Ransomware, data breaches, phishing schemes—cyber attacks can take many forms. Traditionally, the motive of these attackers can often be traced back to some sort of tangible goal. An attacker may want to extort some financial gain from a business, while another may seek to gather sensitive information to commit other crimes, like fraud.
Any breach or lapse in security can lead to potentially devastating regulatory fines, lost resources, repair costs, or even irreparable damage to a brand. Fortunately, in these cases, security teams still have the advantage of understanding what an actor might do or is planning to do based on those goals. Patterns emerge and security professionals can take steps to mitigate risks and deter attackers from going after their business.
For business leaders, it’s a frightening prospect. An IBM report found that the cost of a single data breach can soar well beyond $4 million. And now, the cybersecurity landscape is only getting more fraught with danger and more complex.
The current geopolitical landscape presents a completely different reality: damage and destruction as the goal, not monetary gain.
What do you do when there’s an attacker that sets its sights on your organization to do nothing more than cause maximum destruction and chaos?
Today, with critical infrastructure and other sensitive systems in the crosshairs of state-level actors, the traditional enterprise risk model, primarily aimed at ransomware and data theft, falls short.
Risk modeling level up: The geopolitical threat
How do you beat an attacker who has no motive? If an attacker gains access to your systems, there is no guarantee that any payment will make them relent. Answering this question is something that must be at the top of every CISO’s to-do list.
Oftentimes, these kinds of attacks seek to gain access to critical infrastructure, whether that’s a power grid, water supply, or a government agency’s most sensitive data. And while a business may not appear directly connected to these systems, any government contract, third-party vendor, or business relationship could put them squarely in the crosshairs of a geopolitical attacker.
It’s a reality that more organizations are becoming aware of and troubled by. A survey from the World Economic Forum (WEF) found that 65% of respondents said their greatest challenge to achieving cyber resilience was supply chain and third-party vulnerabilities. Further data from a Verizon report on data breaches found that the percentage of breaches where a third party was involved doubled from the previous year.
This is where the biggest shift in risk modeling needs to happen. Traditionally, the focus has been on where weaknesses exist within an organization’s operations. Now, that assessment needs to account for every factor up and down the supply chain, even stretching to the smallest business partnership—every dependency matters. It’s in these dependencies that weaknesses in security elements like identity and access management (IAM) can arise.
And this is where we arrive at one of the most important components, IAM and the management plane.
Stopping a lurking threat starts with robust access controls
Among the dependencies that pose a threat to security teams, IAM and control of the management plane rank among the most crucial. Large organizations have a set of credentials and access permissions that are constantly in flux. Someone who needed access one day may no longer need it the next.
Likewise, third-party vendors come and go. If those access controls are not strictly monitored, reassessed, and revoked as needed, something as simple as a faulty password or a simple phishing scheme could be enough to let an attacker in.
As organizations reorient themselves to cyber threats that seek to cause chaos for its own sake, success depends on absolute control of the management plane. Step one in building that control is to reshape how access is handed out. In short, it can’t be left to an understaffed IT department.
Security teams need to put extra emphasis on tasks such as continuous credential validation, a comprehensive review of standing permissions—who needs them, who has too much access, and who needs to be removed—and policy shifts to restrict the total amount of permissions and privileges as much as possible. This is particularly important in the context of third-party organizations, where engagements may be short and access across systems is granted to individuals the organization knows little about.
A future defined by global threats
The days of paying off an attacker to get your data back or systems back online are quickly fading. That’s not to say ransomware and other financially motivated attacks are decreasing by any means. The reality is that security teams must account for far more motives, or rather, a lack of a motive altogether. In this scenario, if an attacker gains access, there’s little that will deter them from tearing down everything in sight.
Addressing threats on a geopolitical scale will require alignment from the boardroom down to the security practitioners tasked with keeping systems safe. But more than that, organizations must fundamentally rethink what it means to be prepared. Traditional playbooks centered on detection and response are no longer sufficient in a world where disruption is often the endgame.
Building resilience in this context will mean designing systems, access controls, and operational processes with the expectation that a breach will occur and that the attacker may have no incentive to stop.
Avani is Chief Executive Officer at Schellman, the largest niche cybersecurity assessment firm in the world that focuses on technology assessments. Avani is an accomplished executive with domestic and international experience in information security, operations, P&L, oversight, and marketing involving both start-up and growth organizations. She has been featured in Forbes, CIO.com, and the Wall Street Journal, and is a sought-after speaker as a voice on a variety of emerging topics, including security, privacy, information security, future technology trends, and the expansion of young women involved in technology.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.