How to Quantify Cyber Threats as a CISO in 2020


The recently released Internet Organised Crime Threat Assessment (IOCTA) for 2019 by Europol shows that the threat landscape has matured, and key threats have grown in persistence and tenacity. 

The report confirms that destructive ransomware threat remains high. Phishing, spear-phishing, and vulnerable remote desktop protocols have been identified as the primary infection vectors. 

Such a threat landscape requires continuous efforts in the identification of main cyber threats to the organization and how much damage they can do. 

CISOs need to be prepared for 2020 and coordinate their security efforts with the board and their company goals. 

Communicating cyber threats in the board’s language—exact figures and business impact—requires a way to quantify these threats. 

To quantify these cyber threats, CISOs require greater access to the organization’s key financial data and other indicators.   

#1 Identifying the biggest threats and their financial impact on the company 

Identification of the largest cyber threats seems to be the biggest hurdle in presenting cyber risk and exposure, mainly due to the fragmentation of digital solutions in organizations.

According to Deloitte’s Future of Cyber Survey, 41% of CISOs state that Shadow IT presents the most challenging aspect of cybersecurity management in the organization, followed closely by 37% of CISOs stating that cyber transformation presents a large challenge.

Shadow IT makes it challenging to quantify cyber risk, as there is no overview of all systems. This makes it next to impossible to get a good snapshot of organizational cyber maturity or security posture. 

When the departments integrate digital solutions on their own, there is no alignment of IT with critical business goals. 

How does it relate to quantifying cyber threats? 

The board requires a good overview of the maximum potential threat so they can make the right risk assessments. Getting Shadow IT under control is the primary objective in order to deliver such assessments. 

Simply saying the largest cyber risk (such as data leakage or breach) will cost the company millions, destroy it, or have far-reaching consequences is not enough anymore. 

How much would the cyber incident cost if left as is? 

How much would your solution cost? 

How much exposure would remain after implementing the solution? 

Would your solution be a sound decision, from a financial standpoint?

Speak in actual numbers that affect the company, not industry averages.

 

#2 Getting access to the company turnover figures

Back in the day, CTOs and sysadmins, as they were called in smaller companies, had nothing to do with turnover figures or any type of financial statements outside of the realm of IT. Times have changed, and nowadays, cybersecurity is an integral part of every company. 

With digital systems running in every department, the CISO requires a full overview of each of them to devise a data and information security strategy that will minimise risk and make the organisation more resilient to threats. 

How does it relate to quantifying cyber threats? 

Nowadays, CISOs must have access to company turnover figures in order to be able to quantify risk in terms that the board will understand. If the board wants to talk about cyber threat risk figures, you must show them how cyber threats will affect the organisation’s turnover. 

The profit/loss reports would give better insight, but these are impossible to get if you’re not in a directorial position. Instead, focus on getting company turnover numbers to build your case.

 

#3 Presenting the impact of technology issues on employees 

To get a clearer picture of how a cybersecurity incident will affect employees, it’s best to separate users as high, medium, and low impact. 

Technology issues won’t affect all users in the company in the same manner. 

Some will experience only mild inconveniences but be able to continue working. 

Some won’t be affected at all.

Some, however, won’t be able to do a single thing until the issue is resolved. 

How does this relate to quantifying cyber threats? 

Quantifying the impact of cyber risk depends heavily on how your operations will take a blow. When you have a clear picture of how dependent your users are on technology, you will be able to calculate the impact. 

If users can’t do their job at all—high impact users—it means their operations are standing still, which makes the risk and its cost greater. 

If users aren’t that affected, the cost will be lower too.

 

#4 Presenting the financial impact of “downtime” on the company’s salaries 

The amount of high, medium, and low impact users determines more than just the extent of the impact. It also shows how much downtime will cost in terms of salaries—how much it will cost the organization that these employees won’t be able to work. 

How does this relate to quantifying cyber threats? 

Even if employees can’t work because of the security incident that needs to be resolved, they will still get their salary for the day. How much will this add to the total cost of the security incident? 

You don’t need exact figures for every possible employee you hire, of course, but having an idea of salary averages will help you determine this cost. 

To get some idea on salary figures, ask the CFO or somebody in the financial department. You might even want to use external resources that can give you averages, such as Glassdoor.

 

#5 Determining the financial impact of “downtime” on the company’s sales 

Most of the time, cybersecurity incidents have the greatest impact on company sales, since the sales processes are heavily dependent on technology. Your e-commerce stores won’t bring you any sales if the servers are under attack or if payment processing is down. 

How does this relate to quantifying cyber threats? 

While sales aren’t your responsibility, the impact of cyber threats on sales falls within your role. CISOs have the responsibility to communicate the impact of cyber threats on sales and present the costs of worst-case scenarios. 

How many turnover days will the company lose in case of threat X? 

Within each turnover day, what percentage of sales will go down the drain? 

What is the chance of losing market positioning in case of threat X?

To provide relevant numbers, you must include the Sales team, and any other team related to sales to give you the required information on how market positioning and sales will be affected in worst-case scenarios.

 

What is the financial impact of IT regulations? 

Information and data are top targets of cyberattacks, and all companies are under strict regulations on how to protect it, no matter what industry you are in. 

Take GDPR as an example—the data protection act lists extremely high fines for companies that do not take necessary measures when it comes to personally identifiable information (PII). 

How does this relate to quantifying cyber threats? 

CISOs must quantify the impact of all regulations pertaining to the company in worst-case scenarios. The GDPR, for example, has extremely high fines: in case of a data breach, the company might face a fine of 20 million euros or 4% of its annual revenue, whichever is greater, and this must be included in the potential financial impact of cyber threats. 

Most companies won’t stand a chance of recovery from such high fines.

 

What is the efficiency of my solutions against the biggest cyber threats? 

After presenting the cyber threats that are most likely to affect the company, CISOs must also present the solutions. To sell the solutions, you must quantify them too: their immediate and annual costs, in comparison to the costs of the threat they are solving. 

In addition, there is also the efficiency factor of the solution—how much of the risk will it mitigate, and how much exposure would remain? 

The efficiency of the solution depends on the threat type and environment. Is it on-premises? Is it in the cloud? 

There are very few scenarios where a cyber solution will have 100% efficiency, so decision-makers need to see the exposure left and weigh up the risk factor themselves. 

How does this relate to quantifying cyber threats? 

The reason why CISOs must quantify cyber threats is to put the costs in perspective when compared to the costs of efficient solutions. 

Solution efficiency and cost help them justify investments that will improve the company’s resilience and overall security posture. 

It is likely that CISOs will have more than one solution for mitigating the biggest threats, with each of them having a different efficiency depending on the environment. 

Showing the summed-up costs of solutions versus the cost of a security incident without solutions will help the board understand just how much a security incident can set the company back.
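The sections above describe the building blocks of a quantified threat (salaries paid to high, medium and low impact users who cannot work, lost turnover days, the chance of losing market position, regulatory fines) and how a solution's cost and efficiency set against the unmitigated impact answer the board's four questions. The Python model below is an added example written for this page; it is not Boardish's code or methodology. The formulas, the field names and every sample figure (turnover, headcounts, salaries, days lost, solution cost, efficiency) are assumptions constructed for illustration; only the 20 million euro / 4% fine bracket is taken from the article.

```python
"""Threat impact versus solution cost: an added illustration, not Boardish's code.
Every formula, field name and sample figure below is an assumption constructed
for this example; only the GDPR fine bracket (EUR 20M or 4% of annual turnover,
whichever is greater) is taken from the article."""
from dataclasses import dataclass

WORKDAYS_PER_YEAR = 250  # assumption used to turn annual figures into daily ones


@dataclass
class Company:
    annual_turnover: float
    users: dict  # impact tier -> (headcount, average annual salary); tiers follow the article


@dataclass
class Threat:
    name: str
    turnover_days_lost: float   # days on which sales are disrupted
    sales_loss_pct: float       # share of each disrupted day's sales that is lost
    workdays_lost: dict         # impact tier -> workdays each user in that tier cannot work
    market_loss_chance: float   # probability of losing market position
    market_loss_value: float    # turnover at stake if market position is lost
    regulation_applies: bool    # True when PII exposure puts a regulator fine in scope


def gdpr_maximum_fine(annual_turnover):
    """Fine bracket quoted in the article: the greater of EUR 20M or 4% of turnover."""
    return max(20_000_000.0, 0.04 * annual_turnover)


def salary_loss(company, threat):
    """Salaries still paid on days when a tier's users cannot work at all."""
    total = 0.0
    for tier, (headcount, annual_salary) in company.users.items():
        daily_salary = annual_salary / WORKDAYS_PER_YEAR
        total += headcount * daily_salary * threat.workdays_lost.get(tier, 0)
    return total


def sales_loss(company, threat):
    """Turnover days lost, scaled by the share of sales lost on each of them."""
    daily_turnover = company.annual_turnover / WORKDAYS_PER_YEAR
    return daily_turnover * threat.turnover_days_lost * threat.sales_loss_pct


def market_loss(threat):
    """Expected loss of market position: chance multiplied by turnover at stake."""
    return threat.market_loss_chance * threat.market_loss_value


def regulation_loss(company, threat):
    return gdpr_maximum_fine(company.annual_turnover) if threat.regulation_applies else 0.0


def threat_impact(company, threat):
    """Financial impact of the threat with no mitigation in place, by component."""
    return {
        "salary_loss": salary_loss(company, threat),
        "sales_loss": sales_loss(company, threat),
        "market_loss": market_loss(threat),
        "regulation_loss": regulation_loss(company, threat),
    }


def evaluate_solution(company, threat, solution_annual_cost, efficiency):
    """Set the unmitigated impact against solution cost plus the exposure it leaves.

    efficiency is the share of the impact the solution removes (0.0 to 1.0);
    the remainder stays as residual exposure for decision-makers to weigh."""
    impact = sum(threat_impact(company, threat).values())
    residual = impact * (1.0 - efficiency)
    return {
        "impact_without_solution": impact,
        "solution_cost": solution_annual_cost,
        "residual_exposure": residual,
        "total_with_solution": solution_annual_cost + residual,
        "financially_sound": solution_annual_cost + residual < impact,
    }


# Constructed sample: 1,000 users split into the article's three impact tiers.
SAMPLE_COMPANY = Company(
    annual_turnover=50_000_000.0,
    users={"high": (200, 60_000.0), "medium": (300, 45_000.0), "low": (500, 30_000.0)},
)

# Constructed sample threat: ransomware stops high-impact users for a working week.
RANSOMWARE = Threat(
    name="ransomware",
    turnover_days_lost=5,
    sales_loss_pct=0.8,
    workdays_lost={"high": 5, "medium": 2, "low": 0},
    market_loss_chance=0.10,
    market_loss_value=5_000_000.0,
    regulation_applies=True,
)

if __name__ == "__main__":
    for component, value in threat_impact(SAMPLE_COMPANY, RANSOMWARE).items():
        print(f"{component:>16}: {value:>14,.0f}")
    # assumed solution: 420,000 per year, removing 90% of the impact
    for key, value in evaluate_solution(SAMPLE_COMPANY, RANSOMWARE, 420_000.0, 0.9).items():
        print(f"{key:>24}: {value}")
```

With the constructed figures the regulation component dominates, which is the article's point about GDPR; the `financially_sound` flag is the fourth board question answered in one line, and `residual_exposure` is the figure decision-makers weigh themselves when efficiency is below 100%.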

 

Conclusion: 

For 2020, CISOs must answer critical business questions clearly and speak in exact figures. They must quantify cyber threats and present solutions in terms of how they help maintain critical business strategy and operations. 

With Boardish – boardish.io – CISOs will have access to a tool that helps them quantify cyber threats quickly, without having to deploy anything on-premise or grant access to their systems. 

CISOs must work together with all departments and get all relevant information to present real threats in real numbers. 

Boardish can help them create a snapshot of their company and help them run scenarios of different threats and their financial and market impact. 

Let 2020 be the year of real numbers!


How to Quantify The ACTUAL Cyber Solution Cost For Your IT & Cyber Budget


In many cases, the pricing of cyber security solutions is not clear in the budget, or even worse, it is not an accurate representation of the real cost to the business! Which usually makes your C-Suite (particularly the CFO) extremely unhappy.

But it is our job as cyber security professionals to get to the most precise overall yearly cost of each solution.

We must quantify in order to get approval.

In this article, I am going to use the Microsoft E5 package as an example. It’s

  1. $35 per user monthly
  2. $420 Annually per user
  3. And for our example, we will assume the company has 1000 users.

Therefore the Annual cost of Microsoft E5 for 1000 users is: $420,000

But can you really say to your C-Suite that the Microsoft E5 Solution will cost the company only $420,000?

No! It is not the “REAL” price.

So, what is missing and how do we get to the real/full price?

What is most commonly forgotten is the ‘people power’ for implementing these solutions. So, you need to quantify the hourly rates for both internal employees and external consultants:

  1. Cyber Security Expert (CISO or Equivalent) – mostly for the solution design and architecture.
  2. IT Management Expert – for the IT system design requirements
  3. 3rd Level IT Expert – For Implementation and High-Level Support
  4. 2nd Level IT Expert – Support
  5. 1st Level IT Expert – Support

* Screenshot from the BOARDISH application

With the rates set you’ll need to look at:

  1. How Many Hours annually are required to Design the solution architecture?
  2. How Many Hours annually are required to Deploy the Solution?
  3. How Many hours annually are required to Support the solution in the POC and POV stages?
  4. How Many hours annually are required to Support the solution after moving to production (Day To Day)?

* Screenshot from the BOARDISH application

After you have quantified the initial design cost and the ongoing maintenance cost, then, and only then, will you start to see the real cost of the solution.

Also, it’s important to remember that the amount of “Expert time” depends very much on the ability of your IT & Cyber team and how quickly they can learn. In many cases, the learning time of a new tool can surpass the amount of time to implement it, which can make it even more expensive.
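The steps above (licence price per user, hourly rates for the five roles, annual hours for the four phases, and extra time for learning the tool) are easy to lose track of in a spreadsheet. The Python below is an added example written for this page, not Boardish's own code or application logic. The role list, the phase list, the $35 per user per month figure and the 1000 users are taken from the article; the hourly rates, the hour counts and the learning factor are constructed assumptions.

```python
"""Full yearly cost of a cyber solution: licences plus the 'people power' to design,
deploy and support it. Added example, not Boardish's own code; the role and phase
lists and the E5 figures follow the article, the rates and hours are constructed."""

USERS = 1000                  # from the article's example
E5_MONTHLY_PER_USER = 35.0    # USD per user per month, from the article

# Constructed hourly rates (USD). Role names follow the article's list.
HOURLY_RATES = {
    "cyber_security_expert": 150.0,  # CISO or equivalent: solution design and architecture
    "it_management_expert": 120.0,   # IT system design requirements
    "l3_it_expert": 90.0,            # implementation and high-level support
    "l2_it_expert": 60.0,            # support
    "l1_it_expert": 40.0,            # support
}

# Constructed annual hours per phase and role; phases follow the article's four questions.
PHASE_HOURS = {
    "design":     {"cyber_security_expert": 40, "it_management_expert": 40},
    "deploy":     {"l3_it_expert": 120, "it_management_expert": 20},
    "poc_pov":    {"l3_it_expert": 80, "l2_it_expert": 40},
    "production": {"l3_it_expert": 100, "l2_it_expert": 300, "l1_it_expert": 600},
}


def licence_cost(users, monthly_per_user):
    """Annual licence spend: the figure that usually appears in the budget on its own."""
    return users * monthly_per_user * 12


def people_cost_by_phase(phase_hours, hourly_rates, learning_factor=1.0):
    """Hours x rate per phase. learning_factor > 1 models a team that needs extra
    time to learn the tool, which the article notes can exceed implementation time."""
    return {
        phase: sum(hours * learning_factor * hourly_rates[role] for role, hours in roles.items())
        for phase, roles in phase_hours.items()
    }


def full_solution_cost(users, monthly_per_user, phase_hours, hourly_rates, learning_factor=1.0):
    """Licence cost plus people cost, with the share hidden behind the licence figure."""
    licence = licence_cost(users, monthly_per_user)
    people = people_cost_by_phase(phase_hours, hourly_rates, learning_factor)
    people_total = sum(people.values())
    total = licence + people_total
    return {
        "licence": licence,
        "people_by_phase": people,
        "people_total": people_total,
        "total": total,
        "people_share": people_total / total,
    }


if __name__ == "__main__":
    for factor in (1.0, 2.0):  # 2.0: learning time doubles every hour estimate
        cost = full_solution_cost(USERS, E5_MONTHLY_PER_USER, PHASE_HOURS, HOURLY_RATES, factor)
        print(f"learning factor {factor}: licence {cost['licence']:,.0f}, "
              f"people {cost['people_total']:,.0f}, total {cost['total']:,.0f} "
              f"({cost['people_share']:.0%} people)")
```

Run as-is, the block shows the $420,000 licence figure growing once design, deployment, POC/POV and day-to-day support hours are priced in, and again when the learning factor is applied; `people_share` is the part of the real cost that a licence-only budget line hides from the CFO.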

Once you have the solution cost, we highly recommend showing it as part of your Cyber Security ROI (Return on Investment). Based on our experience, this increased the chances of getting your solution cost approved by the C-Suite by 71%!

In this article below we show you exactly how to do that!

How to show ROI for Cyber Security

Eli Migdal – Co-Founder of Boardish.


What You Need For Career Progression From ‘just’​ a tech person to Technological Management (CISO, CIO, CTO etc.)


As someone who was a “techy” for many years (aka “Installed & Managed Server 2003 with Exchange 2003 (before SP1)” in my early days as a system administrator), I know how tricky the transition from ‘tech’ to ‘management’ is.

In essence, the transition is taking all of your technical knowledge and using it to make smarter business decisions based on technical knowledge, rather than technical decisions based on technical knowledge.

Basically…

Installing and managing “Decisions and Methodology” rather than software and hardware.

When you initially start as a Helpdesk person, Networking Person, or System Administrator etc. your entire focus and terminology are technological. You need to think in “technological” language and provide technological solutions to technological problems.

But, when you climb up the ladder you get more opportunities and responsibilities to interact and ‘troubleshoot’ at an operational level.

This is where many professionals get stuck and struggle to progress in their careers because they don’t adapt their methodology and terminology into ‘business speak.’ They revert to “Technical Solutions for Technical problems”

But I wanted to share 3 ways you can get started transitioning from tech to management that I found useful in career progression.

#1 Research your business (and understand it)

Treat this the same way you would treat technical learning and research when you’re troubleshooting. Talk with your colleagues, and make sure you know the business you are working in/with:

  • What does the business do?
  • What is the vision of the business?
  • Who is the target audience?
  • What is the USP (Unique Selling Proposition) of the business – how does this business differentiate itself?
  • Who are the competitors?
  • What are the biggest challenges the business is facing?
  • What role does technology play in the business function?
  • What technological risks are the biggest right now?
  • How does the business get impacted by these risks?

In Boardish, for example, we also encourage you to look at how many users are impacted by technology and to what degree. We classify them as ‘high, medium, and low’ impact users, meaning the number of employees that will lose significant working capabilities when technology is unavailable (high reliance on technology).

Knowing all of these things is the first step to making meaningful inputs and decisions at management levels and beyond. Particularly if you’re aiming for the CISO position.

#2 – Familiarize yourself with business & risk terminology:

You need to see how technology relates to the business as a function in the macro, rather than the fixes in the ‘micro’ and this means learning and understanding many terms. Particularly if you’re interacting with other departments or decision-makers.

This means stepping outside of the technical and understanding things like:

  • Annual company turnover = The total sales made by a business in a certain period. It’s sometimes referred to as ‘gross revenue’ or ‘income’. This is different from profit, which is a measure of earnings. It’s an important measure of your business’s performance.
  • Market positioning = The competitive advantage of an organization and the ability for your business to influence its customers. Sometimes this is discussed as ‘brand positioning.’

As well as risk terminology (these are taken from our Boardish ecosystem) including:

  1. Market Loss – The number of sales lost as a result of a threat or combination of threats to the organization. 
  2. Sales Loss – The number of sales lost as a result of a threat or combination of threats to the organization. 
  3. Salary Loss – The amount of financial impact on salaries as a result of a threat or combination of threats to the organization
  4. Regulation Loss – The financial impact to the organization in the event of being hit by regulation fines as a result of a threat or combination of threats to the organization. 

#3 – Start evaluating how effective your tech solutions are against threats

You will already know technological risks and threats to the company, e.g. ransomware etc. and you already know your preferred way of protecting against them.

But now it’s time to quantify them for the business.

How effective are your solutions (or combination of solutions) at protecting against these threats? And how much money can you save the business by deploying certain solutions?

Translating tech to business is a key milestone in your career progression that is going to help you get from techy to manager and be more heavily involved at the decision-making level.

Get started by running simulations on Boardish. When you set the TPF (Threat Protection Factor), this is where you find how efficient the solutions are against the threats in financial numbers! Boardish Basic is completely free for you to test and experiment with yourself as you get to grips with the new terminology and knowledge and make the steps towards speaking the language of the business.

Sign up to Boardish here: https://app.boardish.io/login

Learn more about Boardish: https://www.boardish.io/

Eli Migdal – Co-Founder of Boardish.


What To Do When Your IT & Cyber Risk Assessment Priorities Don’t Align With Another Department (A Case Study)​


Doing a Risk Assessment process is one of the critical things that we, as Cyber Security professionals, need to do in order to gain much-needed visibility into the business.

The initial purpose is usually to map the biggest IT & Cyber threats in the company and build a plan on how to mitigate them.

But what do you do when the Risk Assessment does not align with another department?

Sometimes IT & Cyber’s highest priority can be lower than the priority of another department.

(Something that we don’t always want to hear as cyber professionals!)

I want to share an experience from our BOARDISH ecosystem in which a CISO and a Risk Consultant found themselves in exactly this scenario and were able to resolve it quickly and effectively:

Background Info:

  • Large scale, international eyewear manufacturer.
  • More than 50% of the sales are done online via Ecommerce sites
  • Large database of globally located customer information which includes:
  • Relatively high (when compared to other competitors) Cost of Customer Acquisition (CAC)
  • The company did NOT have any large scale Data Breaches
  • The company DID have several website downtime incidents

The Challenge – Part 1 :

The CISO and the Risk Consultant arrived at the conclusion that a Data Breach is the highest-ranking Risk for the company.

The logic for the decision, following a NIST-based Risk Assessment (a version adjusted for the European market), was:

  • The large database of customers includes European customers and is therefore highly impacted by GDPR.
  • High customer acquisition cost (CAC) which makes the customer database very lucrative for competitors.
  • Lack of high-quality cybersecurity tools/infrastructure, specifically a lack of encryption for unstructured information.

The Challenge – Part 2:

When presenting the Risk Assessment to the C-Suite (the meeting was led by the CFO and COO) and requesting budget for the mitigation process, a hard pushback came from the Marketing & Sales Department regarding the CISO’s Risk Assessment.

The Head of Marketing & Sales said very clearly that they don’t agree with the CISO’s Risk Assessment: “The website suffering from downtime should be the highest priority for IT & Cyber to fix.”

The Head of Marketing & Sales was pushing hard that any new budgets should be allocated to increasing the strength of the website, making it more robust to reduce the risk of “downtime” because of the key role it plays in acquiring customers, which has a direct impact on sales.

Both CISO and Head of Marketing & Sales used “Risk Scores”, “Risk Priorities” , “Risk Matrix” – everything was discussed in “Risk Language”, each advocating for their own “side”.

The Challenge – Part 3 (From the perspective of the Board / C-Suite):

Imagine yourself being in the decision-maker’s shoes:

  • You have your CISO and Risk Consultant advocating for budget allocation for “Data Breach”, being the highest risk, and budget should go to protection tools against that threat.
  • You have your Head of Marketing & Sales advocating that the website being down is the highest risk and all the budget should go to making the site more robust.

But Risk Scores, Risk Priorities, and Risk Matrices are all subjective! When you measure the risk of a website downtime to marketing it’s a high risk to their function, but is it high to the company? Does a high risk of data breach really impact the company in the industry they operate in, and is that impact higher than the website being down?

These are all questions that couldn’t be answered with the data given, so the CFO requested a more detailed report from both parties because making an educated, smart decision in that phase was near impossible.

So, what does this look like?

The Solution:

The CISO understood that it isn’t the smart move to start “arguing” with the Head of Marketing & Sales and the smart and professional move is to sit down with him and understand his entire Risk Assessment process.

The CISO saw that from the Marketing & Sales perspective the website being down is the “worst-case scenario”, but also saw that Marketing & Sales were not really aware of MOST of the risks that the CISO is responsible for. 

It was clear that the Risk Assessment results required a Common Denominator, so both decided to translate their Risk Assessments into financial figures. Translating the risk into money.

In order for both sides to understand which Risk is really the most dangerous for the business, they needed to translate Risk into Financial figures (Risk into Money). A common denominator that wasn’t subjective.

They used the BOARDISH Methodology to quantify the main threats:

  • Data Breach
  • Website downtime

For each threat, they inputted together, with full transparency, the following information:

  • What is the “Chance of losing the market position” from the specific threat – including reputational loss, branding etc?
  • How many Turnover days will be lost from each threat?
  • How many Workdays will be lost from each threat?
  • What is the regulation impact, financially from each threat?

All the information was fed into the Boardish system with the company information (like Turnover, number of employees etc.) and the results were crystal clear:

Data Breach had 2.5X the financial impact on the business compared to Website Downtime.

  • The main reasons for the high figure were Market Loss and Regulations, while “Downtime” only impacted specific Sales, limited branding and reputation, and a slight temporary increase in CAC.

The process was done TOGETHER with the Head of Marketing & Sales, who later on admitted that he was just not aware of all the risk factors that CISOs are responsible for, as well as the financial impact on the organization.

A Joint Meeting with the CFO and COO was done in which the Boardish information was shown, including “how did we get to those numbers exactly” (they shared the Boardish Wizard).

The Outcome:

The IT & Cyber Budget was approved.

The CFO and COO requested all the departments to start quantifying Risk when they are requesting Budgets going forward because it’s ‘easier to make a decision.’

The CISO is now working more closely with the remaining departments, has much better visibility into the challenges, and furthermore has more solutions to offer the entire company.

To sum up:

Take your Risk Assessment > Quantify the Risk into Money > Achieve a Common Denominator with other departments so you can speak with all your colleagues in the same language > Present to your Board > get a decision.

Remember, you don’t have to work against other departments as a cyber professional! Boardish allows you to quantify your risks so you can clearly see the business importance and let decision-makers make a decision.

If you want to try Boardish for yourself, sign up is completely free here: https://boardish.io/

Eli Migdal – Co-Founder of Boardish


Boardish Partners with 360inControl®️


Boardish, a cyber risk quantification tool, and 360inControl®️, a new generation of internal control system (ICS), have announced the start of their partnership that will help provide a full risk management and control solution for CISOs around the globe. 

Bringing Together Risk Discovery and Risk Quantification

360inControl®️ helps companies create a detailed inventory of all information they have, classify it accordingly, and assess the current risk levels. Boardish, on the other hand, transforms this information into financial figures that help CISOs communicate risk and solutions effectively with the board and decision-makers.

Andreas von Grebmer, co-founder of 360inControl®️, Information Security & Risk Advisor, and CISO explains that the partnership is a step in the right direction: 

“It’s logical for 360inControl®️ and Boardish to work together, since our services complement each other rather than compete against one another. While 360inControl®️ offers risk assessment through master data management and defining values for likelihood and impact of various risks, Boardish complements this beautifully by putting actual figures on all threats and risk levels.”

Eli Migdal, co-founder of Boardish, greeted the business partnership: 

“Boardish has been particularly selective about who we work with, and so this just shows the calibre of 360inControl®️ and their product. They have a truly wholesome solution that detects and keeps track of all types of data the company works with, which makes risk assessment and quantification much easier.”

Bringing CISOs a Full Risk Management Solution

The most important point here is that Boardish and 360inControl®️ currently have no integration between each other, but will still be able to provide a full service to any CISO who needs a clearer picture of the cybersecurity landscape. 

The partnership between Boardish and 360inControl®️ encompasses the whole journey: from risk awareness and risk discovery, to clear communication with the board and fast-tracking their approval.

Full-service Partnership Is the Next Step 

The business partnership is just the start, with Andreas and Eli confirming they will likely become service partners as well. By becoming service partners, they would share resources, enabling them to get a better overview of cybersecurity and improve their tools even more. In addition, they would also release joint case studies for existing customers, helping CISOs get a good picture of just how much faster they could implement solutions by using these tools.

Ultimately, this would usher in a new age of a complete vulnerability assessment and remediation process for CISOs.

Learn more about Boardish here

Learn more about 360inControl®️ here.


Updating Your DR/BCP with Quantifiable Figures For Covid-19 (For FREE With Boardish)


*Written by co-founder Eli Migdal, and first appeared on his personal Linkedin here

Covid-19 is forcing many companies to re-evaluate their Disaster Recovery (DR) and Business Continuity Plans (BCP).

Previously DR and BCP were mostly focused around natural disasters like earthquakes, floods, and in some cases like my home country of Israel, rocket fires or a state of war.

Until now, the solution for most disaster recovery scenarios was a ‘remote site’, whose size usually depended on the size and requirements of the company.

I have personally designed and had the unique experience of testing real-life BCP plans that provided a solution for “Rocket Fire/State of War” which required the critical people of the organization to fully work from a remote site and in one scenario even focus the core of business to another country!

But with Covid-19 it is different: it has several new vectors that need to be updated in your DR / BCP!

  1. Social Distancing – The instruction not to gather groups of people in one location means that “remote sites” are not a viable solution. Regardless of the site location, you can’t go to work.
  2. Global Impact – Most DR scenarios are focused around a region or, worst case, a country. But in this case, the impact is global, so not only will shifting your key people to another country not work, but you may also have to adjust your operations across multiple countries at once.
  3. Lack of Preparation – Working from home became one of the only solutions, but it also brought up several challenges: poor security, home-grade networking equipment not “cutting it”, and home-grade bandwidth not being sufficient.

So these new risk factors/vectors need to be included in our Disaster Recovery, and Business Continuity Plans. We need to quantify them so we can actually make a decision based on the financial impact they will cause.

Using the free version of Boardish (boardish.io) you are able to quantify the exact metric for each threat, and the impact of that on your business.

For example, using the “Main site is not accessible” threat. What are the questions you should ask yourself when quantifying?

  1. What is the chance of losing market positioning?
  2. How many turnover days will you lose? (And what percentage of the productivity is lost: for example, will you lose 100% of turnover, or will you keep some operations running at 60%?)
  3. And how many workdays are lost for each type of employee? That will depend on those who are highly impacted by technology or not*.

*An important note: a threat like “main site not being accessible” has a very unique characterization to it. The “Low impact users” (those who are less reliant on technology) will be affected in higher numbers. For example, your high impact users (high technological reliance) will have a laptop or VPN, so the threat impact on them is ‘low’, but your ‘low impact users’ (low technological reliance) will be impacted more because there is no technological solution for them, so they will lose more workdays.

(This is the exact opposite from quantifying the Ransomware threat because the users who are heavily reliant on technology will be impacted the most)

Then select your Solutions, for example below:

Set the efficiency of the solution against the threat, for example below:

Define how many human resources do you need for each Solution:

Define the regulation impact (usually very low or none in this scenario) and get your dashboard. Using this info will make it very EASY to quantify your DR / BCP plan and get it approved quickly by decision-makers.
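The note above makes a point that is easy to get backwards in a DR/BCP update: for “main site not accessible” the low impact users lose the most workdays, while for ransomware the high impact users do. The Python below is an added example written for this page, not Boardish's code; it computes person-days and salary lost per tier for both threat profiles and reports which tier dominates each. The tier names follow the article; the headcounts, salaries and days-lost figures are constructed assumptions.

```python
"""Workday loss by impact tier for two threats with opposite profiles.
Added example, not Boardish's code; headcounts, salaries and days lost are
constructed. Tier names (high/medium/low technological reliance) follow the article."""

WORKDAYS_PER_YEAR = 250  # assumption used to derive a daily salary

# Constructed headcounts and average annual salaries per tier
USERS = {
    "high":   {"headcount": 200, "annual_salary": 60_000.0},
    "medium": {"headcount": 300, "annual_salary": 45_000.0},
    "low":    {"headcount": 500, "annual_salary": 30_000.0},
}

# Constructed profiles: workdays each user in a tier cannot work during the incident.
THREAT_PROFILES = {
    # Main site inaccessible: laptop/VPN users carry on, low-reliance users have no fallback.
    "main_site_not_accessible": {"high": 1, "medium": 3, "low": 10},
    # Ransomware: the tiers that depend most on technology lose the most days.
    "ransomware": {"high": 10, "medium": 5, "low": 2},
}


def workdays_lost_by_tier(users, profile):
    """Person-days of work lost per tier (headcount x days each user is idle)."""
    return {tier: users[tier]["headcount"] * days for tier, days in profile.items()}


def salary_loss_by_tier(users, profile):
    """Salary paid for lost person-days, per tier."""
    return {
        tier: person_days * users[tier]["annual_salary"] / WORKDAYS_PER_YEAR
        for tier, person_days in workdays_lost_by_tier(users, profile).items()
    }


def dominant_tier(users, profile):
    """Tier contributing most of the salary loss; this flips between the two threats."""
    losses = salary_loss_by_tier(users, profile)
    return max(losses, key=losses.get)


def compare_profiles(users, profiles):
    """Totals and dominant tier for each threat profile, ready for a DR/BCP table."""
    return {
        name: {
            "workdays_lost": sum(workdays_lost_by_tier(users, p).values()),
            "salary_loss": sum(salary_loss_by_tier(users, p).values()),
            "dominant_tier": dominant_tier(users, p),
        }
        for name, p in profiles.items()
    }


if __name__ == "__main__":
    for name, result in compare_profiles(USERS, THREAT_PROFILES).items():
        print(f"{name}: {result['workdays_lost']:,} person-days lost, "
              f"salary loss {result['salary_loss']:,.0f}, "
              f"dominated by {result['dominant_tier']} impact users")
```

The same headcounts produce a different dominant tier for each threat, which is why a DR/BCP update cannot reuse the workday assumptions from a ransomware scenario; the low tier is large and has no technological fallback, so it drives the site-inaccessible figure even though each of its users costs less per day.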

Try Boardish for free here: https://boardish.io/

Best,

Eli Migdal – the Founder of Boardish.

Update your disaster recovery for COVID-19

As well as your business continuity plan with actionable financial figures

IT & Cyber Essentials For Working Remotely

*This post is written by our co-founder and originally posted on LinkedIn here

Allowing remote working is one of the biggest requirements in the IT & cyber world right now.

Our March 2020 Boardish Analytics report (https://boardish.io/monthly-analytical-cyber-reports) shows us that “Immobility” has the highest increase of all threat counts for this month, with an increase of 42%.

We decided to share some of the basic essentials to allow remote working in a secure way:

IAM Solutions ( Identity Access Management ):

Mainly when working on cloud solutions / SaaS, enabling IAM features makes the difference between working remotely and working remotely in a secure way.

  • Enable MFA (Multi-Factor Authentication). If you haven’t done so yet, no excuses: without it your identity WILL BE HACKED.
  • Use geographical limitations: enable login only from locations in which you have a business need to work.
  • Connect DEVICE to USER: bind each device to its user. Once you have this, you can even allow some access from BYOD devices, provided you can verify they meet the basic required level of security.
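The three controls above are easiest to reason about as a policy run over real sign-in logs. The following Python is an added example, not code from the original post or from any identity provider: it evaluates constructed sign-in events (the field names, user and device names, and the country allowlist are all assumptions) against an MFA requirement, a geographic allowlist and a device-to-user binding, with the BYOD exception granted only when the device reports as compliant.

```python
"""Check sign-in events against three IAM controls: MFA, geographic
restriction and device-to-user binding.

Added illustrative code, not a vendor's conditional-access engine. The
policy values, users, devices and log lines are constructed, and the event
field names are assumptions rather than a real identity provider's schema.
"""
import json

POLICY = {
    "require_mfa": True,
    # Countries with a business reason to sign in from; everything else is denied.
    "allowed_countries": {"GB", "IL"},
    # Corporate devices bound to each user.
    "registered_devices": {"alice": {"LT-0142"}, "bob": {"LT-0077"}},
    # BYOD is tolerated only when the device reports as compliant
    # (disk encryption, patch level, endpoint protection).
    "byod_allowed_if_compliant": True,
}

# Constructed sign-in log, one JSON event per line.
SAMPLE_LOG = """
{"user": "alice", "device_id": "LT-0142", "country": "GB", "mfa_passed": true}
{"user": "alice", "device_id": "LT-0142", "country": "GB", "mfa_passed": false}
{"user": "bob",   "device_id": "LT-0077", "country": "US", "mfa_passed": true}
{"user": "bob",   "device_id": "HOME-PC", "country": "GB", "mfa_passed": true, "byod": true, "device_compliant": true}
{"user": "bob",   "device_id": "HOME-PC", "country": "IL", "mfa_passed": true, "byod": true, "device_compliant": false}
{"user": "carol", "device_id": "LT-0142", "country": "GB", "mfa_passed": true}
""".strip()


def evaluate_signin(event, policy=POLICY):
    """Return ("allow" | "deny", [reasons]).

    Every control is evaluated, so the log records each failed check
    rather than only the first one.
    """
    reasons = []
    if policy["require_mfa"] and not event.get("mfa_passed", False):
        reasons.append("mfa_missing")
    if event.get("country") not in policy["allowed_countries"]:
        reasons.append("geo_blocked")
    user = event["user"]
    device = event.get("device_id")
    bound = device in policy["registered_devices"].get(user, set())
    compliant_byod = (event.get("byod", False)
                      and policy["byod_allowed_if_compliant"]
                      and event.get("device_compliant", False))
    if not (bound or compliant_byod):
        # Covers unknown devices and a known device presented by a different user.
        reasons.append("device_not_bound_to_user")
    return ("deny" if reasons else "allow"), reasons


def review_log(log_text, policy=POLICY):
    """Evaluate each JSON line; returns (user, device, decision, reasons) per event."""
    results = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        decision, reasons = evaluate_signin(event, policy)
        results.append((event["user"], event.get("device_id"), decision, reasons))
    return results


if __name__ == "__main__":
    for user, device, decision, reasons in review_log(SAMPLE_LOG):
        print(f"{user:6} {device:8} {decision:5} {', '.join(reasons)}")
```

The last constructed line is the case the device-to-user binding exists for: a corporate laptop registered to one person being used by another is denied even though MFA and location are fine.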

Video Conferencing:

Our March report has also shown us a HUGE spike of 371% in “Video Conferencing” as a solution for most ‘immobility’ threats.

* Note: Before the Coronavirus outbreak – Video Conferencing wasn’t considered a “solution” for IT & Cyber Threats.

Video Conferencing solutions are one of the easiest ways of mitigating the current risk and enable business continuity, both internally and with your clients.

Note that many video conferencing vendors (like Microsoft with Teams) are offering free tiers for this Coronavirus period.

VoIP solutions:

Most current phone systems support VoIP connections, either via applications or devices, so it is now easier than ever to get your phone extension in any location, including your home if required.

Secure Internet Connection:

This is something that is overlooked in many cases when working from home: in most cases, your home router is neither stable enough nor secure enough.

We recommend business-grade routers for the critical employees who are part of your business continuity program; this makes a huge difference to the stability of the connection and, of course, to securing it from unwanted listeners (the router alone does not encrypt traffic to your systems; that is the job of the VPN or VDI connection running over it).

VDI & Terminal Server solutions:

In my professional opinion, this is still one of the best ways to allow access to your sensitive programs in a secure and controlled environment, even if you are connecting from a BYOD device.

The ability to isolate specific software for specific users, combined with IAM, makes VDI one of the best possible remote working solutions.

Even a basic terminal server with a locked-down GPO provides a much more secure environment than working directly on a BYOD computer, and in some cases more functionality than your laptop over a remote connection.

Cloud Security:

Cloud solutions like file-sharing platforms and online email platforms make the perfect “work everywhere” solution; the productivity factor is huge.

The same solutions require additional security, mostly to make sure you can differentiate sensitive information from non-sensitive, and to enforce that only authorised sharing of data occurs.

We see in our Boardish ecosystem that most companies that use cloud security combine it with their IAM to achieve user and data visibility and enforcement.

We highly recommend having visibility into, and the ability to enforce policy on, your users’ (remote and local) cloud activity.

How can you quantify these solutions’ ROI? Use the Boardish methodology; below is a sample dashboard we made.

Immobility is a quantifiable threat.

Quantify it and you are much more likely to get fast approval for solutions. (The free version of Boardish is all you need for this scenario.)

– Eli Migdal – the Founder of Boardish

Quantify Immobility Yourself

Explain why/how your solutions work, to a non-techy audience. 

Boardish Starts White Label BI Roadmap

Boardish Starts White Label BI Roadmap

Boardish has moved from BETA to production! As a tool helping IT and cyber pros quantify cybersecurity risks and solutions for decision-makers, we’re constantly striving to improve the dashboard. And we’ve made a huge step towards a white-label BI solution!

We’ve been asked to white-label Boardish since we were in BETA, and it’s on the roadmap for later this year. However, we’ve already added the logo functionality to customise your dashboard for decision-makers!

“This is a great starting point for vendors and our service partners to share quantification of solutions to potential customers without the Boardish logo and have their own.” – Eli Migdal, Co-Founder

Why go for White Label BI? 

Oftentimes, IT departments in businesses large and small require a solution that helps them create reports and visualise data in ways that can easily be understood by decision-makers of the company. 

Building your own solution isn’t feasible in many cases, as it takes a lot of time and resources, something that many IT departments struggle with. This is where third-party white label BI solutions come in handy. 

Boardish, in particular, provides a powerful tool that can help visualise the impact of unaddressed cyber risk and efficiency of different solutions, in terms that are familiar to decision-makers – financial impact, delays, the bottom line. 

It would take well over six months and huge budgets to build custom in-house BI tools but you can use Boardish in minutes! Especially because it runs in a web app and doesn’t require deployment or integration with current systems. 

Yet a third-party tool might feel unfamiliar, and explaining it takes focus away during meetings.

But the ability to make third-party software look and feel native brings benefits to IT pros and consultants presenting their solutions in front of the board during meetings: 

  • Seeing the company logo when running different scenarios in Boardish brings a sense of familiarity. 
  • The board members won’t be distracted by the tool itself; they will focus on what matters – the data and implications of different threats and solutions.  
  • Increased solution acceptance – cyber risk quantification and solutions won’t feel disjointed but offer the well-known look and feel, so the board members will be more inclined to accept the proposed solution.
  • Company-specific insights – instead of relying on industry data, you work with company data only and present scenarios of cyber threat impact on the specific business, as well as the efficiency of solutions for that specific company. 

In short, Boardish can now help you achieve brand consistency by using its white label BI starter option. 

With our fully white label option coming soon! 

Sign up to Boardish Premium Yearly or Enterprise today to start personalizing your dashboard! 

Start Personalizing your dashboard

Using the first step to White label BI in Boardish for your business! 

Making Sense of AI Cybersecurity Data for Enterprises

CISOs are facing a challenge with AI cyber data points created by software solutions used in their organisation to monitor enterprise security. So, how can they explain the AI cyber data to the executive stakeholders and help improve clarity in their decision making? 

The Problem with AI Cyber Data

Plenty of well-established risk domains, such as credit or market risk, are clear to the board because they are expressed in economic terms—revenue gain/loss, value, and operational costs. 

With cyber risk, the main issue lies in the risk calculation methods—presenting the actual organisational impact to the board is hard without financial numbers to back up claims.

Cybersecurity specialists have started using AI solutions to identify potentially malicious activities and software before they can do lasting damage. These produce tremendous amounts of AI cyber data on detected issues or threats. 

Why It Gets Complicated

AI cybersecurity data helps CISOs present a case in front of the board, but often they can only report what risks were mitigated or potential risks raised and not how much was, or could be, saved in financial terms. 

Making sense of AI cyber data becomes a challenge in itself because key components to calculate financial impact are missing. 

  • CISOs often use qualitative methods to display cyber risk, but these aren’t accurate enough to rely on in crucial decision making, and they lack the means to provide a definitive prioritisation of identified risks.

To demonstrate: risks are ranked on a low, mid, and high scale. How do you quantify and explain how much higher the high risk is than the medium one? How do you argue why some risks are medium instead of high?

  • When using quantitative methods, CISOs use data and events from industry and sector to determine the risk and prioritise cybersecurity solutions. The numbers they rely on are from high-profile breaches that happened recently, with focus on those that have affected organisations similar in size, technology, and inner organisation. But this method is missing a way to demonstrate the actual economic impact on their organisation. 
  • AI solutions used to monitor the organisation are often missing key analytical capabilities. While good at detecting issues and mitigating risk, they cannot show how technology, personnel, processes, and internal policies affect the magnitude and event frequency of each risk or point towards broader systemic issues within the organisation’s security posture.   
  • AI cyber data lacks information on the impact of legal and regulatory changes to the industry. CISOs can only let the executives know that there’s been a change in regulations and that it will be affecting the organisation. Most often, this will require partnering up with the legal team to help with analysis. 

How Can CISOs Get Accurate Numbers for Cyber Risk? 

Organisations must know the figures because they help decide which risks must be addressed first, and they reduce uncertainty when choosing risk mitigation solutions.

Industry-wide data provides just a ballpark figure and isn’t accurate enough. 

CISOs must transform AI cybersecurity data into information the board will understand and know how to work with—this means using actual numbers and financial impact on their organisation. 

The technical data they get from AI solutions is a good start, but they must include regulatory impact and also check and validate the data from AI tools before they go to the board. This is the only way to paint a complete and accurate picture.

Instead of presenting industry events that happened or relying on past incidents, they can use tools that convert AI cyber data from their cyber solutions into actual numbers for security events related to their organisation.

The right tools help them transform the data to financial terms that the executives will understand. This way, they will have an easier time getting approval for cybersecurity investments and defending their risk management decisions.   

More importantly, CISOs must make time to check these numbers regularly as it helps create benchmarks that are based on their data instead of wider industry data, providing the most accurate data points for decision-makers to work with.  

Using AI Cyber Data to Create a Full Picture

The changing nature of the cybersecurity environment and the regulatory framework requires frequent security posture analysis and fine-tuning of the areas where results are lacking. This is only possible by using AI cybersecurity data related to your specific organisation and quantifying it.

Boardish helps you get back control over AI cyber data by quantifying and validating all data before you bring it to the board. 

Get control over your AI data

Explain it in terms they understand, speak Boardish. 

Where to Find Out About Cybersecurity Events


Without a way to identify business cyber threats yourself, you can only wait for an attack, which will cost more than taking a proactive approach. 

This means doing some legwork to keep up with new developments in both cyber threat and solutions.

But where can you find out all the latest developments on cyber threats? 

You can start with data sources that keep track of the common vulnerabilities and exposures (CVEs) – such as official CVE sources, security blogs, publications, groups, and vendors who share news about the latest CVEs.

CISOs struggle to keep up with new cyber threats 

Your primary focus should be CVE news about the vendors and systems your business is currently using, and their severity as rated by the Common Vulnerability Scoring System (CVSS). You must be able to react quickly if the severity rating is high or critical. Treat the CVSS base score as a starting point rather than as your risk: it describes the flaw, not your exposure, so a high-severity issue in a system that is not reachable from the internet may matter less than a medium one in a system that is, and entries that have not yet been scored still need a look.
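As an added illustration (not code from the original post), here is a Python script that does that filtering: it reads an NVD API 2.0-style feed, keeps only the CVEs whose CPE entries match the vendor/product pairs in your own inventory, and orders them by CVSS severity. The feed records and the inventory are constructed, the CVE IDs are placeholders (CVE-0000-xxxx), and the record layout is a simplified version of NVD's JSON shape. It deliberately keeps entries that have not yet been scored, since those otherwise fall off the radar.

```python
"""Triage an NVD API 2.0-style CVE feed against your own asset inventory.

Added illustrative code, not Boardish's or NVD's. Feed records, CVE IDs
(placeholder CVE-0000-xxxx) and the inventory are constructed; the record
layout is a simplified form of NVD's API 2.0 JSON.
"""
import json

# (vendor, product) pairs taken from the CPE names of systems actually deployed.
INVENTORY = {("acme", "webgateway"), ("acme", "mailrelay"), ("contoso", "vpnclient")}

# Unscored entries are ranked between HIGH and MEDIUM so they get reviewed
# instead of being dropped; this placement is an assumption.
SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "UNSCORED": 2, "MEDIUM": 3, "LOW": 4}

# Constructed feed: only the fields this script reads are present.
SAMPLE_FEED = json.loads("""
{"vulnerabilities": [
 {"cve": {"id": "CVE-0000-0001",
   "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 9.8, "baseSeverity": "CRITICAL"}}]},
   "configurations": [{"nodes": [{"cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:acme:webgateway:3.1:*:*:*:*:*:*:*"}]}]}]}},
 {"cve": {"id": "CVE-0000-0002",
   "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 8.1, "baseSeverity": "HIGH"}}]},
   "configurations": [{"nodes": [{"cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:othervendor:widget:1.0:*:*:*:*:*:*:*"}]}]}]}},
 {"cve": {"id": "CVE-0000-0003",
   "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 5.3, "baseSeverity": "MEDIUM"}}]},
   "configurations": [{"nodes": [{"cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:contoso:vpnclient:2.4:*:*:*:*:*:*:*"}]}]}]}},
 {"cve": {"id": "CVE-0000-0004",
   "metrics": {},
   "configurations": [{"nodes": [{"cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:acme:mailrelay:7.0:*:*:*:*:*:*:*"}]}]}]}}
]}
""")


def cpe_vendor_product(cpe):
    """cpe:2.3:<part>:<vendor>:<product>:<version>:... -> (vendor, product)."""
    fields = cpe.split(":")
    return fields[3], fields[4]


def severity_from_score(score):
    """CVSS v3.x qualitative severity scale."""
    if score >= 9.0:
        return "CRITICAL"
    if score >= 7.0:
        return "HIGH"
    if score >= 4.0:
        return "MEDIUM"
    return "LOW"


def cvss(cve):
    """(base score, severity); prefers v3.1 over v3.0, UNSCORED when NVD has not analysed it yet."""
    metrics = cve.get("metrics", {})
    for key in ("cvssMetricV31", "cvssMetricV30"):
        if metrics.get(key):
            data = metrics[key][0]["cvssData"]
            return data["baseScore"], data.get("baseSeverity") or severity_from_score(data["baseScore"])
    return None, "UNSCORED"


def affected_products(cve, inventory):
    """Inventory entries named as vulnerable in the CVE's CPE configurations."""
    hits = set()
    for config in cve.get("configurations", []):
        for node in config.get("nodes", []):
            for match in node.get("cpeMatch", []):
                pair = cpe_vendor_product(match["criteria"])
                if match.get("vulnerable", True) and pair in inventory:
                    hits.add(pair)
    return hits


def triage_feed(feed, inventory):
    """Keep only CVEs touching the inventory, most severe first."""
    rows = []
    for item in feed["vulnerabilities"]:
        cve = item["cve"]
        hits = affected_products(cve, inventory)
        if not hits:
            continue
        score, severity = cvss(cve)
        rows.append({"id": cve["id"], "score": score, "severity": severity,
                     "products": sorted(hits),
                     "urgent": severity in ("CRITICAL", "HIGH", "UNSCORED")})
    rows.sort(key=lambda r: (SEVERITY_RANK[r["severity"]], -(r["score"] or 0)))
    return rows


if __name__ == "__main__":
    for row in triage_feed(SAMPLE_FEED, INVENTORY):
        print(f"{row['id']} {row['severity']:9} {row['score']} {row['products']} urgent={row['urgent']}")
```

Replace SAMPLE_FEED with the result of a real NVD API query and INVENTORY with the CPE names from your asset register; the CVE that only affects a product you do not run is dropped, which is the filtering the paragraph above asks for. The base score still only describes the flaw, so the final call should also weigh whether the affected system is reachable from the internet.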

But the CISO’s management of security risk is becoming increasingly complex, partly due to threat actors. They are becoming more aggressive, using automated methods and disseminating more malware with fewer resources to do so. 

This rapid increase in attack frequency leaves CISOs overwhelmed by the volume of attacks, the number of malware variants, and their volatility. 

Such trends make it increasingly hard for CISOs to identify business cyber threats, monitor the attack surface exposure, or even analyse the cyber risk.

Seeking cyber threat information in the right places 

CISOs can make their job easier by actively following security blogs and groups that share updates on CVEs, as well as official CVE sources.

The best option is to subscribe to cybersecurity groups, news sites, and big vendors to get the info from all relevant sides: the vendor and researcher angle, with focus on systems and vendors they are using. 

Some places that help:

  • Aon releases annual cyber risk reports. They are a good starting point for identifying the business threats with the highest risk for your particular industry and business type.
  • CIS has a great cybersecurity information hub. It’s updated regularly with new business threats, outlooks, and advisory news, and has a top list of malware for the previous month.
  • Microsoft’s blog shares diverse information and keeps its CVEs up to date. It explores topics on security priorities, cyber risk assessment, regulations, and solutions, among others.
  • Malwarebytes’ blog shares educational articles, how-to guides, and weekly news roundups on cyber events. Sophos’ Naked Security blog discusses the newest security events, settlements, leaks, vulnerabilities, and hacks, and has its own security podcast.

CISOs must make it a habit to check for new developments at least several times per week.

Finding cyber threats on the dark side 

Zero-day cyber threats are troublesome because most responses to them are reactive: there is no CVE record or vendor advisory yet, so you cannot learn about them from the official sources.

Lots of security professionals feel as if there isn’t adequate information out there that would help them stay safe from these attacks. 

Monitoring dark web forums for chatter about possible vulnerabilities is one option; just ensure that you stay within the law (and your organisation’s policy) while you do so.

You will stumble across posts on the dark web that mention exploits without an official CVE record. That doesn’t mean the threat is negligible; it means the vendor or developer is unaware of it, or a CVE has not yet been assigned.

Threat actors will often stay a step ahead, so use this to your advantage: check dark web sources and gauge the impact on your systems anyway, just in case.

Only a proactive approach like that will help you identify business cyber threats and minimize the risks of zero-day attacks. 

Overall

The cybersecurity landscape shifts almost daily, so you’ll have to dig into the news at least three to four times a week (if not more) to stay up to date. Proactive searching and a focus on cyber risk mitigation are the only right approach here. A reactive approach doesn’t include mitigation: by the time you react, the damage is already done!

Be Proactive

Explain why/how your solutions work, to a non-techy audience.