Not all cyber risk is created equal

As Australian organisations continue to expand their digital footprints to embrace artificial intelligence, cybersecurity teams are faced with a growing attack surface and an overwhelming number of potential threats. While many focus on threat detection and response, the key to mitigating cyber exposure lies in preventing breaches before they happen. This requires a shift from traditional security silos to a holistic and attacker-centric approach.

The primary goal of any cybersecurity strategy is to reduce risk, but not all risk is created equal. It’s not enough to simply detect and respond to threats; security teams must also understand where their cyber exposure lies in order to prioritise risks that could lead to real, impactful threats materialising. Cyber exposure refers to the potential negative consequences of a breach on an organisation, such as lost revenue, compromised data or operational disruptions. Preventing exposure before it leads to significant material impact is essential for businesses, government agencies and service providers alike.

The September 2022 Optus breach, which exposed the personal data of 9.8 million customers, highlights the danger of siloed security practices. Hackers exploited an unsecured API endpoint, bypassing existing defences to access sensitive information, including passport and driver’s licence details. This incident reveals how focusing solely on threat detection is insufficient. Instead, organisations must adopt an integrated approach to security that proactively addresses vulnerabilities, misconfigurations and risky entitlements before they become attack vectors.

When evaluating cyber exposure that directly correlates to business risk, there are three key characteristics to consider:

1. Preventable: Most breaches begin with a preventable risk, such as a misconfiguration, a vulnerability or excessive privilege. Addressing these issues early is the first line of defence.
2. Exploitable: For a risk to become a threat, it must be exploitable. This could involve existing exploit code for vulnerabilities or weak identity protections, such as a lack of multi-factor authentication.
3. Impactful: The ultimate measure of risk is the potential impact on the organisation’s mission. Risks that could lead to lost revenue, data breaches or operational downtime should be prioritised.

Armed with this understanding, organisations can move beyond traditional security approaches and achieve better business resilience by managing exposure before a breach occurs. There are five clear steps to successfully prioritise and remediate business exposure.

Step 1: Know your attack surface

With AI, cloud, IoT and remote work expanding entry points for attackers, only 62% of an organisation’s attack surface is typically known. Even one unsecured device or weak password can grant attackers initial access. To mitigate risk, organisations need complete visibility of their internal and external attack surface by unifying asset and identity data into one single inventory.

Step 2: Identify all preventable risks

Most attacks exploit preventable risks like misconfigurations or excessive privileges, but these risks are often scattered across different tools.

Organisations must centralise and standardise this data to understand total exposure, enabling teams to take action before attackers exploit vulnerabilities.

Step 3: Align with business context

Understaffed teams and alert fatigue can lead to missed threats.

To prioritise effectively, organisations should focus on assets critical to business functions, like revenue services or sensitive data. This ensures attention to the ‘crown jewels’ while deprioritising less important assets.

Step 4: Remediate true exposure

Attackers seek lateral movement paths, where a single vulnerability can lead to high-value targets.

By understanding the relationships between assets, identities and risks, security teams can prioritise and remediate the attack paths that pose the greatest threat to critical assets.

Step 5: Continuously optimise investments

Despite heavy investments, many organisations can’t answer the question “How secure are we?”. With budget and staffing constraints, it’s crucial to measure exposure across business functions, technology or compliance requirements. A holistic view of exposure enables better allocation of resources and clearer communication to stakeholders.

By following these five steps, organisations can prioritise true business exposure, aligning cybersecurity efforts with the things that matter most: protecting customer data, ensuring operational continuity and preserving revenue streams.

Image credit: iStock.com/marchmeena29