Without a way to identify business cyber threats yourself, you can only wait for an attack, which will cost more than taking a proactive approach.
This means doing some legwork to keep up with new developments in both cyber threats and solutions.
But where can you find out all the latest developments on cyber threats?
You can start with data sources that keep track of the common vulnerabilities and exposures (CVEs) – such as official CVE sources, security blogs, publications, groups, and vendors who share news about the latest CVEs.
Your primary focus should be CVE news about vendors and systems that your business is currently using, and their impact on your systems as rated by the Common Vulnerability Scoring System (CVSS). You must be able to react quickly if the severity rating is high or critical.
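One way to automate this triage, as an added example that is not part of the original article: the script narrows a CVE feed to the vendors and products you run and flags high and critical entries. The record layout, the inventory and the CVE-0000-* identifiers are constructed for illustration; the severity bands follow the CVSS v3.x qualitative rating scale.

```python
import json

# Vendors/products the business actually runs (constructed inventory).
INVENTORY = {("examplesoft", "mailgateway"), ("acmenet", "vpn-appliance")}

# Constructed feed records; the field names are an assumption, not a real feed schema.
SAMPLE_FEED = json.dumps([
    {"id": "CVE-0000-0001", "vendor": "AcmeNet", "product": "VPN-Appliance", "cvss": 7.5},
    {"id": "CVE-0000-0002", "vendor": "ExampleSoft", "product": "MailGateway", "cvss": 9.8},
    {"id": "CVE-0000-0003", "vendor": "AcmeNet", "product": "VPN-Appliance", "cvss": 5.3},
    {"id": "CVE-0000-0004", "vendor": "OtherCorp", "product": "Widget", "cvss": 10.0},
    {"id": "CVE-0000-0005", "vendor": "ExampleSoft", "product": "MailGateway", "cvss": None},
])

def severity(score):
    """Map a CVSS v3.x base score to its qualitative rating."""
    if score is None:
        return "unscored"
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    if score == 0.0:
        return "none"
    if score < 4.0:
        return "low"
    if score < 7.0:
        return "medium"
    if score < 9.0:
        return "high"
    return "critical"

def triage(feed_json, inventory):
    """Return (urgent, review) lists of (CVE id, rating) affecting the inventory."""
    urgent, review = [], []
    for rec in json.loads(feed_json):
        key = (rec["vendor"].lower(), rec["product"].lower())
        if key not in inventory:
            continue  # not a system we run, so it is not our priority
        rating = severity(rec.get("cvss"))
        if rating in ("high", "critical"):
            urgent.append((rec["id"], rating))
        elif rating == "unscored":
            review.append((rec["id"], rating))  # no score yet: needs a manual look
    urgent.sort(key=lambda item: item[1] != "critical")  # critical entries first
    return urgent, review

if __name__ == "__main__":
    urgent, review = triage(SAMPLE_FEED, INVENTORY)
    print("React now:", urgent)
    print("Assess manually:", review)
```

Records without a score are kept in a separate list instead of being dropped, since a missing rating does not mean a missing risk.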
But the CISO’s management of security risk is becoming increasingly complex, partly due to threat actors. They are becoming more aggressive, using automated methods and disseminating more malware with fewer resources.
This rapid increase in attack frequency leaves CISOs overwhelmed by the volume of attacks, the number of malware variants, and their volatility.
Such trends make it increasingly hard for CISOs to identify business cyber threats, monitor the attack surface exposure, or even analyse the cyber risk.
CISOs can make their job easier by actively following security blogs and groups that share updates on CVEs, as well as official CVE sources.
The best option is to subscribe to cybersecurity groups, news sites, and big vendors to get information from all relevant sides, both the vendor and the researcher angle, with a focus on the systems and vendors they are using.
One helpful source is AON, which releases annual cyber risk reports. These reports are a good starting point for identifying business threats with the highest risk for your particular industry and business type.
CISOs must make it a habit to check for new developments at least several times per week.
Zero-day cyber threats are troublesome because most responses to them are reactive: vendors and developers have not yet shared an update on the existence of the CVEs.
Lots of security professionals feel as if there isn’t adequate information out there that would help them stay safe from these attacks.
Browsing the dark web forums for possible vulnerabilities is one solution – just ensure that you stay in the legal zone while you do so.
You will stumble across blogs on the dark web that mention exploits without an official CVE record. It doesn’t mean the threat is negligible; it just means the vendors or developers are unaware of it at that time.
Threat actors will often stay a step ahead, so use this to your advantage: check dark web sources and gauge the impact on your systems anyway, just in case.
Only a proactive approach like that will help you identify business cyber threats and minimize the risks of zero-day attacks.
Explain why/how your solutions work, to a non-techy audience.