What is the difference between cyber risk management and cyber resilience?

Cyber Security Hub speaks to Sourabh Haldar, threat policy implementation lead of information and cyber security at Standard Chartered Bank about the importance of cyber resilience in the face of emerging threats.

Cyber Security Hub: What do you think will be the biggest threat vector and/or threat target in 2023?

Sourabh Haldar: From a sector-wide perspective, phishing and social engineering-based attacks are definitely a concern. Phishing is the easiest way for malicious actors to gain a primary entry point for cyber attacks.  

I come from the banking and finance sector and we receive hundreds, if not thousands, of phishing attempts on our perimeter and towards our employees, daily. The financial sector is not the only industry facing this problem, as 75 percent of cyber security professionals say phishing attacks are the most dangerous threat to their security.  

Then, of course, there are emerging threats coming from the fact that there are an increasing number of devices getting online capabilities. This gives rise to a unique attack surface for malicious actors. 

Previously, the primary targets for attackers were endpoints that connected to the internet, like computers and mobile devices. Nowadays, the Internet of Things (IoT) has opened the attack surface. With the introduction of smart devices, something as simple as a light bulb can be connected to a network. The potential ramifications of this are vast.

For example, someone claimed that he was able to hack into and control the functions of around 20 Tesla smart cars. The fact that we are using smart devices and even have smart homes exposes people to a new form of threat. From an industry point of view, however I do not think that smart devices as an attack target are a big concern for the banks, as we do not really use a lot of IoT. This being said, mobile devices and other endpoints can become exposed to threats through employees, as well as third-party partners, so it is something to keep an eye on.  

Finally, one more emerging trend that I believe will grow as a threat target is digital assets. Digital assets are things that have a uniquely identified digital presence and perceived value, such as cryptocurrency. The way these assets are held, for example through smart contracts, or via digital wallets, are also considered digital assets.  

Digital assets currently utilize distributed ledger technology on a decentralized network, which has introduced a new form of vulnerabilities. As an outcome, we are actually seeing a lot of research papers warning us about this as a growing risk. In fact, more than US$3.8bn worth of cryptocurrency was stolen through cyber attacks last year.

“Cyber risk management is about trying to minimize the likelihood of successful attack, and cyber resilience is about minimizing the likelihood of an impact from an incident”

CSH: Continuing the focus on digital assets, what can those within the cybersecurity space do to mitigate threats against digital assets?

SH: A lot of people are jumping on the bandwagon of digital asset creation and trading. This means there are a number of smaller organizations that are likely not mature enough to prevent cyber attacks handling digital assets which are often a target for hackers. 

Larger organizations, for example commercial banks like HSBC, are much more prepared to deal with threats. This is because they can leverage their existing means of cyber risk management while evolving their security and threat defense strategies to face emerging threats. They are also able to utilize tools like automation and artificial intelligence that may not be available to smaller organizations.

This being said, while these companies are building the backbone of their threat response capabilities, they still have to apply common risk management principles to ascertain and understand what kind of capabilities their adversaries process to help them decide what kind of controls to put in place.

From an overall approach point of view, the security strategy employed by both smaller and larger businesses will be the same. From a capability point of view, however, large businesses are in a better place to apply new techniques and put new controls in place. Additionally, larger businesses are better able to invest in both front-end and back-end capabilities simultaneously, while smaller businesses may have to choose only one to invest in. As smaller businesses will be looking to enhance the experience for customers using their platform, they may neglect their security capabilities to do so, leaving them open to attack. 

Another point that is certainly worth highlighting is that bigger organizations will also have better insurance against cyber attacks. Therefore, their cyber resilience is increased. If their network is brought down completely during an attack, they are more likely to be able recover than a company that does not have protections against this in place. This is true from both a business and financial perspective.  

CSH: What is the difference between cyber risk management and cyber resilience, and why are they both important in threat intelligence?

SH: In layman terms, I would say that cyber resilience bridges the gap between cyber security risk management and operational resilience.

Traditional operational resilience is all about disaster recovery and business continuity planning, for example making sure a company can bring service back into operation if the network goes down. Whereas cyber risk management is all about establishing security infrastructure in place, ensuring your most important assets are protected against the most common threats. In short, cyber risk management is about trying to minimize the likelihood of successful attack, while cyber resilience is about minimizing the likelihood of an impact from an incident.

In broader terms, cyber resilience is about anticipating what will happen if an attack occurs. It is all about asking the right questions: How will you withstand this specific threat vector? How will you recover from the attack? Using this, cyber security professionals can then evaluate the recovery and response mechanisms they have in place and develop them as needed. Cyber resilience looks at minimizing the extent and duration of cyber attacks and the impact they have on the business and its services as much as possible.  

Cyber resilience considers all the possible impacts of threats and how to combat them. As an example, when looking to develop a cyber resilient security strategy, a cyber security professional may consider what would happen if a very advanced persistent threat actor breached their company’s perimeter and remained in its network for six months. They will consider how they would cope with the discovery of such a breach, including minimizing the confidential and sensitive data a malicious actor could gain access to once in their network. By doing so, they can attempt to minimize the likelihood of a data breach. 

Overall, cyber resilience is largely about detection and response, while cyber security risk management is more about how companies define themselves. By using these definitions, cyber security professionals can identify the threat vectors that are likely to be used to target their company and guard against them, giving their company the maximum amount of protection possible.

Learn more from Sourabh Haldar by registering for his session, Mitigating threat actors and becoming cyber resilient by understanding the ‘what, why, how’ of cyber attacks, at CS Hub Live: Threat Intelligence APAC

You May Also Like

  • Blizzard Entertainment hit by DDoS attack

  • IOTW: A full timeline of the MOVEit cyber attack

  • PwC and EY impacted by MOVEit cyber attack

  • BlackCat threatens to leak 80GB of Reddit data