Cyber Resilience

Cyber security then and now

23 September 2021 | Scott Nursten

Don't be an ostrich. Cyber has evolved. Has your cyber security strategy?

Your chance of being hit by an impactful cyberattack is nearly 50%. Most business heads look away when it comes to security, assuming IT has it covered. It’s time to put cyber resilience on the board agenda to avoid serious damage.

Worms have grown legs

Remember the good old days, when a virus only created an annoying disruption? Now a host of cyber threats are everyday occurrences: and they all carry a cost.

No business is too small. Stories of Microsoft and Tesla employees offered millions for access to corporate data can lull SMEs into the false assumption that they couldn’t possibly be a viable target. Bad actors expertly monetise any corporate data and are ingenious at grabbing it. Even savvy users are fooled. A client came to us having lost £300,000 through a phishing invoice hijack.

Recovery and reputational costs can be high and often come with GDPR or other regulatory fines, and the business is still heavily disrupted.


Attack vectors: paths used to attack your organisation

In the past, attack vectors were few: predominantly basic network trojans / worms and viruses. These were clumsy, blundering through an open port or arriving via email.

Threats today cleverly exploit every opportunity: stolen or weak credentials, disgruntled insiders, poor configuration, poor encryption, ransomware, phishing, zero-day attacks or vulnerabilities that haven't been patched, brute force, SQL injection, Distributed Denial of Service, trojans, cross-site scripting, session hijacking, man-in-the-middle, crypto-jacking, cloud-jacking and supply chain attacks.

The recent SolarWinds supply chain hack targeted its 18,000 customers worldwide. The attack deployed four malware strains across 250 US federal agencies amongst other high-profile victims.


Attack surface: the sum of your different entry points

How large is your attack surface? A few years ago, it averaged five to ten entry points. That average is now between 60 and 100 points, without considering remote workers. In reality, 1,000 staff now represent several thousand potential points of compromise.

Your firewall only protects the network perimeter and corporate LAN. Once representing a significant part of your threat protection, when your business operated within the firewall, it now only protects a fraction of your data because conceptually the LAN is dead.

Your business operates in the cloud, your staff are remote, your data is everywhere, flowing through Salesforce, Office 365, Xero or Sage for instance. Every cloud application is now part of your attack surface and requires some protection. They all hold credentials and sensitive data; and they all carry potential weaknesses.


The standard corporate response? Head in the sand

80% of UK businesses say cybersecurity should be a high priority. The same 80%, however, review their cybersecurity approach ‘somewhere between monthly and never’. A good half discuss cybersecurity on less than a quarterly basis*.

Only 20% receive the recommended daily or weekly updates on cybersecurity strategy and tasks.

If your water supply sprang a leak or your electricity went off, you’d deal with it immediately. Your data flow is equally critical, and a disruption costs a great deal more to fix than a broken pipe.

Cyberattacks and data theft have featured among the 10 global risks faced by businesses for five years, according to the World Economic Forum. Proving the reality of this threat, 46% of UK businesses reported breaches last year, with 39% suffering significant impact.

This demonstrates a massive disconnect between understanding the need and addressing it. Is it fear? Lack of knowledge or understanding? Whatever the reason, cyber is not making the board agenda.


Budget for security or breach; you’ll pay for one of them

What is your security budget? If you don’t have one, you’re going to need a recovery budget because the odds are, you’ll pay for one or the other. Recovering your data when you’re breached will probably be much more expensive, and you will have to deal with disruption, potential fines and reputational damage as well.

Prevention is always better than cure. Think of cyber security like locks and alarms on your house: a few hundred pounds to deploy versus time, money and heartache to replace stolen goods. It should be a no-brainer.


Questions for IT

Are we following security frameworks or best practices? What are they?

Are we covering the SANS 20 critical controls?

How are we actively enforcing ISO 27001 or ISO 9001?

How do we plan to anticipate an attack, withstand it, recover from it and evolve, as laid out in the cyber resilience engineering framework?

What is our incident response process? (When Travelex was hacked it took them two days to tell customers and a week for official PR. The attack left customers stranded abroad without money, cost the business $2.3m in bitcoin ransom and put the £1.3b business into administration.)

What does our cyber insurance cover? Are there specific tools and protocols we need to have in place for the insurance to pay out?

As always, the answers require evidence & documentation.


* 2020 UK Cyber Security Breaches Survey conducted by Gov.UK.

This article was originally published in Platinum Business Magazine

