Cybersecurity 101
For many businesses, the last few years have changed information security significantly.
- Data privacy regulations require compliance and diligence. Failing to maintain a strong cybersecurity posture can not only get you in trouble with the regulators but can also significantly damage your reputation
- Digital transformation and the move to Cloud services have increased complexity in IT infrastructure
- The threat landscape has increased in breadth and depth, with more attacks, more kinds of attacks, and more targeted attacks
All of this means that the defence perimeter has shifted, threatening your cybersecurity posture. As such, cybersecurity teams are starting to evolve from a network-centric approach to a data-centric approach.
Protecting what’s important to your business
To remain relevant and competitive, your business has to digitally transform and become data-driven in almost every aspect. Data is used to help define strategy, improve customer experience, accelerate research and development, drive recruitment and much more. If this data is lost, stolen or given to competitors or criminals, it can impact your business significantly. This data falls into four key types:
- Details about your infrastructure and software and cybersecurity framework that can help bad actors mount a cyber attack
- User credentials for your applications
- Personally identifiable information (PII) about your staff, customers or other individuals your organisation work with
- Business-critical data which is used to provide services, run and organise your business
Protecting your data, wherever it lives
In the olden days, cybersecurity was arguably easier. You knew precisely where your data was. You could probably even see the racks of machines in your server room from your desk or visit it when you needed to. Nowadays your data is everywhere, creating new challenges for maintaining both your cybersecurity posture and your cybersecurity framework. But, for argument’s sake and for the purposes of cybercriminals, they know it lives in three types of locations.
- In your network – either on-premise or Cloud-hosted
- In your digital supply chain with partners or on 3rd party apps
- Outside the business – on individual devices or surface, deep and Dark Web sites
Keeping control of on-premise data and cybersecurity systems is straightforward enough, and no doubt you already have systems in place to manage security. Cloud security adds additional process and complexity. But, it’s when data leaves the business, things start to get tough. Requiring suppliers to conform to standards is a good first step, on-going cybersecurity enforcement is harder. The cybersecurity role increases in scope and complexity. Not least because your partners and suppliers will also be reliant on third-party suppliers themselves; only increasing digital risk and extending your cybersecurity framework further. And to top it all, data could be stored on devices or shared on emails using insecure networks. All of this means that your data could end up on sites without your permission, your knowledge or your protection. How do you ensure your cybersecurity capabilities are up to scratch?
How do you stop your data escaping?
There are two main ways that data breaches can occur. The first is the insider threat. Staff who work for you or your partners can accidentally lose data. A misaddressed email or lost phone incident can happen to any business but it’s worth considering risks from former staff, especially if there’s been bad blood. Insider threat is, in fact, the biggest cause of data breaches in the UK.
The second type of threat comes from a malicious attack. These can come in many forms, which often depend on the motivation for the attack.
How do you know if your data is already out there?
Chances are, you won’t. That’s because most businesses use one type of security solution. That is, cybersecurity capabilities that are focused on defending the network and the data inside it, not data beyond the firewall. And this is where Digital Risk Protection comes in – looking for your data and threats to your data outside the firewall.
A recent sample of UK SMBs revealed that over 70% had had sensitive data leaked or stolen and were unaware that it had been shared or sold. This kind of knowledge can help you take the right actions to reduce the threat of sensitive data getting into the wrong hands. You can easily discover if your organisation is in this situation by requesting a digital footprint report from Skurio. We'll let you know if your data has been shared and provide helpful advice on what to do next.
Threats are evolving
The more sophisticated our cyber systems become, the more sophisticated the types of methods people will use to get through any protections we have placed around them. The rest is a well-known story; we play a continual game of cat and mouse with cybercriminals and other bad actors to make sure that our company systems and information are secure. The sophistication of our protections are almost always matched by someone who has found a way to hack them. In terms of maintaining cybersecurity skills and selecting the right products, we need to advance to stay ahead of the game.
Let’s jump forward and look at the current state of cybersecurity and examine the newest threats and realities.
