Security Shift: From Cyber Threat Intelligence to Cyber Risk Intelligence
The traditional approach to cybersecurity is broken.
Data tells the tale: Despite the development and evolution of new security systems and technologies, attackers continue to see success. Despite decades worth of exposure to phishing attacks, for example, enterprises still struggle to detect, contain, and mitigate the impact of these threats.
Or look at the growing risk of ransomware.
Driven in part by the shift to remote and hybrid work, ransomware attacks rose by 92.7% in 2021 compared to the year before, and thanks to the emergence of new models like ransomware-as-a-service (RaaS), would-be attackers can now access the tools they need to encrypt corporate data through a simple e-commerce model. In other words, they pay for the payloads they want, while malicious code builders offer "customer support" to help their attack efforts succeed.
The result is a harsh truth: The focus on identifying cyber threats as a means to reduce their impact isn't effective in isolation.
While some attacks will come under scrutiny, many more will slip by unnoticed. Consider that in 2022, the average time to detect and contain a breach rose to 287 days. In practice, this means that attackers often have almost a year to explore and exploit corporate systems before they're found and their attacks are foiled. It's no surprise, then, that average data breach costs also grew in 2022, up from $4.24 million in 2021 to $4.35 million this year.
Thankfully, it's not all bad news.
By shifting policies and processes to integrate both cyber threat intelligence and cyber risk intelligence, businesses are better equipped to take action when attacks occur. In this article, we'll break down the difference between threat and risk intelligence, explore some common challenges in third-party cyber risk management (TPCRM), dive into current examples of cyber risk approaches, and take a look at what's on the horizon for this security shift.
Cyber Threat vs. Cyber Risk Intelligence: What's the Difference?
Cyber Threat Intelligence
Cyber threat intelligence has been gaining ground as a way for companies to reduce the likelihood and impact of cyber attacks. In practice, cyber threat intelligence seeks to answer three questions:
Who is coming after us?
Why are they targeting us?
How are they doing it?
Consider a fintech firm that offers online banking transactions. Cyber threat intelligence efforts look to pinpoint hacker groups or individuals who are prone to attack financial firms, identify the data sources these attackers are likely to target, and compile a list of likely threat vectors.
For example, threat intelligence efforts might identify a group that regularly goes after the customer data held by digital financial firms and uses ransomware as its primary attack method to break down security doors. Based on this intelligence, the company might choose to spend on more in-depth security training, purchase new solutions such as next-generation firewalls (NGFWs), and create redundant data stores to reduce the impact of a successful ransomware attack. Despite its efficacy in dealing with known issues, however, threat intelligence comes with a natural blind spot since it focuses on likely attacks from identified actors.
But what about unexpected attacks from unknown sources? Simply by existing in a digital space, companies open themselves up to potential threats from any direction, at any time, meaning the targeted approach of cyber threat intelligence can only take companies so far.
Cyber Risk Intelligence
Cyber risk intelligence offers a new approach to help defend against attacks no matter where they come from or what they target. Put simply, cyber risk intelligence is the ability to collect, standardize, and analyze information that pertains to risks, rather than threats. This means that while threat intelligence might highlight a common attack vector and actor, it can also lead to over-focus on threats themselves, rather than underlying risks.
Cyber risk intelligence is the ability to collect, standardize, and analyze information that pertains to risks, not just threats.
One of the most common sources of risk? Third-party providers. It makes sense: With enterprises turning to third parties for everything from cloud computing resources to mobile applications to data storage to security controls, risks expand exponentially. From the security practices of individual vendors to the connections they create with corporate networks, risks are everywhere — based on data uploaded to the CyberGRX Exchange, 20% of an enterprise's third-party portfolio typically exhibits a high inherent risk profile, which means they're likely to experience a cyber event that would expose their business to harm, in turn causing impacts that are significant to connected enterprises.
Cyber risk intelligence aims to provide companies with complete visibility into their third-party risk — and how it can be reduced.
Common Challenges with TPCRM
Third-party cyber risk management (TPCRM) frameworks offer a way to centralize and standardize third-party risk analysis. When it comes to TPCRM, however, several challenges are common.
