All too often, when discussing what could happen should a company suffer a cyber attack, security leaders fall back into techno-babble and discuss the technical details of the potential incident. This is frustrating for business leaders who do not have a technical background, and it damages executive support for the security function. If the business leaders cannot understand "why" you need funding in terms that they understand, you are not likely to get it. This chapter therefore discusses the potential harms that can result from cyber attacks and how to prioritize them based on what your business does.
The threats of cyber attacks at a business level can almost always be categorized into the following eight groups, which can be remembered by the acronym FELT DIES (Fraud, Extortion, Loss, Theft, Damage, Infractions, Espionage, Sabotage). This acronym is useful not only in helping remember what these risks are but also their relative likelihood for most companies, since the order runs from the most to the least likely.
Six of these threats (Fraud, Extortion, Theft, Damage, Espionage, Sabotage) are first order threats, in that the threat actors discussed in Chapter 1 are directly behind them. The other two I classify as second order threats. Loss, because while the threat actors are not directly behind the loss (if they were, it would be theft or one of the other threats), the event is cyber related and can cause significant harm to the business. Infractions, because of the likelihood of harm occurring to the business as a consequence of the first order attacks, including lawsuits, fines and sanctions, not to mention customer loss and share price impacts.
It is also important not to confuse how your enemies will carry out their attacks (phishing, hacking, etc.), with the objectives of the attackers. In Part Two, we will explore the common means of attack and how they relate to these threats.
When discussing risk with your business leaders, be sure to use the following terms for the threats that your company is most vulnerable to. This keeps the conversation at a level that most executives can understand, as these threats are non-technical issues most business leaders can relate to.
This chapter shows you how to identify and prioritize the most likely cyber related threats to your business. This prioritization will inform the controls that you implement to counter these threats in Part Two — Tactical Risk Management.
Fraud is theft using manipulation and deceit, as opposed to the use of force as in a robbery. Examples of fraud include payroll fraud, benefits fraud, bank account takeover and wire transfer fraud. Fraud is a cyber-related risk because criminals typically use phishing, social engineering, and other means to obtain employee credentials or to trick employees into giving them the access they need to carry out the fraud.
According to the FBI's Internet Crime Complaint Center (IC3) 2020 Internet Crime Report, victims lost the most money to business email compromise (BEC) scams, romance and confidence schemes, and investment fraud. With almost 800,000 complaints reported to the IC3 and over $4.1 billion in reported losses in 2020 (which is estimated to represent only a small fraction of the actual losses and incidents), all businesses, regardless of their size, are targets for fraud attacks. Small organizations are targets because of their lack of sophistication in spotting the attacks, while large organizations are targets because of gaps in the internal controls that would help spot the attacks. The increase in people working remotely is accelerating these trends: as more work is conducted via phone and email, physical verification of identities becomes more difficult, which is exactly the gap that BEC exploits.
Extortion is the threat of harm to extract money or some concession from a company. Ransomware is probably the most common example of this today: companies are pressured to pay a ransom either to regain access to their encrypted data or to prevent stolen data from being released to the public. Other examples of extortion are denial of service attacks, where attackers demand payment to stop the attack and let the company regain access to its online services, and the theft of sensitive information combined with a threat to release it unless a ransom is paid.
Worldwide, ransomware cases are rising sharply, with 68% of organizations now estimated to have been affected by ransomware. Governments, businesses large and small, and companies designated as critical infrastructure have all been victims of ransomware; no organization is immune. Not only are ransomware attacks pervasive, they can also be deadly. Businesses can be severely damaged, if not destroyed, by a ransomware attack, and lives have been lost because of the disruption of IT systems caused by an attack.
The default expectation of most executives, that their cyber insurance will cover the losses or damages from a ransomware attack, increasingly does not hold. Insurance companies are specifically writing ransomware coverage out of their policies, and where coverage is still available, the premiums are rising sharply.
Loss covers any loss of information that causes financial harm to companies. Examples range from sending sensitive data to the wrong people, all the way through to losing sensitive and reportable data when laptops or USB devices are lost, or information is sent via insecure means. For health care information in particular, the penalties can be severe even for relatively small numbers of records.
As a security leader, what you need to understand is what sensitive information your organization may receive, process, or have access to (see Chapter 1.3, Information), who within the organization has access to it, where it is located, and how it is protected. Finally, you need to know, or at least know where to find when needed, the reporting requirements and the consequences of failing to report to regulators or customers should there be a breach of this information, regardless of the cause (intentional or unintentional).
