How to Guide Your Security Program with a Cybersecurity Risk Taxonomy

It sounds logical, but research suggests that many security managers lack knowledge and understanding of cyberattacks, the tools and techniques that hackers use, and the vulnerabilities they exploit. Without this understanding, it can be hard to determine the best way to mature your security program.

If you are struggling to keep pace with what today’s bad actors are up to and how to protect your organization against these threats, a cybersecurity risk taxonomy can help.

What is a cybersecurity risk taxonomy?

A cybersecurity risk taxonomy is a powerful tool that identifies the risk vectors that your organization will likely face. With this insight, it becomes much easier to communicate cyber risk to the C-suite and board of directors, advocate for resources, and implement the right protections.

A cybersecurity risk taxonomy is structured around five main classes: 

  • Internal network risks
  • Employee-generated risks
  • Social engineering attacks
  • Cloud-based attacks
  • Third party threats

Let’s look at these classes and the measures your organization can take to reduce the risk posed by each.

evolution of the ciso whitepaper

In the midst of facilitating organization-wide digital transformation, the CISO also must undergo his or her own professional transformation to keep up with a world in serious need of cybersecurity leaders. 

Download Whitepaper
Button Arrow

1. Internal network risks

Failures and vulnerabilities within your organization’s digital environment are a significant cause of cybersecurity risk. These risks can stem from misconfigured software, improper security settings, coding issues, poorly integrated systems, and a failure to apply patches in a timely manner.

Indeed, when BitSight analyzed hundreds of recent ransomware events, we found that organizations who were slow to implement system patches were seven times more likely to become victims of ransomware than those who maintain a regular patching cadence. Similarly, companies with a low-grade for TLS/SSL configurations (a top vulnerability that hackers look to exploit) are nearly four times more likely to be ransomware targets than those with strong security programs.

Clearly, basic cyber hygiene matters. But identifying internal network risks at scale isn’t easy. 

BitSight can help. Instead of cobbling together insights from siloed security tools, BitSight for Security Performance Management lets you continuously and automatically identify network vulnerabilities – on-premises, in the cloud, and across business units and geographies – from a single dashboard. With this enterprise-wide visibility you can quickly prioritize exposed systems based on criticality and remediate risk before the systems are exploited by the bad guys.

2. Employee-generated risks

The actions of people, whether deliberate or accidental, are a leading cause of cyberattacks. Typically, these actions can be broken down into three subclasses:

  • A lack of understanding of the basics of cybersecurity hygiene, such as spotting and reporting a phishing email.
  • Inadvertent actions, including connecting to an insecure Wi-Fi network or downloading a compromised file.
  • Deliberate actions, such as fraud, sabotage, or data theft.

Cybersecurity policy and training is critical to reducing these insider threats. Don’t just focus on how security awareness impacts the company; make sure that employees understand that security is about them, too. Educate them on how and why they are targets, the ramifications of a breach on their productivity and job security, and how to protect themselves at work and at home.

In addition, find ways to automatically monitor and control access privileges. Employees should only have the appropriate level of network access they need to do their job.

3. Social engineering attacks

Thanks to the surge in remote working, social engineering attacks – like phishing schemes – are on the rise. After all, it’s much easier to impersonate a colleague, executive, or business partner, if your interaction with them is via digital mediums. These attacks have also increased in sophistication, today’s hackers use new vectors that build credibility over time and manipulate their targets into making mistakes, such as transferring corporate funds into the hands of fraudsters.

Training can help educate employees on these psychological-based attacks, but to ensure each new vendor is legitimate and reduce the risk of financial fraud, security and risk management teams must develop policies for more rigorous third-party vetting and due diligence. Read more about social engineering and how attackers exploit people’s vulnerabilities. 

4. Cloud-based attacks

If your organization stores digital assets in the cloud, it could be vulnerable to attack. According to the 2021 Verizon Data Breach Investigations Report (DBIR), 73% of all cyberattacks targeted cloud-hosted assets – making this class of attack a critical part of any cybersecurity risk taxonomy.

Key to mitigating cloud risk is understanding the shared responsibility model. Under this model, cloud service providers are tasked with securing their cloud architectures while your security team is responsible for securing organizational data stored in the cloud. To do this, you need continuous visibility into blind spots such as misconfigured cloud services and software vulnerabilities. After all, you can’t secure what you can’t see.

Read more about five things you can do to protect against cloud-based attacks.

5. Third-party threats

In today’s highly interconnected business ecosystem, third-party risk can have a huge impact on your organization’s security posture. Flaws in the cyber defenses and practices of your vendors, service providers, and business partners can put your data, systems, and networks at risk.

To protect against third-party risk you must evaluate your business relationships to understand which vendors you do business with, their relationships with subcontractors, and where cyber risk exists in their digital environment. Cybersecurity audits and periodic assessments can help with this task, but a better and more scalable approach is to use a continuous monitoring solution like BitSight for Third Party Risk Management

With BitSight, you’ll get an immediate, near real-time snapshot of your third parties’ security postures – both before onboarding and for the life of the relationship. If a vendor or partner’s security rating drops, you’ll get automated alerts so you can quickly work with your vendor to mitigate the issue.

Get one step ahead of the bad guys

With a cybersecurity risk taxonomy in place, you can now begin a holistic strategy to focus your security program and mitigate cyber risks. 

As you do so, it’s important to note that these risks are interrelated and the impacts of a weakness or vulnerability in one class can cascade into another. Furthermore, as the cyber risk landscape evolves and your digital environment continues to expand, plan to revisit this cybersecurity risk taxonomy on a regular basis so you can proactively guide your security strategy and stay one-step ahead of the bad guys.  

h