Self-propogating malware
Most of our concerns with preventing malware and viruses from causing damage to our systems have involved training users (a.k.a “humans”) to not click on mysterious links, or open attachments from unknown parties. Unfortunately, the threats of malware have mutated. While we still need to pay strong attention to the human element (we are still the “weakest link” in the system), there is a new set of threats. The latest forms of malware are now network-based; humans are not as necessary to spread them anymore; they are now self-propagating. All it takes is one user in the system to accidentally introduce an intruder and bad actors can start to take control over the entire system.
What makes this worse is that new cryptoworms are of modular design. They enable attackers to trigger elements when they are deemed necessary. In other words, if one area gets remedied, others can be triggered remotely, they can switch tactics. All it takes is one talented and motivated criminal to have gained access to the network and they can control it as needed, significantly reducing cyber resilience. Often the initial entry is undetected; bad actors are becoming more sophisticated and after they find a way in, they wait until an opportune time to take over a system.
We have all heard of cases of ransomware, where bad actors hold systems hostage until paid off. It's one of the biggest risks to computer security. However, now ransomware is being used for methods beyond simple ransom; the overall goal can be simply destructive of systems and data.
Another troubling new advancement is that it is getting harder to find these invaders; they are stepping up their evasion techniques. They are now using cloud services for command and control, making it harder for traditional security tools and network security measures to be able to detect this traffic. Threats are also being hidden in encrypted traffic.
Internet of Things
Companies are using the Internet of Things (IoT) more and more than in the past, using smart locks, connected cameras, smart lighting, thermostats and more. These tools make the process of managing offices far more efficient.
Unfortunately, IoT devices usher in their own cybersecurity threats; and are often deployed by operational tech and not IT departments. These devices are often unmonitored and provide back doors to other systems. Many endpoints have few security capabilities. Hackers who find their way into a company’s network through these devices may suddenly find themselves deeply embedded into more crucial systems.
Human vulnerability
Regardless of the automated attacks mentioned above, it’s important we remember that humans are still the most common source of breaches, especially if they lack cybersecurity awareness. We are still vulnerable to social engineering and phishing.
One area where cybersecurity risk is increasing are with Remote Desktop Protocol (RDP) attacks. These are attacks using the computer security software used by IT departments for gaining access to a user’s computer to solve issues without being physically present. By impersonating support professionals such as your cybersecurity analyst, bad actors are being handed direct access to users’ computers and all the access that they have to other systems.
Increased use of cloud services also introduce a new type of information security vulnerability. While cloud providers offer wide ranges of security, they are generally only effective if correct security protocols are deployed. While it may be tempting to trust the providers for security procedures, the connection points between users, particularly with mobile devices, are a key target for bad actors.
Who are the attackers?
While typically we have assumed that those attacking our systems are individual bad actors or organised hacking groups, there are more probable threats. We have heard about attacks from external nation states and/or companies looking to steal intellectual property and more, however, insiders can also be a threat.
Within an organisation of any size, there’s always the risk of individuals who have access to proprietary knowledge or secrets of a company that can turn against their employer. This can include disgruntled employees, or anyone who has been compromised in any way. If an individual is being blackmailed for any reason, or if they have proprietary knowledge of how the system works, they can become a serious threat for a company. These people often know how to bypass your computer security measures.
Even though many companies will automatically shut off all email and access to former employees, it is quite possible that a former employee could leave a backdoor into a system to later gain future access.
It's not just big businesses that are being targeted
You might think that your company is simply not large enough to be in the sights of bad actors, but in fact, a wider range of businesses are now being targeted. According to the Hiscox report, small, large, governmental agencies, and more, are being targeted by hackers. What’s worse, more and more firms are failing cyber-readiness, vulnerability management and computer security tests.
Cost to your company
Beyond the cost of lost data, there are several other possible places that breaches of security are causing losses to companies. The Hiscox report has shown that the mean loss for firms has risen to approximately $370,000 (US) per attack.
In case you don’t already have enough incentive to focus on your cybersecurity framework and keep your company’s data secure, GDPR regulations in Europe can result in large fines for any companies that allow breaches of information about consumers or employees. This too is expanding to other areas; many states in the US may be applying new fines for companies who accidentally reveal confidential information about individuals.