Theft is the direct theft of information or resources from a company for financial gain (as opposed to espionage as discussed in section 3.7 below). This typically occurs when criminals or nation-states hack computer systems to gain access to sensitive information that can be resold on the dark web, such as cardholder data. This can occur both directly when a company’s systems are attacked, and indirectly when information that they have shared with a third party is stolen from the third party.
Besides theft of information, attackers can also steal resources from the company by hijacking the company's devices for their own purposes. Usually this purpose is the mining of cryptocurrency (cryptojacking), but these devices can also be incorporated into massive botnets that are rented to other criminals to conduct malicious activities such as denial of service attacks as part of an extortion attempt, or to host fraudulent websites for phishing campaigns that steal information from unsuspecting users who have been directed to them. It is not only servers and PCs that are used in these attacks; vulnerable commercial and consumer routers are often compromised and incorporated into botnets in order to conduct criminal activities.
Increasingly, theft is becoming a two-sided problem. One side is direct theft, when a company is targeted specifically because of the data it holds that can be resold. The other side is when sensitive data is stolen as part of a ransomware attack (so-called double extortion). Companies now face paying to get access to their encrypted files restored, and are also forced to pay so that the data stolen during the attack is not released or sold on the dark web. The consequences of such a release could ruin the company's reputation with its customers and expose it to customer lawsuits, regulatory sanctions and fines.
Damage is the reputational harm that can result from an attack. It can be a consequence of another attack, such as theft or extortion, or it can be the direct intention of the attacker, typically a hacktivist, to embarrass the company.
Website defacement, a common tactic of hacktivists, is an example of cyber-driven reputational damage. While it may cause little direct harm to the company's operations or to the information it holds, the fact that the attackers could successfully carry out the attack calls into question the effectiveness of the company's security program and any assertions it has made to its customers about it.
Infractions are failures to follow contractual, industry, or regulatory requirements related to cyber security and privacy. The consequences of such failures can include lawsuits, fines, and other sanctions.
Examples include the lawsuits that are inevitable when any large data breach occurs. These can come from both directly affected consumers, and from shareholders who will sue because of the impact that the incident has had on the company’s share price.
Regulatory fines and actions can range from private actions when industry standards such as PCI DSS are violated, to government sanctions when privacy regulations such as GDPR or HIPAA are violated. The fines that can result from these privacy-related events can be significant.
Espionage is spying and information theft, mainly for nation-state purposes but also for corporate purposes, when nations (or companies) spy on each other to gain trade secrets or some other competitive advantage. Nation-states are the primary actors behind espionage, with Russia and China being the leaders in the theft of US intellectual property to support their military-industrial efforts.
Sabotage is an attack on a company's or a nation's infrastructure to cause economic or direct harm to that company or nation. This is not always nation-state driven, as ransomware can also be considered sabotage, especially where those who introduced the ransomware into a company have no intention of collecting the ransom (NotPetya, which was ransomware in appearance only, is the best-known example). They are attacking the company strictly to do damage and disrupt its operations, using ransomware as the means of attack.
Any organization that is in a critical infrastructure industry has to be on guard against cyber sabotage. Size is not a factor: from the largest power distribution network down to the smallest local water treatment center, all are at risk.
Now that you know the consequences of attacks that you are likely to face, it is time to pick those which are more likely to occur based on your company and industry, and which are the biggest concerns to your board and leadership.
Considering the epidemic of ransomware occurring across all industries and government agencies, extortion is likely to top the list for any company. The rest are more nuanced. A good way to develop the ranking is to hold meetings with the stakeholders involved, explaining the options, providing examples, and then asking them to rank the options from most concerning to least concerning.
Don't worry about the exact ranking order. It is better to take the eight threats and sort them into two groups: the ones you are most concerned with, and those you are less concerned with. The first group is what your information security program should focus on preventing first, and as you evaluate controls, keep these threats top of mind in terms of each control's ability to mitigate them.
Once you have explained the concepts of cyber risk in terms of business threats, some executives will order you to ensure that all of these threats are countered. If this is the case, remind them that while countering all the threats is the intention, the order in which you do so should be guided by mitigating the most likely and most impactful ones first. In other words, those which represent the highest risk to the organization.
This is a draft of the content from my upcoming book on Heuristic Risk Management. The anticipated release is Q1 of 2022 and it will be available through all major book retailers in both print and ebook. Footnotes are not included in these drafts, and all drafts will be removed from this forum when the book is published. Comments are welcome if there are areas that you feel are unclear or missing information. Since these are drafts, spelling and grammar issues are likely and will be corrected in the final release.