beebright - stock.adobe.com

Making threat intelligence greater than the sum of its parts

Organisations can become more secure if they join up their varied sources of intelligence about business threats, and avoid losing valuable information within individual silos

Far from being an activity solely undertaken by law enforcement and government agencies, effective intelligence can provide businesses with a wide range of benefits. These include reducing fraud and financial crime, enhancing cyber security and providing market insight to support better investment decisions.

Despite this, many organisations do not effectively unlock its full potential. Typically, companies do not recognise where intelligence can be found within the business, or worse, fail to coordinate the flow of intelligence across disparate functions.

For example, one team may identify suspicious transactions, but fail to realise the importance, or share this with another team that has identified separate but interconnected indicators of fraud elsewhere. This makes it harder to join the dots and take action early.

Both these problems often occur when an organisation has grown organically and where responsibilities, technology and skills have become misaligned as the business develops. This can lead to missed opportunities and a reduced ability to manage emerging threats effectively.

There is a further problem for organisations that have many different points of contact with customers, such as financial institutions. Criminals can often exploit a lack of intelligence-sharing between independent business areas to carry out fraudulent activity multiple times, knowing that the patterns of their actions are less likely to be noticed.

In the case of the 2018 Ticketmaster data breach, links between fraudulent transactions and customers having made a prior purchase through Ticketmaster were not immediately identified, resulting in considerable loss to customers and banks in particular.

These examples underline the need for organisations to ensure they have the capability to detect and defeat such threats. They also need to recognise that the skilled people they have are often working in silos, increasing the likelihood that they will fail to respond effectively. 

So how can organisations unlock the full value of intelligence and use it to support effective decision-making?

Assess intelligence capabilities

To address these challenges, organisations need a clear understanding of the nature and maturity of their current intelligence capabilities. They can then use this to work out what they need to do to improve those skills and how to manage the necessary business and process change.

As there is no recognised standard for assessing the effectiveness of intelligence, it is necessary to use a wide range of best-practice resources. These can help to look at the whole value chain and assess how different elements align to and support intelligence cycle activities.

Read more about threat intelligence

The development of an effective intelligence capability must be focused on customer needs and around helping stakeholders to set appropriate and relevant intelligence requirements from the start.

Intelligence products, such as those provided to senior stakeholders to warn of potential risks during acquisitions or threats to staff travelling overseas, should closely align with this need and add insight and value, rather than simply providing readers with raw, news-like information. Achieving this ensures that customers from across the business can make effective, intelligence-informed decisions.

Governance and coordination

As with other business areas, the right governance and a centralised coordination function with senior oversight and clear routes to the executive are also vital in building an effective intelligence capability. They can also support a range of important activities, such as collection, storage and processing of intelligence feeds.

Developing centralised IT systems, processes and views of the threat landscape, for example, will help to enhance the value of intelligence products by proving consistency and a common baseline from which to ground intelligence assessments.

Governance and centralised coordination will also enable organisations to answer intelligence requests from across the business in a more efficient and comprehensive way by coordinating the activities of specific intelligence teams and reducing duplication of effort.

But developing a more mature intelligence capability does bring challenges. These include recognising that intelligence is about more than just technology, processes and style guides and that cultural change across the business – rather than just within the intelligence community – is crucial.

The strategy also needs to ensure that users know where they can actively access intelligence, understand how to use this to support decision-making, and be encouraged to provide regular feedback to support continuous improvement.

Ultimately, a well-briefed, fully motivated and intelligence-led workforce provides by far the strongest defence from threats and has the potential to unlock the most opportunities.

Elliot Rose is head of cyber security, and Matthew Arnold is a cyber security expert at PA Consulting

Read more on Security policy and user awareness