Beyond these immediate hits to your bottom line, there are many secondary effects which can do tremendous amounts of damage to a company. People often feel unsafe doing business with a company who has revealed their information to bad actors. Even if this was not the intent (when is it ever?) it provides an image of your company as one that is unprofessional; if you can’t keep your data secure, a reasonable question for an average person might be how seriously are you treating the rest of your business? Shareholders may depart at record speed. A weak cybersecurity framework and a perceived lax attitude to computer security can cost your brand dearly.
How to determine if your cybersecurity is failing you
Sometimes it can be difficult to identify whether your cybersecurity framework is up to scratch. If you feel like you may not have a good enough cybersecurity policy, there’s a high likelihood that this is indeed the case.
Here are a few questions that you should be asking yourself to determine how ready you are.
Do you think you’re too small to be a target?
According to Hiscox, there’s very little correlation between size of company and the likelihood of an attack. More than half of all small businesses studied, reported a breach of some sort, and about half of these suffered multiple incidents.
In fact, the smaller the company, the less likely you are to have a solid plan in place, therefore increasing your vulnerability.
Can you defend against zero-day attacks? Multi-vector? Polymorphic?
Whilst we have traditionally been able to protect against most attacks with robust firewall rules, a whole new set of attacks that take advantage of software vulnerabilities and have the ability to mutate to take advantage of these weaknesses are starting to become common. These attacks focus on network, cloud, and mobile devices at the same time making the security tasks considerably more complicated. According to Checkpoint, only 3% of companies worldwide are prepared to protect themselves against these types of attacks.
Too much data
Companies that can’t maintain control over their own data will be unlikely to be able to detect if there is an intruder. Make sure you maintain a good analysis of what information you hold.
This is, of course, particularly difficult in this era of Big Data, however this only serves to underscore its importance. If bad actors can find a way to hide their activity as a needle in a haystack, they will.
No incident response plan
Do you have a plan in place if (when) a breach occurs? Do you have personnel who have the ability and resources to respond to an attack? Do they know what to do? Do you have backups already in place? How about disaster recovery? How much downtime can your business afford in the event of such a breach?
Security is not being given priority at top levels
If security is not taken seriously by the board, or not given a place at the table, there’s a likelihood you are vulnerable. Cybersecurity is something that needs to be considered within any areas of business risk.
It’s as crucial to your business as the locks on the doors of your building. You have a lot to protect, including customer data, employee data (which can be used for phishing and social engineering attacks; it’s like fish bait), trade secrets, intellectual property. Also it’s important to recognise the risks associated with the Internet of Things (IoT), as your physical assets could come under attack, including HVAC systems, phones, scanners, and more.
Employees not held accountable
You can have rules in place, but if breaches occur, individuals need to face the consequences of their actions. Too often it is dismissed as “people being people” and folks are given a lecture about security, or required to take an annual security test, but nothing comes of it. If an individual’s account is associated with a breach, there needs to be clearly communicated consequences of what can happen to a person, and to the company, if procedures are not followed.
Too much faith in perimeter defence
Whilst strong firewalls are important, you can assume that once an intruder gets in, they will move freely about a network. You need to have more layers of defence, such as quarantining systems inside the network. There should be some triggers that can be fired if a breach has been identified, either automatically (for instance, recognising certain types of network activity) or manually.
Too much on prevention instead of detection and response
Of course, prevention is important, but discovery can be time-consuming; regularly scan your systems to identify if anything unusual is occurring. In many cases, it can take many months to detect whether a breach has occurred.
Just because you haven’t identified a breach does not mean that it has not occurred. There are even chances that regular scans of your own system don’t pick up invasions. This is why you need to regularly scan Dark Web marketplaces for the existence of any company data. (Find out how Breach Alert can help).
This serves the function of both being able to minimise any impact of breaches which have occurred but also serves in prevention against possible future attacks. If you are aware that network information is being shared, you can adjust your internal protocols to make sure that this information becomes obsolete, and therefore useless to a bad actor.
It’s not uncommon for businesses to experience data breaches without even realising but there are some tell-tale signs. Employee data breaches can lead directly to an increase in spam and phishing attacks. A breach of network details may result in a denial of service (DoS) or distributed denial of service attack (DDoS).
