Beyond ‘Prepare for the Worst’: A Smarter Approach to Cyber Risk Management

Written By: Bob Maley

Many of today’s security teams believe that “preparing for the worst” is a proactive way to address cyber third-party risk management. They set up immutable backups and cyber insurance to serve as a safety net when they inevitably fall victim to a ransomware attack. Or, they add layers upon layers of defensive security and threat detection tools to find and deter any malicious actors actively attempting to break in. 

While these approaches are a good idea as part of a defensive strategy, they don’t help teams feel confident about their risk posture. With such a quickly evolving threat landscape and increasingly sophisticated tools at attackers’ disposals, there’s always the question of whether your defenses will actually hold up. It’s a question that has kept many CISOs up at night.

But does it have to be this way? Let’s look at three common assumptions and see if there’s a better way to address each situation.

• #1: “We should look for indicators of compromise.”
• #2: “Let’s just add layers to our defensive security to improve our risk posture.”
• #3: “We’ve met X compliance framework, which is the best we can do to reduce risk.” 

Assumption #1: “We should look for indicators of compromise.”

It’s common practice for businesses to set up security infrastructure that finds and flags indicators of compromise: suspicious activity that points to a threat actor who has gained access to your systems.

Yes, threat detection and security monitoring tools are important. But if they’re your first or only line of defense, in many cases, by the time the alert goes off, it’s already too late. Your team will have to scramble and respond to the suspicious activities or even take remediative actions if the attacker was successful to some extent. 

A more proactive approach: today’s businesses should consider adding monitoring for indicators of attack—signals that show they could be attacked. Because the average business leans on dozens of third-party vendors for critical business functions, many of these indicators of attack will come from your surrounding vendor ecosystem. 

For instance, if one of your business-critical vendors has a significant weakness, this will also impact your risk posture. When you have the ability to gauge the likelihood of an attack before anything even happens, your team can start identifying potential weaknesses early and make proactive decisions to protect those critical areas.

Assumption #2: “Let’s just add layers to our defensive security to improve our risk posture.”

Many businesses also try to defend against the “inevitable” by bolstering their defensive security controls. New security tools are always hitting the market, and each one claims to take a brand-new approach to protecting businesses from cyber threats. 

However, just adding more security layers to your company isn’t always effective and gets pricey quickly. Often, the decision to add more layers to your defensive security is based on a whole lot of guesswork and generic resources, like qualitative security matrices. 

It’s really common to see companies shelling out millions of dollars to turn a “high-risk” area into a “medium-risk” area. But how were these values assigned? In many cases, the conclusion was drawn without knowledge of the company’s business goals, resources, or other unique factors. 

As a result, an area of business considered “high risk” could only cause a few thousand dollars in damage if compromised. But because it’s labeled as “high risk,” the company will assume that deploying $1 million of defensive controls to protect said area is worthwhile. In the end, the math doesn’t add up. 

Instead, companies need to make decisions about security controls based on actual financial impact. This way, the cost of the defensive layers won’t outweigh the potential damage costs.  

Assumption #3: “We’ve met X compliance framework, which is the best we can do to reduce risk.”

Compliance is important for meeting customer expectations and legal and/or regulatory requirements. But, it’s not enough to defend your business against cyber threats. After all, compliance is probably the last thing on a threat actor’s mind. They’ll be focused on the value and accessibility of a potential target, not whether it’s PCI compliant, for instance.

Instead, it’s crucial to understand which factors would persuade or dissuade a threat actor from seeing your company as an enticing target. That way, you can take specific precautions around those factors. For example, Black Kite research has uncovered that a company’s susceptibility to ransomware depends on a few common factors, such as location, value, and industry. 

How To Take a Truly Proactive Approach to Risk Management

As we’ve seen, assuming that you will get hacked and preparing some reactive controls is not the best way to manage risk (or get a good night’s rest). Instead, taking a proactive look at your entire ecosystem and making data-driven decisions based on this view can make all the difference. It’s a bit like the difference between buying a smoke detector that tells you when a fire has started or proactively minimizing the chance of a fire by ensuring that candles aren’t left unattended, keeping your electric wiring up to code, etc.

Black Kite specializes in third-party risk management (TPRM), a crucial discipline for identifying key indicators of attack that come from third-party sources. We enable you to take a proactive approach to managing supply chain risk, bringing intelligence from every corner of your ecosystem.

Black Kite provides multi-faceted intelligence, such as:

• Technical cyber ratings for each of your vendors, calculated from industry-standard MITRE frameworks and converted into practical findings.
• Risk quantification, using the Open FAIR™ model to calculate probable financial impact if one of your third-party vendors, partners, or suppliers were to get compromised.
• Ransomware susceptibility ranking based on factors uncovered from several OSINT sources, such as internet-wide scanners, hacker forums, and the dark web.
• Compliance ratings, aligning your TPRM efforts with common frameworks such as CMMC, GDPR, PCI-DSS, HIPAA, and more.

Start uncovering the indicators of attack in your business’s vendor ecosystem with a free cyber assessment today.

And to establish a more proactive approach, check out our interactive guide, “Stay Secure by Staying Ahead: How to Shift From Reactive to Proactive Cyber Risk Management.” (No download required.)