According to Russian vendors, Russia has remained the country most attacked by hackers for the past two years, which means that hundreds and thousands of companies are hit every day. In such conditions, the leaders of an organization face a difficult question: what are the cyber risks for me, and is my business really protected from them? In this article, we will try to work out how to formulate the key business risks, or events that are unacceptable for the organization, and why it is important to have your security assessed by white-hat hackers.
The number of cyber threats to business is constantly growing: first of all data encryption (ransomware), DDoS attacks, theft of customers' personal data, and temporary or permanent shutdown of production. In other words, any significant risks or events that can be considered unacceptable for the business, because they are capable of having a critical negative impact on its work.
Moreover, the possible damage from such events varies by line of business and even by individual company. For example, for large service organizations a leak of customers' personal data is a serious reputational risk; sometimes such events even drive companies out of the market. For a manufacturing company, on the other hand, a hack of the IT logistics system is a big problem, since warehouse operations may stop. Yet sometimes the operational processes of such a business allow it to cope quickly with this kind of force majeure. This means that defining the criteria for unacceptable events becomes a complex business task, which must be treated as a separate project.
Along with the growth of threats, spending on the security of data and IT systems is also increasing. According to a study by DNA Team, in the first half of 2024, 50% of Russian companies increased their spending on cybersecurity. Financial companies, retail and logistics were in the lead.
But an effective end-to-end data protection system does not depend solely on budgets, because a business often cannot be sure that it is protecting the real "weakest points" in its IT infrastructure.
How to check a business's information security?
The need to take into account the specifics of business processes dictates new rules for the overall assessment of a company's cybersecurity. Classically, information security falls within the remit of the company's IT and information security departments. However, technical specialists often do not take into account the nuances of how business processes are organized and cannot determine the criticality of a particular risk.
In addition, it is important to rule out manipulation by the IT departments that provide the company's security. They have their own interests, which usually come down to narrowing the range of threats considered and reducing the scope of the project (shrinking the "work front" for themselves). Therefore, the most rational way to draw up terms of reference for checking a company's digital security is to do so with the participation of key managers at C-level. They see the overall picture of how the enterprise functions and can act as mediators between different points of view on IT security.
The first step for a C-level manager who has decided to increase the company's resilience to cyber risks is to recognize the importance of cybersecurity, engage in goal-setting, define criteria and state what constitutes an unacceptable information security event for the company. That is, to find the business processes that will suffer from a successful cyber attack and lead to losses. However, the skills of even the most senior manager are not sufficient to solve this problem completely, because it lies at the intersection of different business areas, from IT to management systems. Therefore, it is solved in the format of a general "brainstorming" session in which top-level managers and representatives of the company's main divisions participate. The PR director will explain how serious the risk of a leak of customers' personal data is, the financial director will describe the losses from a one-day stoppage of the production line due to a hack, and the retail division will explain the consequences of a hack of the CRM that supports the sales process. A joint discussion will identify the areas of the IT infrastructure that are most at risk and where data is not duplicated. An additional benefit is the opportunity to see weaknesses in how the enterprise's business processes are organized and to develop a plan to adjust them. The CEO must then prioritize which risks matter most for the business. The CEO's task is to identify those that can cause irreparable damage to the business.
How to conduct a comprehensive business cybersecurity audit?
The next step is to find a tool that will allow the CEO to assess the quality of cyber defense. Such verification should be comprehensive, objective and relevant to the business goals and risks of the particular company. Many organizations use penetration tests, during which "hackers" try to break into their IT systems. But such checks reveal only technical vulnerabilities and do not give a broad picture of the state of IT protection in the company. Bug Bounty programs, for their part, do not answer the question of whether hackers can cause critical damage to the company. The same applies to assessing cyber defenses through Red Teaming. Relevance to the company's business goals and complete objectivity are achieved only in large-scale tests, somewhat reminiscent of a large "IT quest," in which the company's IT infrastructure is subjected to a variety of attacks, from DDoS to social engineering. This way, not only the vulnerabilities themselves are identified, but also the ability of IT systems and specialists to respond to them, the speed of that response and its effectiveness.
Business cybersecurity tests begin with a special expert council (which exists only in this format of digital security checking) determining the range of potential threats and the possible actions of hackers aimed at compromising the business's IT systems. The council is responsible for designing and describing the list of key risks in the form of unacceptable events for the business. It acts as a consultant to the business, recommending exactly what should be included in the audit.
The list of elements to verify is formed on the basis of the systems that could hypothetically be hacked and the actions hackers would hypothetically be able to perform. A number of such hypotheses are created and a list of potential vulnerabilities in the company's IT systems is determined. For example, it may or may not include social engineering. Companies have the opportunity to include in the test scenario those types of cyber incidents that they consider highly likely.
Then the amount of remuneration that researchers are entitled to for carrying out a controlled hack of the company's IT system is determined.
Comprehensive business information security checks are not a one-time project. In companies where information security is a priority, they must be repeated periodically, and their scenarios may be supplemented with new unacceptable events. One of the main tasks is to determine the level of spending at which attackers, however determined, cannot inflict critical damage on the company. 100% security is almost impossible to achieve; at the very least it would cost the company an unreasonable budget. But a systematic increase in cybersecurity spending is normal practice.
How to find universal keys to cybersecurity
There are many ways to check the cybersecurity of a business, but most of them are disconnected from its business processes, remaining within the sphere of influence of IT departments. The problem is the lack of qualitative assessment criteria tied to the direct work of the business. Unacceptable events can serve as these criteria. The cyber test format helps companies determine the degree of risk of these events and even the potential cost of preventing them. Finally, the tests assess the effectiveness of cybersecurity investments. For example, if a company invests hundreds of millions of rubles a year in security, and the cost of a successful hack, as shown by cyber tests, is only one million, then it has something to think about.

By Ilya Zabegaev, Product Director, CyberTesting