Most businesses prepare for a scenario where attackers want something, whether that’s access to proprietary information, money — or both. But what do you do when an attacker has no motive? Avani Desai of Schellman explores how organizations can reorient their risk management approach to prepare for a new age of geopolitical threats.
Fraud, unauthorized access to IT systems, data breaches: there is no shortage of risks for businesses today. Last year, IBM reported that the cost of a data breach was, on average, $4.4 million, and that number isn’t getting lower anytime soon. For business leaders, security professionals and boardrooms, these threats aren’t new. If an attack, like a case of ransomware, did succeed, there were still options to recover. Ransoms can be paid and data or systems can be restored. But now a new problem is emerging. How do you plan for, and respond to, an adversary that has no motive?
Geopolitical considerations have shifted drastically in recent years, meaning businesses could find themselves in the crosshairs of an attack. Whether it’s aimed at critical infrastructure like a power grid or water supply or government agencies that house troves of sensitive data, businesses up and down the supply chain are vulnerable.
Risk is changing, and the strategies that have defined years of security compliance must adapt to keep up with the threat.
Risk modeling for an age of uncertain geopolitical threats
Increasingly, boardrooms are starting to realize the importance of geopolitical threats. A recent survey from the World Economic Forum found that 64% of organizations are now accounting for geopolitically motivated cyberattacks, including disruption of critical infrastructure or espionage.
So, what exactly is changing with that realization? Traditionally, the risk models embraced by business leaders have centered around where a business’ operations are. That means focusing on the specific places where sensitive data and valuable assets lie and the systems intended to secure them.
That approach, while effective in some instances, is proving to be incomplete for the purposes of a more determined attacker. When the motive is just attacking for the sake of attacking, the financial incentives disappear, and with them the calculation that a seemingly more secure organization is not worth the attacker’s trouble. Once an attacker sets their sights on a target, they’ll stop at nothing to break through.
And this is where a more comprehensive approach to risk needs to take hold. In this context, dependencies span a few different attack vectors. Everything up and down the supply chain, third-party vendors, partner organizations, even external business relationships all represent dependencies that can be exploited. Couple these vulnerabilities with an organization that holds government contracts or is involved with critical infrastructure and an otherwise innocuous business quickly becomes a major target for state-level actors.
Any one of those dependencies could result in an unauthorized individual gaining entry and unleashing chaos on critical systems. Security posture starts here with identity and access management (IAM) controls.
Security starts at the management plane
This is where many organizations — even large enterprises with more mature security — run into trouble. While important, IAM is often an issue relegated to IT teams, which are already tasked with a multitude of other important roles and responsibilities to keep the rest of the organization running smoothly.
The longer that misconception and misallocation linger, the more fragmented ownership over IAM becomes. In reality, identity controls are no different than any other security need. Regulatory compliance and internal governance cannot exist if security teams don’t have a reliable accounting of who has access to what. Taking steps to frequently conduct compliance assessments and restrict or revoke individuals’ access is an important first step.
In any business environment, employees, vendors and partners all come and go over time. Even the most up-to-date security systems won’t matter if an attacker gets in from a former employee’s account. Something as simple as a bad password is all it takes.
The amount of turnover that naturally exists in business presents a perfect opportunity for attackers. Successfully fending them off will take a rigorous strategy built on continuous validation.
Where do boards go from here?
All of the threats we’ve discussed exist on a huge scale and are subject to factors that are largely out of the control of any one organization. We know the stakes are high, we know where the vulnerabilities are, but how should boardrooms actually start planning for these possibilities?
Don’t overthink it: keep any model simple and focused. An overly detailed and elaborate threat model isn’t going to make taking action any clearer — but clarity will. An effective risk management strategy stays dialed into what matters and what the business impact could be.
That’s what really translates into operational impact. Strategy should be built around the answers to questions like: How do we respond if a system is completely wiped out? What if a specific region goes offline? What if critical operations are disrupted?
Then it’s about creating an action plan with a few focused actions. This should first include strengthening identity and access controls and implementing continuous validation of those credentials to reduce unnecessary risk. Then plans must ensure operational resilience is ready to respond to an attack with adequate backup and recovery capabilities.
Ultimately, the best plans are those that don’t try to cover every eventuality. Prioritization is vital; focusing on what matters the most helps set the right foundation.
Managing risk in an uncertain geopolitical landscape
How do you win a fight where your opponent wants nothing more than to keep fighting? The business world is entering a new age of ambiguity when it comes to cyber threats. Motivations are blurring and the risk models that have long been in place to counter attacks are becoming outdated.
Whether you’re a CIO, CSO, a board member or security practitioner, there must be a complete understanding of an organization’s place in the geopolitical landscape from top to bottom. Knowing the connections that exist throughout a business and rigorously controlling the management plane have become the new foundation for understanding threats.
Geopolitical tensions are fueling new attack motives — or rather a lack of one at all. As this shift continues molding the cyber threat landscape, businesses across the board need to be prepared for whatever lies ahead.


Avani Desai is a partner and president at Schellman & Co., a niche CPA that focuses on technology and security assessments. She is also CEO and co-founder of MyCryptoAlert, a push notification and portfolio app for cryptocurrency. Avani started her career working at a Big 4 accounting firm (KPMG) for over 10 years, where she led a team and oversaw IT risk management and privacy across national service lines. 