Relying solely on compliance
Whilst compliance is a good motivating factor, too many companies rely on it as a benchmark to ensure the safety of their systems. Regulations being what they are, are often made up of compromises, and not all in the interest of tighter security. Remember that cybercriminals are seeking any loopholes they can find; if they believe an area exists for an exploit that is not covered in regulations, you can be certain they will be attempting to take advantage of this.
Other indicators
Beyond the above-mentioned items, there are other ways in which vulnerabilities could be exploited without raising the alarm in your security operations centre.
The business areas may become aware of sudden changes in revenues. If there is an unexpected drop in your profit margins, it’s worth paying attention to whether gift card codes have been hacked or discount codes obtained.
A sudden drop in revenue could mean your brand is being impersonated or criminals are counterfeiting your products. Also, your customer data could have turned up on the Dark Web or other marketplaces enabling fraudsters to target your customers.
Do you need a CISO?
Bringing in another layer of management is something many companies may be resistant to. If it’s not generating revenue, it can be a hard pitch to the board to create new upper management level positions. However, if someone examines the potential loss to a business if they don’t act, it can become a different story altogether.
As a rule, it’s a bad idea to wait until after an incident has occurred to act. One well-known case, the U.S.-based company Target suffered a massive breach when their credit card machines were simultaneously compromised. It wasn’t until several months until after this occurred that they hired their first CISO.
It makes sense to bring in security professionals early. In fact, many smaller start-ups wisely bring in security professionals as some of their very first hires. This is particularly important if you are dealing with customer data.
Sometimes bringing in a CISO is done to navigate the massive amount of legal regulations (particularly in heavily regulated industries such as banking and healthcare). However, these aren’t the only reasons you should consider hiring a CISO.
Your company has grown large enough where security is considered to be a “board level” activity
This one is a no-brainer; for large companies it makes sense that security be considered a top-level position. If the board becomes aware of security issues (which by now, we’re hoping that they already have), you will want to have someone in place who has a direct voice to the top technology, information, and economic officers.
You need someone with a higher-level view of security
Whilst you may consider keeping someone at a director-level position, it’s important sometimes to look beyond the day to day activities of information security; you need to take a more holistic view so as not to get caught up in the weeds of reviewing and updating firewall rules.
You need your in-house security professionals, and you likely don’t want to take them out of their existing roles handling the important tasks of securing your systems. It’s hard to find quality cybersecurity talent.
For this reason, it may make considerable sense to bring in someone else from the outside to handle the big picture.
When the risk is too great to operate without a safety net
Another solid reason for considering a CISO is quite simply because the risk is too high. The costs can override any objections to the initial costs.
Many companies reach the point where they no longer have an appetite to allow IT staff to learn reactively when an attack occurs. At some point, it makes sense to bring in seasoned security executive personnel to your company.
Having a plan in place can be crucial to success, and employing someone who manages this can be extremely important for many companies. Whilst you may be thinking of delegating some responsibilities to members of your team, and this is of course a good idea, you still need someone who has the responsibility for managing the security of your operations. Depending on the size of your company, this can become a full-time job in itself.
Finding a CISO
It’s important to find a qualified person to handle your CISO responsibilities.
Be prepared: it will take time, money and effort to find the right candidate for a leading cybersecurity role in your business. There’s a lot of competition and a dramatic skills shortage. Even if you secure the right talent, be aware, the average tenure of a CISO is around 24-48 months.
It’s worth considering what you can achieve in bolstering your cybersecurity position with the resources you have, some training and a few tools that can help with automation.
Conclusion
Managing cybersecurity and maintaining a strong cybersecurity position is no small task. As we are in a cat-and-mouse approach with cybercriminals, we are often playing catch up. No matter how safe we think our systems are, there is no such thing as a completely secure and protected infrastructure.
Breaches occur. It always helps to add an extra layer of protection, by employing Skurio’s BreachAlert to notify you if your sensitive data has somehow made its way out of your company. Download the eBook now, and learn how and why you need to use Skurio to not just minimise external threats, but also to potentially thwart attacks before they have occurred.