First is a lack of investment. According to data from KPMG, 61% of financial firms say that TPCRM solutions are still undervalued in the enterprise. As a result, TPCRM programs may not get the funding and support they need to effectively address emerging threats.
Next is a lack of visibility — 59% of businesses say they're frustrated by the lack of visibility offered by current TPCRM solutions, which could increase overall breach risk. 30% point to issues with integration and deployment, while another 29% say they lack the appropriate skills to make best use of TPCRM.
Concerns are also emerging around inconsistent reporting and analysis. Here's why: If every vendor has its own process for risk intelligence documentation, enterprises are left trying to translate multiple sets of results into a single, cohesive whole — making it more likely for security teams to miss the telltale signs of attack.
Overcoming these challenges means finding best-fit TPCRM solutions capable of addressing them. Key components include advanced machine learning algorithms that help automatically identify security blind spots, paired with a two-sided assessment process that allows third parties and enterprises to work from a single, shared, and standardized assessment framework, making it possible to collaborate on efforts to reduce total risk.
How is Cyber Risk Intelligence Being Used?
Third-party risk is just the beginning. Now, companies must be prepared to address Nth party risk.
In practice, Nth party risk refers to the vendors of vendors, of vendors, and so on, however far down the chain continues. Think of a large retail enterprise that outsources the manufacturing of products to a third-party vendor. That vendor then has multiple vendors that assemble specific components for these products, and those vendors have vendors who handle materials sourcing and transport.
The result? An Nth party vendor responsible for transporting materials to a manufacturer could be the origin point of an attack. If attackers can breach Nth party vendor controls and move laterally across their network into production line networks, manufacturing networks, and finally retail networks, companies could be victimized by attacks that are unexpected in both source and scope.
Cyber risk management solutions offer a way for businesses to visualize their entire risk profile, regardless of the degree of vendor separation. This makes it possible for teams to pinpoint potential risks and take action before attacks happen. Effective TPCRM solutions also make it possible to reduce the time required for companies to identify and respond to potential threats. As noted above, the average detection time in 2022 remains just under 300 days, which gives attackers ample time to exploit key systems and install malware payloads. This is even more worrisome if attackers have been working their way up Nth vendor network chains — even once threats are detected, attacks may simply shift down a level and bide their time. Complete visibility, meanwhile, makes it much harder for attackers to hide.
What's Next for Cyber Risk Intelligence?
While cyber risk intelligence solutions can help companies better mitigate and manage potential attacks, there's always room for improvement. So what's next for risk intelligence? Avenues of expansion include:
Improved collaboration between first-party and third-party businesses is on the horizon for TPCRM efforts. If businesses commit to framework standardization and information sharing, everyone benefits — enterprises and vendors are better equipped to spot trouble coming, while customers enjoy confidence in network security efforts.
Evolving cyber risk intelligence efforts will also help cultivate new response strategies. One of the most promising is the use of artificial intelligence (AI) to proactively detect and respond to threats. The caveat? For AI solutions to learn, massive amounts of data are required. As a result, more robust cyber risk initiatives that include Nth-party vendors could help companies cultivate adaptable AI security efforts.
The sheer amount of risk data now generated by organizations creates both big benefits and potential problems. While some of this data is relevant to current and emerging concerns, some can be safely discarded. The challenge? Knowing which is which. Next-generation cyber risk intelligence solutions will provide more effective data curation to help companies make data-driven decisions that keep critical resources safe.
Attacks happen. And they're going to continue happening as attack surfaces expand thanks to the increasing use of third-party vendors, the expanding use of cloud-based services, and the growing adoption of IoT frameworks. In this evolving landscape, effective defense depends on both cyber threat intelligence and cyber risk intelligence. Used in concert, these security efforts can help improve threat visibility, identify potential areas of concern, and provide the impetus for targeted security spending that frustrates attacker efforts.
With attacks increasing every day, it’s never been more critical for security professionals to see the big picture. By leveraging cyber risk intelligence, you can decrease your third-party cyber risk and improve your detection and response. Book a demo to learn more.