How and why to conduct a cyber threat and risk analysis

An ethical hacker’s insights into how and why organisations should conduct a cyber threat and risk analysis based on nine years’ experience conducting penetration tests for hundreds of organisations

Cyber attacks are no longer single events but sustained campaigns by increasingly sophisticated attackers who combine social engineering with technical skill to penetrate your network and gain access to your most important assets. This increase in the complexity and skill level of the adversary means that there is no single solution to preventing cyber attacks.

Traditional security spending focuses on introducing another protective or detective product, but this is no longer effective in isolation. There needs to be an overall cyber security strategy focused on cyber resilience, driven by a threat-led approach that concentrates on the key assets of the organisation and on the motivations and capabilities of the attackers most likely to target them.

Security budgets are limited, and this approach allows you to direct those limited resources to protecting the assets that are most likely to be targeted.

In order to establish a baseline for a threat-led cyber strategy, it is useful to perform a threat and risk analysis exercise. Threat intelligence is used to gain a picture of the current landscape and the methods attackers are using. In the long term, this information can be purchased as a threat intelligence feed that provides analysis specific to your industry sector.

However, this requires that you have staff in place who can understand this information, disseminate it in digestible form to the right people, and act on it in terms of the overall cyber security strategy. If this is your organisation’s first step into a threat-led approach to cyber security, it is unlikely that you will have these resources in place.