The Cyber Threats from “Unknown Assets”

When Donald Rumsfeld spoke about “known knowns”, “known unknowns” and “unknown unknowns” he was widely mocked.

The comments by the then defence secretary for George W Bush, about evidence linking the Iraq government with the supply of weapons of mass destruction to terrorist groups, baffled many. But despite the convoluted syntax, the gist of what Rumsfeld was saying (that there are things we know we don’t know, and things we have no idea even exist) is a theory for assessing threats widely used in military intelligence and business.

It’s also often used in cybersecurity, which is now classed as one of the world’s top risks according to the World Economic Forum.

In fact, the cybersecurity risk has become so serious that the theft of information around the world has become more common than the theft of physical assets, according to global research published in January.

86% of companies surveyed by Kroll said that they had at least one cyber incident in 2017.

Cybersecurity risks are multiplying, and becoming increasingly devious and sophisticated (whether it’s malware, computer viruses, phishing or organised criminal gangs using social engineering).

The WannaCry cyber-attack last year (malware that affected hundreds of thousands of computers around the world, and caused serious disruption to the UK’s National Health Service and large companies including FedEx), was one the most destructive of its kind yet.

Shadow IT: forgotten systems

It’s hard to keep up with all cybersecurity threats, but your business can be better prepared for them if you have an accurate and up-to-date view of all your IT systems. After all, how can you protect what you can’t see?

Keeping sight of your IT network (including servers, databases, operating systems, apps, and cloud-based systems) can be hard. Like a household that accumulates stuff over decades of house moves, birthdays and purchases, businesses accumulate IT through mergers and acquisitions, software licensing deals and outsourcing.

Large, global companies will have hundreds, or even thousands, of IT systems — in different countries and continents.

Some ‘legacy’ systems can be up to forty years old. Their age can make them hard to update and keep secure − for example, by applying security patches.

Internet of Things

New technology creates different cybersecurity challenges. Take the Internet of Things (IoT): devices ranging from fridges and televisions to industrial sensors are now connected to the Internet and have the ability to communicate with each other. There are more than 23 billion IoT devices in the world, according to one estimate by Statistics.com. By 2025, there will be about 75 billion, the site estimates.

The sheer number of these devices can make them hard to monitor for cyber threats and business managers are worried about the possibility of cyber-attacks on IoT devices, according to global research by the Ponemon Institute.

The research, done in partnership with Shared Assessments (an industry-standard body for third-party risk assurance), found that 97% of respondents in public and private-sector organisations said that it was likely that a data breach or cyber-attack related to unsecured IoT devices could be catastrophic for the organisation.

81% said that a data breach caused by an unsecured IoT device was likely to occur in the next two years.

Despite these worries, only 29% of about 600 respondents said their organisations

actively monitored the security risks of IoT devices used by third parties. The rapid growth in smartphones in the last decade has also created new challenges for corporate IT security.

In effect, employees now have a computer in their pocket, a computer which can act as a way in to a company’s IT network.

Securing supply chains

It can be hard to control and secure devices that employees connect to your network, but at least employees are directly accountable to you and easy to contact. The same cannot be said for large and sprawling supply chains, which some IT security experts reckon are the biggest IT security risk for businesses.

As the Information Security Forum (an independent, not-for-profit organisation) has noted, valuable and sensitive information is often shared with suppliers and, when that information is shared, direct control is lost. This leads to an increased risk of its confidentiality, integrity or availability being compromised.

If your business relies on third parties (such as outsourced or cloud-based technology services), you’re still accountable for protecting the security of those services.

The UK government’s National Cyber Security Centre has published guidance on supply-chain IT security, including the main risks and suggestions for mitigating them. For example, if a supplier is key to your supply chain security, require them to give you regular reports about their IT security, and confirmation that they comply with your risk-management policies. Include a ‘right to audit’ a supplier’s IT security in the contract, although this may not be possible for a cloud-based IT service.

(We can help your business comply with the UK’s National Cyber Security Programme with our Cyber Essentials assessment)

Cybersecurity threats are constantly evolving but some principles of information security are timeless.

Our Estate Discovery service has been designed to identify an organisation’s Internet-facing assets, by (ethically, and with your permission), using techniques available to attackers.

Our proprietary technology can create a full asset register for you, comprising all the systems, domain names and IP addresses that make up your estate.

Once you have a comprehensive map of your IT estate, our security experts will help you think strategically about securing it. Helping you focus your budget effectively and implement improvements tailored to the specific needs of your organisation.