Interview: Tenable CTO on how companies should measure cyber risk

05 Feb 2019

At the recent World Economic Forum, the Global Risks Report identified nation-state cyber attacks as one of the threats to global economic prosperity.

Tenable CTO and co-founder Renaud Deraison spoke on a panel of security experts at the Cyber Future Dialogue event in Davos to develop a call to action and issue a resolution for tackling the upcoming year’s cybersecurity priorities.

Techday spoke to Deraison about how cyber risk is measured and why organisations and governments need to be prepared.

What are the global factors causing the constant increase in cybersecurity attacks?

We’re living in an increasingly connected world, where digital transformation and the proliferation of IoT systems have fundamentally changed the way we work and live.

However, this brave new world of connectivity doesn’t come without its risks.

Rising geopolitical tensions coupled with an expanding attack surface have left governments and organisations vulnerable to targeted attacks on sensitive, high-value information.

The significance of this threat was highlighted in the latest World Economic Forum Global Risks Report 2019, with cyber attacks and the breakdown of critical information both making their way into the top 10 global risks in terms of impact.

And the threat is very real.

Tenable Research recently released its Vulnerability Intelligence Report which reveals that enterprises must deal with an average of 870 unique vulnerabilities a day, with more than 100 of these considered to be critical.

What are the major upcoming cybersecurity priorities for the year ahead?

While the rollout of regulatory frameworks such as the General Data Protection Regulation and the Notifiable Data Breaches scheme has made organisations around the world more accountable for their security practices, there is more to be done.

Organisations this year must ensure security strategies address the emerging risks created by an increasingly connected world.

A recent report by the Ponemon Institute and Tenable found that the majority of organisations surveyed (54 per cent) don’t measure, and therefore don’t understand, the business cost of cyber risk.

This is inhibiting their ability to make risk-based decisions backed by accurate and quantifiable metrics, resulting in a lack of actionable insight for the C-suite and board of directors.

In today’s digital economy, cyber risk equates to business risk.

Failure to accurately assess, manage and reduce this risk over time could have a dire impact on the global economy.

Case in point: the devastating 2017 WannaCry ransomware attack.

Global financial and economic losses are estimated to have exceeded $5 billion after the attack infected over 200,000 computers across 150 countries and brought some of the world’s largest companies to a standstill.

How is cyber risk measured – what are its components and what are some of the common misconceptions of what it does or doesn’t entail?

To accurately measure cyber risk, security teams should adopt strategies such as Cyber Exposure, which helps organisations accurately understand and ultimately reduce risk, giving them the visibility and insight to determine where they’re exposed, what to prioritise based on risk, whether exposure is being reduced over time, and how they stack up against their peers.

This includes identifying the business operations and assets most vulnerable, including OT and IoT assets.

Where many companies fall short is in relying on traditional KPIs for evaluating business risk, such as quarterly scans and/or targeting critical systems alone.

These are insufficient for understanding cyber risk, as they fail to factor in the business cost, lack strategic direction and don’t offer insight into how businesses prioritise risk.
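To make the contrast above concrete, the following is an added example written for this page; it is not Tenable's Cyber Exposure scoring, nor code from the interview or any product. It takes a handful of constructed scan findings, ranks them by a risk score that weights CVSS by business criticality, exploit availability and time left unpatched, and compares the exposure that remains after a fixed remediation budget under that ordering versus a "highest CVSS first" KPI. The field names, weights, asset names and vulnerability IDs are all assumptions made for the illustration.

```python
# Added illustration: risk-based vulnerability prioritisation and a trendable
# exposure number. Scoring weights, field names and the scan data below are
# constructed for this example and are not Tenable's methodology or output.
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str           # placeholder identifier, not a real CVE
    cvss: float            # CVSS base score, 0-10
    exploit_public: bool   # a working exploit is publicly available
    first_seen: date       # when the scanner first reported the finding
    criticality: int       # business criticality 1 (low) .. 5 (crown jewel)


def risk_score(f: Finding, today: date) -> float:
    """Technical severity weighted by business context and exposure time."""
    severity = f.cvss / 10.0
    exploit = 1.5 if f.exploit_public else 1.0
    age_days = (today - f.first_seen).days
    age = 1.0 + min(age_days, 180) / 180.0     # weight doubles after 180 days open
    return severity * f.criticality * exploit * age


def prioritise(findings, today):
    """Remediation order under risk-based prioritisation."""
    return sorted(findings, key=lambda f: risk_score(f, today), reverse=True)


def critical_only(findings):
    """The traditional KPI: order by CVSS alone, ignoring business context."""
    return sorted(findings, key=lambda f: f.cvss, reverse=True)


def total_exposure(findings, today):
    """One number that can be tracked over time: residual risk of open findings."""
    return sum(risk_score(f, today) for f in findings)


def remaining_after(findings, order, budget, today):
    """Exposure left after fixing the first `budget` items of `order`."""
    fixed = {(f.asset, f.vuln_id) for f in order[:budget]}
    still_open = [f for f in findings if (f.asset, f.vuln_id) not in fixed]
    return total_exposure(still_open, today)


def compare_strategies(findings, today, budget=2):
    """Residual exposure after the same patching effort under each strategy."""
    return {
        "before": total_exposure(findings, today),
        "risk_based": remaining_after(findings, prioritise(findings, today), budget, today),
        "cvss_only": remaining_after(findings, critical_only(findings), budget, today),
    }


# Constructed scan output for five assets (not real findings).
TODAY = date(2019, 2, 5)
FINDINGS = [
    Finding("dc01",    "v1", 7.5, True,  date(2018, 11, 7),  5),  # domain controller
    Finding("lab-vm",  "v2", 9.8, False, date(2019, 2, 1),   1),  # throwaway test box
    Finding("web01",   "v3", 9.8, True,  date(2019, 1, 30),  4),  # public web server
    Finding("hr-app",  "v4", 5.3, False, date(2018, 6, 1),   3),  # long-unpatched internal app
    Finding("printer", "v5", 9.1, False, date(2018, 12, 20), 1),  # isolated printer
]

if __name__ == "__main__":
    for f in prioritise(FINDINGS, TODAY):
        print(f"{f.asset:8} CVSS {f.cvss:4}  risk {risk_score(f, TODAY):5.2f}")
    print(compare_strategies(FINDINGS, TODAY))
```

With this data the CVSS-only ordering spends its two-fix budget on a lab VM and the web server, leaving the exploitable domain-controller finding open; the risk-based ordering fixes the domain controller and the web server first and leaves less than half the residual exposure. The same `total_exposure` figure, recorded after each scan, is the kind of over-time measure the interview describes, as opposed to a count of "criticals" from a quarterly scan.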

What are the threats that nation-states and enterprises need to be more aware of – are there any region-specific ones and why?

One of the biggest threats facing organisations is the exploitation of poor cyber hygiene.

Cybercriminals would prefer to take advantage of the low-hanging fruit in a network rather than find and exploit a 0-day vulnerability.

The vast majority of breaches are the result of known, but unpatched vulnerabilities or poor identity management practices.
