Cybersecurity is often seen as a grudge purchase – but it’s one that organisations have to make if they don’t want to find themselves battling the financial losses and reputational fallout of an attack that is almost certain to come.
Research points to the fact that attacks are almost inevitable – but companies are still not entirely sure what they should be doing in mitigation.
Carey van Vlaanderen, CEO of Eset South Africa, points out that a recent 2019 Global Cyber Risk Perception Survey by Microsoft and Marsh showed that 79% of companies have made cybersecurity their top-tier priority.
However, the y are quite unsure as to how to best address the issue – and almost a quarter of them had “no confidence” in responding to and recovering from cyberattacks.
The general decline in confidence from the 2017 edition of the same survey affects other key areas of cyber-resilience, such as preventing cyberthreats or even assessing and understanding them, Van Vlaanderen says.
Companies that aim to keep up with the ever-evolving world also need to adopt new technologies. That said, they often lack confidence in their ability to secure these technologies, which can handicap them in such endeavours.
A total of 74% of organisations evaluate risks in some way prior to adopting new technology, while 54% assess them after adopting them.
While that might sound reassuring to a certain extent, the reality is a bit different, she adds, as only 36% of the organisations asked, evaluate the risks both before and after the adoption of new technologies. A mere 5% evaluate risks at all stages, whereas 11% don’t evaluate them at all.
“It is no surprise then that the potential risks involved may dissuade some organisations from adopting emerging technologies, the reason being that the risks outweigh the potential benefits. According to the survey that happens in 23% of the cases.”
The issue of trust between companies and third-party providers is a big one. Certain levels of trust among these parties are indeed standard, with 32% of the survey’s participants claiming to trust the vendors to take the necessary steps to secure their products.
On the other hand, 40% of the respondents are proponents of the trust-but-verify approach where they do not accept the security claims of the providers. Instead, they always take the necessary precautions and conduct their own due diligence.
“Even though more and more companies are starting to approach cybersecurity as a top-tier issue, there is still a great disparity between how cybersecurity is perceived and how it is approached in practice,” Van Vlaanderen says. “These numbers provide a narrative where a large percentage of companies are not sure about how to deal with cybersecurity, and we can go as far as saying that many of them underestimate it.
“By extension, it can be safely assumed that many organisations across the world have yet to ensure they’re well-equipped to counter the growing cybersecurity threats.”
Steve Quane, executive vice-president: network defense at Trend Micro, believes the issue for organisations could be bigger than we think as cyber criminals are quickly becoming more sophisticated.
“One of the interesting things we have noticed over the last year has been the flight to quality from hackers,” he says.
“The number of attacks has decreased, but the effectiveness and impact has gone up. We have seen a consolidation of attack attempts into much more effective vectors.”
Social engineering is making a comeback, with targeted phishing new being carried out on both C-suite executives and the people lower down the organisational structure, who report into the decision-makers.
Automation is making the cyber criminals more efficient and effective than ever, Quane adds.
“They are mission experts and are automating everything – even the social engineering – to the extent that they can now do more than humans ever could.”
Quane is grudgingly admiring of the technical expertise that hackers have demonstrated, and their ability to launch high-quality automated attacks.
The security industry isn’t sitting on its hands while the hackers have it all their own way, however.
“Can we stop the hackers?” asks Quane. “No we can’t stop them all – but we can reduce the odds. This is why more people are moving to detect and response.”
It’s impossible to have 100% effectiveness with prevention, so organisations have to augment prevention with more investigative techniques, he says.
With a current global shortage of about 3-milion security professionals, the industry is quickly turning automation to the good.
New solutions that automate the detect and response function are helping to blunt the damage from successful attacks, Quane points out.
Many security companies are also offering detect and response as a managed service, helping organisations to obviate the lack of skills.
A less high-tech way that organisations can use to safeguard themselves against attack is basic patching, Quane adds.
A lot of the current ransomware attacks would not have happened at all if the companies had applied patches that were freely available.
Linsay Narayanan, security solutions business unit manager at Westcon-Comstor Sub-Saharan Africa, points out that the increasing rate of attacks – and the damage they cause – is putting CIOs and chief information security officers (CISOs) under more pressure than ever.
