Understanding the cyber security threat
The type of threat faced is shaped by the nature of the organization and the services it provides. Understanding the threats faced by your organization, either in its own right or because of who you work with, will enable you to tailor your organization’s approach to cyber security investment accordingly. You need to consciously decide which threats you are trying to defend against; otherwise you risk trying to defend against everything, and doing so ineffectively.
What should the Board do?
Get an understanding of the threat
An understanding of the cyber security threat landscape will be key to helping the Board make well-informed governance decisions. The Board will already have insight into the threats or challenges facing their sector. This should be complemented by an awareness of the motivations of attackers, and a mechanism for staying up to date with key cyber security developments (for example, the growth of ransomware).
Collaborate on security
One of the best sources of information on good practice and relevant threats can be your sector peers. Attackers often target a number of organizations in the same sector in a similar manner. Cultivating these collaborative relationships on security has two major benefits. Firstly, it can help make your own organization more resilient, through early warning of threats and improved cyber security practice. Secondly, it helps make the sector as a whole more resilient, which can reduce the appeal to potential attackers.
Assess the threat
Working out the ‘threat actors’ (the groups or individuals capable of carrying out a cyber attack) relevant to your organization can help you make decisions on what you are actively going to defend against. While investing in a good baseline of cyber security controls will help defend your organization from the most common threats, implementing effective defenses against a more targeted or sustained attack can be costly. So, depending on the likelihood and impact of that threat, you may decide that it is not worth that additional investment.
Ongoing discussion between the Board and experts will help you to prioritize the threats to actively defend against. The experts will have an in-depth understanding of the threat, and the Board will be able to identify the features of the organization that might make it an attractive target to attackers. It is also critical to have this discussion in advance of any decision that will significantly change the threat profile of the organization, in order to give technical staff the time to suitably adapt the organization’s cyber security.
Working with suppliers and partners
When assessing the threat, you should consider not only the value that you might have as a standalone organization, but also the value you may represent as a route into another, possibly larger organization.
What should your organization do?
Don’t underestimate the impact of un-targeted attacks
An un-targeted attack is one where an attacker uses a ‘scattergun’ approach to reach thousands of potential victims at once, rather than targeting a specific victim. Attackers often use automated, widely available tools that scan public-facing websites for known vulnerabilities. Once a vulnerability has been found, the same tool will exploit that website automatically, regardless of who it belongs to. This can have just as much impact on your organization as a targeted attack. A good baseline of basic cyber security controls and processes will protect your systems from the majority of these attacks.
Obtain good intelligence - and use it
You will need different types of threat intelligence for different purposes. A good overall threat picture is needed for governance decisions, and timely threat intelligence for day-to-day and tactical decisions. Many industry and government partners offer threat intelligence, from annual reports on general trends right down to highly technical reports on a specific type of malware. You therefore need a mechanism for identifying what intelligence your organization needs and for what purpose, and for sharing that intelligence internally. Critically, you then need to use that intelligence to inform business decisions, including procurement, outsourcing, training, policy and defense of your networks.
You can also gather threat intelligence internally. You will likely have experience of attacks on your own organization, which can provide strategic insight into the activities of threat actors, as well as tactical details on their methods. These specific details will usually come from logging or monitoring within your organization.
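The un-targeted scanning described earlier, and the internal intelligence this paragraph says comes from your own logs, can both be illustrated with a short detection script. The following is an added example, not part of the original guidance: it reads web server access logs in the common Apache/nginx ‘combined’ format, and flags clients that request several distinct paths commodity scanners are known to probe, mostly receiving ‘not found’ responses. The probe path list and the sample log lines are constructed for illustration and are assumptions, not an authoritative signature set or real traffic.

```python
"""Spot commodity ('scattergun') scanning in web server access logs.

Added example, not from the original guidance. Assumes the Apache/nginx
'combined' log format. PROBE_PATHS and SAMPLE_LOG are constructed for
illustration.
"""
import re
from collections import defaultdict

# Paths that automated scanners request regardless of who owns the site.
# Illustrative assumption only; a real deployment would maintain its own list.
PROBE_PATHS = {
    "/.env", "/wp-login.php", "/xmlrpc.php", "/phpmyadmin/",
    "/.git/config", "/cgi-bin/", "/admin/", "/boaform/",
}

# ip ident user [timestamp] "METHOD path protocol" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample: one scanner (203.0.113.5), one ordinary visitor who
# stumbles on a single dead link, and one API client.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2024:09:00:01 +0000] "GET /.env HTTP/1.1" 404 153
203.0.113.5 - - [10/Mar/2024:09:00:01 +0000] "GET /wp-login.php HTTP/1.1" 404 153
203.0.113.5 - - [10/Mar/2024:09:00:02 +0000] "GET /xmlrpc.php HTTP/1.1" 404 153
203.0.113.5 - - [10/Mar/2024:09:00:02 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 153
203.0.113.5 - - [10/Mar/2024:09:00:03 +0000] "GET /.git/config HTTP/1.1" 404 153
198.51.100.7 - - [10/Mar/2024:09:01:10 +0000] "GET / HTTP/1.1" 200 5120
198.51.100.7 - - [10/Mar/2024:09:01:12 +0000] "GET /about HTTP/1.1" 200 3800
198.51.100.7 - - [10/Mar/2024:09:01:20 +0000] "GET /wp-login.php HTTP/1.1" 404 153
192.0.2.9 - - [10/Mar/2024:09:02:00 +0000] "POST /api/login HTTP/1.1" 200 210
"""


def parse_line(line):
    """Return a dict of fields for one combined-format line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_probe(path):
    """True if the path is a known probe, or sits under a probed directory."""
    if path in PROBE_PATHS:
        return True
    return any(path.startswith(p) for p in PROBE_PATHS if p.endswith("/"))


def find_scanners(log_text, min_probes=3, min_error_ratio=0.5):
    """Return {ip: sorted probe paths} for clients that look like scanners:
    at least min_probes distinct probe paths and mostly 404 responses."""
    probes = defaultdict(set)
    totals = defaultdict(int)
    errors = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # tolerate non-matching lines rather than abort
        ip = rec["ip"]
        totals[ip] += 1
        if rec["status"] == 404:
            errors[ip] += 1
        if is_probe(rec["path"]):
            probes[ip].add(rec["path"])
    flagged = {}
    for ip, paths in probes.items():
        if len(paths) >= min_probes and errors[ip] / totals[ip] >= min_error_ratio:
            flagged[ip] = sorted(paths)
    return flagged


if __name__ == "__main__":
    for ip, paths in find_scanners(SAMPLE_LOG).items():
        print(f"{ip}: {len(paths)} known probe paths -> {paths}")
```

The visitor who hits one dead link is deliberately not flagged: a single probe path is weak evidence, so the script requires several distinct probes and a high error ratio before it reports a client. Counts of flagged sources over time are the kind of internally gathered, tactical threat intelligence the paragraph describes; the probe paths they request tell you which baseline controls (patching, removing unused admin interfaces, blocking access to dotfiles) are actually being tested.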
What does good look like?
The following questions can be used to generate productive discussions with your technical team. The aim is to identify what constitutes ‘good’ cyber security in terms of understanding the cyber security threat to your organization.
Q1. As an organization, which threats do we assess are relevant to our organization, and why?
This assessment should:
identify potential motivation for those threats and the likelihood of them targeting your organization
inform which risks you are willing to tolerate
be enriched by collaboration with key partners in your sector
be supported by evidence from the attacks you have experienced to date
Q2. As an organization, how do we stay up to date with the cyber threat?
You might:
seek to discover evidence of any attacks in system logs you may hold
subscribe to a number of threat intelligence feeds
be part of a sector-specific intelligence sharing group
have mechanisms for sharing key cyber threat updates internally
Q3. As an organization, how do we use threat intelligence to inform business as usual (BAU)?
This should be a continuous cycle with threat assessments informing BAU decisions, and BAU experience informing the threat assessments. Examples might be:
assessing the likelihood and impact of threats to inform risk assessments and appetite
educating staff on the key threats they face so that they can make informed decisions
taking lessons from previous incidents to inform threat assessments
using threat intelligence to focus defensive measures
including threat consideration in change or procurement decisions (for example, when choosing a new enterprise IT provider, considering a potential merger or designing a new product).