Assessing Your Cyber Risk Impact: Intent vs. Opportunity

Cybersecurity is no longer just a concern for large corporations and government entities. One of the largest attack surfaces today is healthcare where facilities rely on ease of access and fast sharing of data to facilitate immediate and effective care.

Breaches in healthcare are occurring more frequently than ever before. According to HIPAA Journal, an estimated 494 data breaches of more than 500 records were reported to the HHS’ Office for Civil Rights in 2019. Additionally, more than 41 million records were stolen, and/or disclosed without permission last year. As of November 2019, the healthcare industry accounted for four out of five data breaches, with predictions that 2020 could be a record-breaking year. The financial impact also hurts the healthcare industry, with costs from those breaches estimated to reach approximately $4 billion in 2020.

Given these escalating stats, there is no such thing as out of bounds businesses in the cyber threat world. The only real question is whether your organization is a target of opportunity or intent. A target of intent is one that an attacker is seeking to cause notable impact, while a target of opportunity is one that an attacker is simply exploiting in order to get to their real target.

Attackers, especially those driven by geopolitical motives, are looking for disruptive impact and notoriety. While healthcare is an obvious target of intent for attackers looking to cause tangible impact, they typically will not attack these entities directly due to the higher risk of detection. This is where the targets of opportunity come into play.

An attacker looks for existing trusted connections with their end targets. For example, an experienced thief may not attempt to rob a bank directly through the front doors, but rather looks to see if there is a way in through a trusted connection such as a connected building that shares a ceiling or some other form of less visible entry. In the digital world, this means observing who their end targets are connected to and how those connections are implemented, monitored and leveraged.

Companies rely heavily on digital connections with their vendors, partners, service providers and customers. These connections present potential risks on all sides. A supplier who has a connection to a medical facility for billing may serve as an optimal target of opportunity for an attacker to gain access to the facility’s patient information, details of upcoming procedures and scheduling, supply orders and even physical power and/or HVAC capabilities.

Small to medium-sized businesses are frequently targeted by phishing attacks. The attacker’s intent is to set up a presence on their network to gain access to larger businesses with whom they may have connections. Alternatively, larger entities need to assess not only how they connect with these other businesses but also how their network is designed to prevent these attacks from moving forward should a partner connection be compromised. This means taking a holistic approach to reviewing their network visibility, how it’s constructed, segmented and used. Simply purchasing a new security tool will not improve your security risk posture if you have abundant faults in your IT implementation and utilization.

To assess your risk and impact, here are some questions your organization should consider:

  • Is your network segmented properly?
  • Do you have the right controls in place to limit permissions?
  • Are you able to detect and respond to attacks?
  • Can you enforce the policies you have written and do those policies make sense?
  • Have you built the right security culture within your company to prevent the exploitation of your people?
  • What do you have that would be of value to an attacker?
  • Do you know what activity is normal for your network?

These are just some of the questions that must be asked when assessing your risk and impact. If you are not pursuing answers to these questions, then you are exposing your business and those you do business with to unnecessary risk. To mitigate risk, every organization should be breaking down silos and self-centric thinking and considering the world outside your business to determine what impact we have on each other.

Author: Joshua Maberry | Director of Customer Success, CRITICALSTART

Featured in TechNation | April 30, 2020

Newsletter Signup

Stay up-to-date on the latest resources and news from CRITICALSTART.
Join us at RSA Conference - booth #449 South!
This is default text for notification bar