But they have to balance security with usability – a feat that isn’t always easy to achieve.
“We are seeing more of a security focus amongst businesses across the continent that in itself speaks to a positive shift towards a change in culture,” she says. “You can’t shut people out of your systems for the sake of security – this is also a risk.
“This could lead to you being a less desirable employee at the end of the day. But you can get people to buy into a culture if they feel it is all part of a greater good or if you make them understand it will hurt them personally.”
Making sure employees – however they access the systems – are compliant helps to lessen the risk, Narayanan adds.
“There is an emphasis on staying up to date. A lot of businesses now have security teams whose only function is to ensure the security policies and solutions are up to scratch – it is a good model and more companies should embrace it.”
Security has become more complex because the IT systems now reach well beyond the core, to the edge and via the cloud.
“Security has to be everywhere and it needs to be layered,” Narayanan says. “The days of defining a security policy for each aspect of the business is long gone.
“Policy-makers need to get a full view of all of the businesses assets, they need to be willing to use modern technology to support their security investments (ML and AI), they need to connect their security solutions, they need to constantly train and educate and lastly they need to put in proper response and mitigation procedures.
“In short, security policies can’t be linear. But they also can’t be old-fashioned.”
When a company is attacked, the level of damage will probably depend on how it reacts.
“As we add more devices to our lives and businesses start using IoT more and start to bring in the intelligent edge – we are widening the attack surface for hackers. Security professionals have to start thinking for their users – mapping behaviour and looking at new security products that work with behaviour and not just code.
“Artificial intelligence (AI) and machine learning (ML) in security is growing for this very reason. It puts the power back in the hands of the user.
“It also needs to become a board problem. Companies that leave it to the IT department to report on and fix are in a lot of trouble if they don’t bring the security problem to pride of place at the boardroom table.”
A good way to mitigate risks is to ensure that data is always backed up and available in case of a security breach.
According to the 2019 Veeam Cloud Data Management Report, organisations will typically invest R600-million this year in technologies such as the cloud, big data, artificial intelligence (AI), and the Internet of Things (IoT) to drive business success.
In addition, almost half of the respondents admitted that data protection is imperative to leverage these investments.
“Alarmingly, only 37% of businesses are very confident in their current backup solutions, with the majority (73%) admitting that they cannot meet current user demands,” says Kate Mollett, regional manager for Africa at Veeam. “This inhibits the adoption of tools and processes that can drive business advantage.
“Fortunately, decision-makers realise that work needs to be done and are looking at deploying better data management and multi-cloud solutions across their business.”
Considering that the average cost in time to resolve a malicious insiders attack is 51 days, can a business really afford not to take protecting its data seriously? On the positive side, Mollett says the introduction of legislation such as the General Data Protection Regulation (GDPR) and Protection of Personal Information Act (POPIA), has meant local organisations are more aware of the implications and taking data breaches more seriously.
“This is not only in terms of the business impact, but also the reputational damage, and loss of consumer confidence as a result. And, depending on the nature of the breach, fines associated with compliance and regulatory standards can be significant.
“Companies are very focused on securing their business, becoming more open with how they approach technology solutions, and partnering with other organisations. But as they expand their digital horizons, so too does the potential threat landscape,” she says.
Companies need well thought-out security strategies to protect both their users and data assets. Certainly, technological advances like the cloud and IoT are bringing about a change in how people do business, but this must happen in a secure and compliant way.
“This has seen a change in data management strategies today. Attacks can also be internal – think disgruntled employees, intentional hacks by cyber criminals, or plain human error. In fact, most data breaches are due to people unwillingly or unknowingly sharing company information. This is why phishing is still a massively successful way of gaining entry into an organisation,” she adds.
According to Mollett, technology has a huge role to play in building automated best practices around how data is managed in the organisation.
“Not only must the nature of data be understood and its availability realised, but those who need access to it must also be clearly defined. There will always be a possibility of human error. Of course, user awareness and education campaigns are vital to mitigate against this. Even then, there will always be really sophisticated cyber threats that even specialists might not be aware of. Therefore, the tools we use for data management must continually evolve to protect the organisation and its data.”