Understanding cyber risk, getting better visibility of your exposures, and measuring business impact should be at the heart of your organisation’s cyber security strategy.
Aon’s 2021 Global Risk Management Survey – a survey of businesses around the world – rated the risk of cyber-attacks/data breaches as the number one threat facing organisations today: cyber continues to top the agenda for businesses when it comes to considering the ‘big ticket’ risks that threaten their operations. The findings reflect a dramatic escalation of the cyber risk posed to businesses in recent years, fuelled in most part by an increase in ransomware attacks; up 323 percent from Q1 2019 to Q4 2021.
“Ransomware has been around for a long time,” says Cybereason’s Greg Day – VP & Global Field CISO, “In the last couple of years we have seen ransomware go through a number of evolutions, increasing its scope and complexity, including double and triple extortion, dramatically increasing the potential business impact.” The ransomware upsurge isn’t going to change anytime soon because it’s so lucrative,” adds Aon’s Andrew Catley – Director of cyber security, EMEA. “A ransomware investigation we are currently conducting, the demand is in the region of millions of dollars. The client is uninsured and what has traditionally been seen as an IT problem is now a real risk to their balance sheet.”
Cybereason’s 2022 Ransomware: The True Cost to Business Study reported 80% of those that paid a ransom, were hit again. For organisations, the upshot of this treacherous cyber threat landscape is a critical need to build a better understanding of the actual cyber risk facing their business, how they can gain greater visibility into their current exposures, how to quantify business impact and how to target critical mitigations. “It’s where an ‘intelligence led and risk informed’ compromise assessment exercise can pay valuable dividends,” says Catley, in helping organisations understand whether they’ve already been compromised, and/or where there are weaknesses and vulnerabilities in the network.
Understand the Cyber Risk
“Truly understanding the ‘real’ impact of cyber risk is the next step in cyber maturity for organisations who already have their cyber security basics in place,” says Aon’s Kraig Rutland – VP, Head of Business Development – Cyber Security, “but while it’s easy to say, it’s harder to achieve. Many organisations have invested heavily in risk mitigation strategies such as developing their security operations, buying tooling, reviewing processes, and hiring security teams.” Even while they’re doing that, Rutland adds, the attackers are also continually investing and increasing their scale and sophistication of attacks. “It can be hard to remove yourself from the day-to-day ‘business as usual’ to ask whether you really understand the evolving risk, which is where we start talking about perceived versus actual risk. You could be doing all the right things in relation to perceived risk facing your business, but what’s the reality for the threat actors - what is the reality of the risk? Is there an additional assessment layer you should investigate?”
Catley agrees, pointing out that some organisations will believe they have secured their network perimeter and concluded that everything inside is safe. “If an organisation’s perceived risk is the perimeter, they invest heavily in securing it, but they can get blinkered and may not always be taking an inside-out-approach as new threats emerge. If the perimeter is breached, what then? It turns out, the actual cyber risk is not the perimeter; it’s the business-critical legacy system sitting on their network that is being overlooked because they have put so much emphasis on one part of their security, rather than taking a more holistic approach.”
It’s possible to only understand the cyber risk to the business once the business itself knows what its mission critical processes are, adds Day: “Many of the organisations I speak to are unable to confirm what their critical business processes are and what a cyber attack to a particular part of the business would mean for the wider organisation.”
“A compromise assessment can pay valuable dividends in helping organisations understand whether they’ve already been compromised, and/or where there are weaknesses and vulnerabilities in the network.”
Contact us >
Visibility Through the Fog
Visibility into their current exposures – both technical and financial – is also hugely important but underestimated says Catley. “I’ve often led an investigation where the client is unable to give even an approximation of how many assets they have on their network.” But visibility is a complex problem, says Day, “especially as supply chains get bigger and bigger, while the use of the cloud has further exacerbated the problem.
The use of SaaS applications, online collaboration tools, and agile development means organisations have never been in a worse state from a visibility perspective.” Which is where a compromise assessment can be so invaluable for a business wanting to know exactly what is on their network.
A compromise assessment is a targeted review of an organisation’s estate looking for indicators of malware, breaches, or other evidence of unauthorised access. Threat actors understand the need to act covertly and are very successful at circumventing traditional security tooling like endpoint protection, “If you don’t know what’s there, how can you begin to understand and manage the risk?” says Catley. “A compromise assessment provides clarity and visibility as to what is on the network, as well as understanding if you are currently or have been historically unknowingly the victim of an attack. One part of the business – such as the research and development team – may have an environment up and running, for example, that the IT team does not know anything about. A compromise assessment provides clarity, which is key to managing risks.”
However, the results from the assessment – often very technical – need to be relevant to an executive audience, says Rutland. “It’s not just visibility but the right kind of visibility, and at the right level. Being able to translate the outcome of a compromise assessment to an executive audience is key because that will drive decision making, and investment choices.” It can be very difficult to gain a holistic view as to what these risks might mean to a business. Rutland adds, “which is why Aon has developed a compromise assessment capability to bring it all together: technical insight quantified and expressed in a way to make informed mitigative decisions. This also aligns with Aon’s model for sustained cyber resilience – the Cyber Loop - we aim to encompass all elements across different stages of the Cyber Loop – from assessment, through to mitigation, transfer, and recover.”
Business Impact
The third stage after understanding an organisation's cyber risk and getting better visibility to the exposures is around business impact. “Do businesses really understand the scale of the risk, not just technically, but financially, to a level where executives can make informed decisions, both reactively and proactively?” says Rutland.
A common complaint from CFOs adds Day, is that cyber security often seems to exist outside the organisation’s budgeting requirements. "A CFO says he expects all departments to cut costs, yet too often cyber security wants a pass, what's worse, part way through the year, they present another new risk scenario requiring even more budget to mitigate it. Business leaders want to quantify between risk and associated costs, versus actual spend. My challenge to CFOs is to ask their security teams to quantify the value each cyber security investment makes. There are often many differing solutions with differing costs and returns, this should be a business decision".
Risk quantification is key, adds Rutland: “Our approach leverages Aon’s ability to quantify and financially model risk based on detailed technical analysis, which makes it much easier for organisations to understand the total cost of cyber risk and, in turn, validate the cost benefit of risk management and mitigation strategies.”
Defend forward
Ultimately, Day recommends a ‘defend forward’ approach to cyber risk to help “build cyber security that allows an organisation to scale and keep pace with the challenge”. That proactive stance demands an organisation takes steps to understand its cyber risk, improve exposure visibility and measure business impact. Using solutions like Aon’s Cyber Compromise Assessment, an organisation can bring more certainty and clarity to an ever-evolving business risk, helping them to make better and more informed decisions.
This paper constitutes information only and is not intended to provide advice. Professional advice should always be sought regarding insurance coverage or specific risk issues.
Aon’s Cyber Solutions offers holistic cyber security, risk and insurance management, investigative skills, and proprietary technologies to help clients uncover and quantify cyber risks, protect critical assets, and recover from cyber incidents.
Aon UK Limited is authorised by the Financial Conduct Authority.
©2022 Aon plc. All rights reserved.
Cybereason offers cybersecurity software and cybersecurity services to help clients defend themselves from cyber threats.
©Cybereason 2022. All Rights Reserved.