in quantifying the risk of a cyber attack, it worryingly isn’t a prevalent factor for most businesses.
Ride the wave through actionable insights
In the face of a rapidly evolving attack surface, new approaches to measuring cyber risk are needed to allow businesses to accurately quantify the consequences of cyber attacks. To fully understand your organisation's level of cyber exposure, a holistic approach is required to understand the entirety of your attack surface. This includes identifying the business operations and assets most vulnerable to cyber attacks, including OT and IoT assets.
Once you’ve got a grasp of the area you’re trying to defend and where the danger lies, detailed threat intelligence is needed to prioritise remediation efforts. As the endless wave of threats continues, security teams don’t have the resources to guess which vulnerabilities need to be remediated first.
Tenable’s recent Vulnerability Intelligence Report revealed an enterprise uncovers 870 vulnerabilities per day across 960 assets, on average. And of those, more than 100 vulnerabilities are rated as critical. There is a clear onus on CISOs to implement security strategies which allow them to understand and prioritise vulnerabilities based on their potential impact on business operations.
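To make the prioritisation point concrete, here is a small added example (illustrative code written for this article, not Tenable's product logic or scoring model) that ranks a constructed set of findings by likelihood-weighted business impact rather than by CVSS score alone. The asset names, criticality values, finding labels and the exploit and internet-exposure multipliers are all hypothetical; the CVSS rating bands are the standard CVSS v3.x qualitative ones.

```python
"""Rank vulnerability findings by business impact, not raw CVSS score alone.

Added example: illustrative code, not Tenable's product logic or scoring
model. The weights, assets, criticality values and findings below are
constructed for demonstration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    finding_id: str        # constructed label, not a real CVE identifier
    asset: str
    cvss: float            # CVSS v3 base score, 0.0-10.0
    exploit_public: bool   # working exploit code is publicly available
    internet_facing: bool  # asset is reachable from the internet


# Hypothetical business criticality per asset (1 = low, 5 = revenue- or
# safety-critical). In practice this comes from the asset inventory or CMDB;
# note the OT controller is rated as high as the payment gateway.
ASSET_CRITICALITY = {
    "payments-gw": 5,
    "plc-controller": 5,
    "hr-portal": 3,
    "marketing-site": 2,
    "dev-sandbox": 1,
}

# Constructed sample findings: two of the three CVSS "Critical" ones sit on
# low-value assets, while the payment gateway carries only a "High".
SAMPLE_FINDINGS = [
    Finding("FINDING-001", "payments-gw", 7.5, True, True),
    Finding("FINDING-002", "dev-sandbox", 9.8, False, False),
    Finding("FINDING-003", "hr-portal", 9.1, True, False),
    Finding("FINDING-004", "plc-controller", 6.5, True, False),
    Finding("FINDING-005", "marketing-site", 9.8, True, True),
]


def severity_label(cvss):
    """CVSS v3.x qualitative rating bands."""
    if cvss >= 9.0:
        return "Critical"
    if cvss >= 7.0:
        return "High"
    if cvss >= 4.0:
        return "Medium"
    if cvss > 0.0:
        return "Low"
    return "None"


def risk_score(finding, criticality_map=ASSET_CRITICALITY):
    """Likelihood-weighted business impact; higher means fix sooner.

    Likelihood starts from the CVSS base score and is boosted when a public
    exploit exists or the asset is internet-facing (hypothetical multipliers).
    Impact scales with asset criticality so that a 5 counts as 1.0. Assets
    missing from the inventory default to the lowest criticality rather than
    being silently dropped from the queue.
    """
    likelihood = finding.cvss / 10.0
    if finding.exploit_public:
        likelihood *= 1.5
    if finding.internet_facing:
        likelihood *= 1.3
    impact = criticality_map.get(finding.asset, 1) / 5.0
    return likelihood * impact


def prioritise(findings, criticality_map=ASSET_CRITICALITY):
    """Return findings sorted so the first item is the one to fix first."""
    return sorted(findings, key=lambda f: risk_score(f, criticality_map), reverse=True)


def count_by_label(findings, label):
    """How many findings fall in a given CVSS qualitative band."""
    return sum(1 for f in findings if severity_label(f.cvss) == label)


if __name__ == "__main__":
    n_crit = count_by_label(SAMPLE_FINDINGS, "Critical")
    print(f"{n_crit} of {len(SAMPLE_FINDINGS)} findings are CVSS Critical")
    for f in prioritise(SAMPLE_FINDINGS):
        print(f"{risk_score(f):5.3f}  {severity_label(f.cvss):8s}  {f.asset:15s} {f.finding_id}")
```

Run stand-alone, the script ranks the CVSS 7.5 finding on the internet-facing payment gateway first and the CVSS 6.5 finding on the OT controller second, while the two CVSS 9.8 "Critical" findings on the sandbox and marketing site drop to the bottom of the queue. The multipliers are deliberately simple; the design point is that asset criticality and exploitability must enter the ranking, or a team facing 100 new criticals a day has no defensible way to order them.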
Master the tides
Cybercrime is relentless, undiminished and unlikely to stop. To keep pace, CISOs must adopt new approaches to accurately manage, measure and reduce cyber risk. Implementing a robust vulnerability management program will empower security executives to confidently visualise, analyse and measure the business cost of cyber risk. Doing so will close their cyber exposure gap and ensure they’re in the best position to stem the rising tide of data breaches.