World Economic Forum rates Cyber Attack Risk

Published: 31 March 2016

Andy Harris, looking at the data from the world economic forum

By Andy Harris


Recently we've come across this research from the World Economic Forum here. Here we've reworked the data to show both the risks in terms of impact and probability along with the trends:

World Economic Forum, Risks and Trends

We've faded down all the non-technical risks and shown to top right quadrant. To some this obviously shows that cyber attacks should be the board's primary concern, to us it shows that risk is very high, very probable and set to get worse.

But that single blob representing cyber attacks is great for 'board based fear factor', however it doesn't help the teams that have to deal with security (apart from easier budget justifications). Those teams need the detail - what are the attack vectors? what attacks are being successful and how are they blocked?

The Cyber Attacker's Killchain

SIEM solutions can generate a lot of noise, especially when left static, they may be optimised to alert particular types of attack, but as these attacks change the real data can be lost in noise. Of course this is just the progression of 'log all the things', 'patch all your servers' and 'keep up to date'.

At Osirium we propose an additional strategy: 'reduce your attack surface'. You'll notice from the Killchain diagram that all attacks have to go through the escalate privileges stage. 99.9% of attacks do so by gaining access or control of Privileged Accounts. That's where Osirium helps. It separates people from passwords (PUM), and with it's task scheme (PTM) many people will never need access to a Privileged Account. Since the biggest attack vectors are the vulnerabilities of User's workstations and the phishability of the users themselves we'd say that Osirium was a major contribution to Cyber Safety.

Release Date: 
Thursday, 31 March 2016
Article Type: 
Blog Post
Author: 
Andy Harris