Cyber Threat Analysis Framework for Board Members

One of the most difficult challenges for today’s boards is tackling cyber threats successfully. The topic of cybersecurity is immensely complex and constantly evolving. A major data breach carries the potential for substantial financial and reputational losses. There are no easy answers and yet all boards bear the responsibility for addressing cybersecurity. It’s vital that they step up to the plate and take an active role in it.

While IT professionals are certainly the most knowledgeable about cybersecurity, boards make a mistake in delegating total responsibility for cybersecurity to their IT teams. The reality is that many of the threats come from insiders, and for that reason, it’s important to create an enterprise-wide culture of cybersecurity awareness.

Regardless of where the threats originate from, the board is ultimately responsible for any lack of cybersecurity efforts and handling the fallout from a data breach if one occurs. The best thing they can do to protect their organization and themselves from liability is to set up a cyberthreat analysis framework and ensure that the entire organization is following it from start to finish.

Assess the Cyber Threat Landscape

The first step in setting up a framework for analyzing cyberthreats is to take a look at the big picture. This means gaining a better understanding of the methods that cybercriminals are using to break into systems. Your IT staff is probably the best qualified to understand and dissect this information. They also have the capacity to translate it into layman’s terms and communicate the important points across the rest of the organization.

Organizations that don’t have IT staff may need to consult with a third-party cybersecurity specialist that can work with the board and other employees that understand how the organization operates, what assets could be affected by a data breach and to what extent. The goal of the threat and risk analysis is to establish the organization’s key assets, identify the most probable attackers and what their motivations may be, and determine the controls the organization can put into place to defend its assets. The process also aims to mitigate the vulnerabilities that affect the cybersecurity controls.

Identify Key Assets

What do cybercriminals have to gain by attacking your organization? Think in terms of things that are unique to your organization. This is one of the benefits of working as a collaborative team. Cybercriminals are gaining in sophistication and they nearly always have a specific intent pertaining to their efforts. They are interested in some particular data that you have that they can use as ransom.

If we consider the motivation of past cybercriminals, we can see that intellectual property is of value to nation-state attackers. Other hackers may have an interest in harming your business to the extent that they can damage your brand and reputation. If they were to get ahold of your website content management system, they could take over your website and claim it as their own, complete with their own name and logo.

If you’re like most organizations, you have assets stored in many different locations, and it’s important to identify where they are and who can access them. Be sure to check for backup locations where data is stored. Data may be stored on various local desktops, and if it’s stored in the cloud, it could be stored on a data center that someone else controls.

Who Has Access to the Organization’s Assets?

At this point, you have a list of the information that cybercriminals are interested in and you know where it is. Now, you need to decipher who has access to it. One of the frightening things that you may discover is that many more people have access to data that they don’t need to have access to. This is a mistake that gives attackers a greater chance to steal your data. Since you’ve discovered one problem already, you have the chance to tighten up your controls by limiting access only to those who need it.

Identifying Your Potential Threat Actors

The main groups to watch out for are cybercriminals, nation-states, “hacktivists” and insiders. You may be able to narrow one or more categories into sub-categories. Also, be aware of threat actors that are going after certain industries. Rank them in order of their motivation, capability and the risk of them targeting your organization. Assign values to find the overall possible threat to your organization.

Cybercriminals tend to be motivated by profit and they tend to use malware in their attacks. They may use such tactics as phishing and social engineering to tempt your staff to click on a link in an email that appears to be legitimate.

The analysis will identify the most likely threat actors and the tactics they’re most likely to use. Now you’re ready to start building up your defense.

Assessing Controls and Vulnerabilities

Working in collaboration with IT, determine your existing controls for preventing, detecting and responding to threats. How do they measure up against the methods and capabilities of the threat actors that you identified? At this point, you should be able to decipher vulnerabilities in your organization’s processes and controls. Have you trained your staff in cybersecurity awareness? How strong are your backup processes?

The information that you learn should lead you to some conclusions that you can use to form the framework for a customized cybersecurity strategy.

Your customized cyber threat analysis will also help you to budget to support your cybersecurity strategy, complete with data to back it up.

It’s not possible to defend your organization from every possible threat scenario. This is the reason that it’s so important to prioritize the threats that are most likely to come your way. The threat analysis helps you make informed decisions about how to detect threats and protect against them. Your cybersecurity strategy should be part of a greater cyber-resilience strategy that will help you reduce the chance that your organization will become the target of a cybercriminal’s threat. If the unthinkable happens and you get attacked, you’ll be as ready as you can be to put up the best possible defense.