Today, just about everything is connected to the Internet. Although higher levels of interconnectivity have made business easier to conduct in many ways, they have also brought myriad risks that, without proper attention, can turn into severe problems: disrupted business processes, threats to continuity, and even compliance failures and the penalties that follow them.
However, digital risk on the Internet is not insurmountable. With enough attention in the right places, a business can navigate the risks that come with the technologies it depends on.
What is Digital Risk?
First and foremost, it is important to understand digital risk. There is little consensus on a full definition of what exactly digital risk is, but a working definition boils down to “anything involving IT components, from individual workstations, local area networks, or local databases, to anything involving the Internet, that may pose a risk to business practices and continuity.” Digital risk is thus at once exceedingly broad and highly specific.
There are many frameworks for understanding and organizing digital risk, most often by identifying distinct domains under the digital risk umbrella. One framework identifies these domains of digital risk:
- Cyber Threats
- Data Leakage
- Reputation Risks
Whereas another framework defines three other domains:
There is significant overlap between these two frameworks, enough that we can synthesize a more complete and robust framework:
- Active Cyber Threats – Offensive campaigns directed against the organization
- Passive Cyber Threats – Compliance failures from within the organization
- Brand and Reputation – Negative sentiment surrounding the organization’s brand, which could damage the organization’s overall reputation
- Physical – Insider threats, natural threats to infrastructure
Understanding Risk Domains
Active cyber threats come from outside the organization: an attacker, either deliberately or opportunistically, seeks to exploit the organization. This includes distributed denial-of-service (DDoS) attacks, phishing, ransomware, data theft, or anything else involving attacks on, or unauthorized access to, the organization’s systems.
Passive cyber threats are most often a form of compliance failure, such as misconfiguration or missing configuration. They arise from within the organization when staff perform their jobs negligently. The most common form of this threat is failure to secure some piece of Internet-facing infrastructure, such as a cloud-hosted database or another type of server. Such an exposure needs no exploit at all, only discovery by someone scanning for it. While this may be viewed as passive from a threat perspective, such failures can destroy an organization in one fell swoop, and they often go unnoticed because the organization prioritizes active threats and vulnerabilities.
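The kind of exposure described above can be caught before an attacker finds it by auditing network rules for services open to the entire Internet. The following is an added example, not DigitalStakeout code and not any cloud provider’s API; the rule format, the list of sensitive ports, and the sample rules are all constructed for illustration.

```python
"""Flag firewall / security-group rules that expose database or admin
services to the whole Internet.

Added example, not DigitalStakeout code. The rule format below is a
simplified, hypothetical one (assumption), not any real provider's schema.
"""
import ipaddress
import json

# Ports whose exposure to the whole Internet almost always indicates a
# misconfiguration. Assumption: this list is illustrative; tune it locally.
SENSITIVE_PORTS = {
    22: "ssh", 1433: "mssql", 3306: "mysql", 3389: "rdp",
    5432: "postgresql", 6379: "redis", 9200: "elasticsearch", 27017: "mongodb",
}

# Constructed sample input in the hypothetical rule format.
SAMPLE_RULES = json.dumps([
    {"name": "web", "protocol": "tcp", "from_port": 443, "to_port": 443,
     "source": "0.0.0.0/0"},
    {"name": "db-open", "protocol": "tcp", "from_port": 27017, "to_port": 27017,
     "source": "0.0.0.0/0"},
    {"name": "db-internal", "protocol": "tcp", "from_port": 5432, "to_port": 5432,
     "source": "10.0.0.0/8"},
    {"name": "any-any", "protocol": "-1", "from_port": 0, "to_port": 65535,
     "source": "::/0"},
])


def is_world_open(cidr):
    """True when a source CIDR covers the entire IPv4 or IPv6 address space."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def exposed_services(rule):
    """Return the sensitive service names a single rule exposes to the world.

    Protocol "-1" is treated as "all protocols" (assumption mirroring common
    cloud conventions); UDP-only rules are ignored for these TCP services.
    """
    if rule["protocol"] not in ("tcp", "-1") or not is_world_open(rule["source"]):
        return []
    lo, hi = rule["from_port"], rule["to_port"]
    return [name for port, name in sorted(SENSITIVE_PORTS.items()) if lo <= port <= hi]


def audit_rules(rules_json):
    """Return a list of (rule name, [exposed services]) for world-open rules."""
    findings = []
    for rule in json.loads(rules_json):
        services = exposed_services(rule)
        if services:
            findings.append((rule["name"], services))
    return findings


if __name__ == "__main__":
    for name, services in audit_rules(SAMPLE_RULES):
        print(f"{name}: exposes {', '.join(services)} to the Internet")
```

The `web` rule is world-open but exposes only HTTPS, which is expected, so it produces no finding; `db-internal` is restricted to private address space; `db-open` and the catch-all `any-any` rule are the two findings a review should raise. A real audit would pull rules from the provider’s API and run on a schedule, since this kind of drift is exactly the “passive” failure that goes unnoticed.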
Brand and reputation issues have been greatly amplified in recent years by the rise of social media. If an organization either does something wrong or, as is often the case, is perceived to have done something wrong, social media users will use their platforms to complain about it. These complaints can grow quickly, especially when online petitions serve as a central rallying point for activists.
Physical threats are any threats to IT infrastructure that are not digital. They include insiders who steal intellectual property or sensitive data, and natural disasters that damage data centers or connectivity infrastructure. Terrorism, as well as simple accidents such as a car running off the road into a utility line, also falls into this category.
With these four domains, an organization has visibility into virtually every area of security that may affect it. Using an appropriate threat model to define each domain and how it poses a potential risk to the organization or to business continuity, security teams can put in place robust intelligence collection and analysis mechanisms that keep leadership informed of the threats facing the organization and its business needs.
Risk Management and the Intelligence Cycle
Although the idea of digital risk sounds terrifying, once it is broken into its domains it becomes quite manageable. Using the intelligence cycle, threat models, and technical frameworks such as MITRE PRE-ATT&CK (since folded into the Reconnaissance and Resource Development tactics of ATT&CK for Enterprise), organizations have the tools they need to monitor, mitigate, and remediate both persistent threats and those that appear without any prior warning.
Once leadership has defined the domains that matter to its organization, security teams can develop collection requirements and begin monitoring for each risk type. Some domains, such as active cyber threats, require far more investment and attention than others, such as brand and reputation monitoring.
Active cyber threat monitoring involves vulnerability scanning, robust log review, third-party infrastructure monitoring, investigative capabilities, and its own intelligence infrastructure, whereas brand monitoring generally requires only a review of social media, open-source searching, and the ability to identify trends and their depth in near real time.
With the proper infrastructure in place for each domain, collection and analysis can proceed, providing every level of the organization with the intelligence leaders need to direct both operations and further intelligence requirements. This closes the loop: the cycle continues to inform itself without interruption.
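As an added example of the “robust log review” piece of active threat monitoring (not DigitalStakeout tooling; the log lines are constructed, and the threshold, time window, and assumed year are all assumptions), the script below parses OpenSSH-style failed-login entries and flags any source address whose failures reach a threshold inside a sliding time window:

```python
"""Detect password-guessing bursts in OpenSSH auth log lines.

Added example, not DigitalStakeout tooling. The sample log is constructed;
the threshold, window and assumed year are assumptions to be tuned locally.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in syslog/OpenSSH style (RFC 5737 test addresses).
SAMPLE_LOG = """\
Mar  4 10:00:01 bastion sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  4 10:00:03 bastion sshd[1203]: Failed password for root from 203.0.113.7 port 51024 ssh2
Mar  4 10:00:05 bastion sshd[1205]: Failed password for invalid user oracle from 203.0.113.7 port 51030 ssh2
Mar  4 10:00:08 bastion sshd[1207]: Failed password for root from 203.0.113.7 port 51031 ssh2
Mar  4 10:00:09 bastion sshd[1209]: Accepted publickey for deploy from 198.51.100.20 port 40000 ssh2
Mar  4 10:00:12 bastion sshd[1211]: Failed password for root from 203.0.113.7 port 51040 ssh2
Mar  4 10:30:00 bastion sshd[1300]: Failed password for deploy from 198.51.100.20 port 40002 ssh2
Mar  4 10:45:00 bastion sshd[1310]: Failed password for deploy from 198.51.100.20 port 40003 ssh2
"""

FAILED_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(\S+) from (\S+) port"
)


def parse_failures(text, year=2024):
    """Yield (timestamp, username, source_ip) for each failed-password line.

    Syslog timestamps carry no year, so one is supplied (assumption).
    """
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2), m.group(3)


def detect_bursts(text, threshold=5, window=timedelta(seconds=60)):
    """Return {source_ip: (first_ts, last_ts, count, users)} for every source
    whose failed logins reach `threshold` within any span of length `window`.

    A sliding window per source IP separates a burst (an attack) from the
    same number of failures spread over hours (usually a forgetful user).
    """
    by_ip = defaultdict(list)
    for ts, user, ip in parse_failures(text):
        by_ip[ip].append((ts, user))

    alerts = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Advance the window start until it is within `window` of `end`.
            while events[end][0] - events[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                users = sorted({u for _, u in events[start:end + 1]})
                alerts[ip] = (events[start][0], events[end][0], count, users)
    return alerts


if __name__ == "__main__":
    for ip, (first, last, count, users) in detect_bursts(SAMPLE_LOG).items():
        print(f"{ip}: {count} failures between {first:%H:%M:%S} and {last:%H:%M:%S}, users {users}")
```

With the defaults, 203.0.113.7 is flagged (five failures across three usernames in eleven seconds), while 198.51.100.20, with two failures fifteen minutes apart, is not. Loosening the threshold and window (for example, two failures within twenty minutes) would flag both, which shows why thresholds must be tuned against the organization’s own baseline rather than copied from a blog post.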
Frameworks Are Meant to be Adapted, Not Followed
As with any framework, individual organizations must adapt these domains to their own idiosyncratic needs. Although this post addressed only four domains, an organization may decide that other domains deserve its attention at the expense of those listed above. In the end, the risks an organization faces are specific to that organization and its particular operations.
However, failing to recognize the importance of a domain can come back to haunt an organization when an incident occurs. For example, several high-profile hotel chains long neglected certain types of active cyber threats and were eventually attacked, causing massive leaks of personal information belonging to millions of customers. In the same vein, unsecured and improperly secured cloud databases are discovered every day, sometimes containing the highly sensitive data of millions of individuals.
To understand how your organization can monitor threats to your digital footprint, contact DigitalStakeout today.