The majority of businesses are now very much aware of the threat of cyberattacks, and the damage they can cause. These threats include nation state actors targeting big multinational enterprises – recent research revealed that 8,000 of Microsoft’s enterprise customers were targeted by nation state actors in the last year alone. The threat landscape also incorporates SMEs. The Federation of Small Businesses recently found that such firms in the UK are collectively subject to almost 10,000 cyberattacks a day, at an estimated annual cost to this community of £4.5 billion.
Businesses are also aware of the need to invest in protecting their IT systems against such attacks. Companies globally are expected to increase cybersecurity spend by over a third in the next fiscal year, having boosted investment by 17% the previous year, according to one estimate.
However, whilst business leaders and heads of IT know that the threats are very real – and very damaging – many lack comprehensive knowledge of their company’s attack surface. Digital infrastructures are complex, comprising numerous components, end-points, cloud-based platforms, and software apps. These are used by numerous employees in different locations and with differing levels of rights access. Visibility into every aspect of this landscape is crucial, and must include insight into every endpoint and the behaviour of every user connected to a network.
Wielding cyber intelligence
Vulnerabilities must be detected in near real time, and resources readily available to address and remove these before they have a chance to do further damage to a network. Skills and education are also required, in order for personnel across an entire organisation to really understand how to access and use ‘cyber intelligence’ and wield this effectively to best protect their business.
SMEs may find this a tough ask. Few business leaders are blessed with unlimited funds to throw at cybersecurity, so building up an in-house army of cybersecurity pros who can work continuously to monitor, assess, protect, detect and respond to threats, is rarely a realistic option. This is an issue we’ll address later. First, let’s return to the challenge of the complex, ever-growing (and often pretty murky) attack surface many companies must govern.
Bring your own device – and widen your attack surface
Digital transformation, the IoT, migration to the cloud, AI, big data and remote working have all contributed to hugely complex IT infrastructures. The fact that employees are no longer accessing networks and data on-premise has compounded this issue. The bring-your-own-device (BYOD) market, for example, will be worth an estimated $366 billion by 2022, and it’s easy to see why. The nature of the workplace is changing, with more of us working remotely and with multiple devices. To successfully evolve, businesses must support this shift for the benefit of their employees and themselves; Cisco has reported that organisations with a BYOD policy in place save an average of $350 per year per employee.
However, this trend has also upped the risk of hackers breaching network defences and gaining access to IT infrastructure, and (hugely valuable) data. As the number of endpoints connected to a network increases, so too does the size of the threat landscape. The most straightforward way for a hacker to infect a network with ransomware, to steal data, or to cryptojack an employee’s device to secretly mine cryptocurrency, is via a connected endpoint. Whether it’s a FTSE 100-listed global mega-corporation, or a tiny start-up at a WeWork desk: all organisations have one thing in common. Endpoints are managed – and sometimes owned – by the weakest link in the corporate chain: employees. One 2018 report found that a massive 90% of organisations are vulnerable to insider threats, and more than half have experienced an insider attack in the last year alone.
Even if an organisation does not have a BYOD policy in place, its network will likely still incorporate numerous connected devices. Many IoT devices do not have adequate in-built security, and even if this is embedded when a device is added to a network, maintaining high levels of security on an ongoing basis remains a challenge. Unlike other connected endpoints, IoT devices are not easy to patch: imagine the difficulty in patching a connected medical device like a pacemaker, for instance.
IoT and security debt
All businesses must make trade-offs with security, including making decisions based around the value of assets versus the cost of securing them or the cost of the risk to an organisation – something we’ve termed ‘security debt’. Every time a device manufacturer takes a shortcut to save money or time, there is debt accrued in association with that particular device. This is inevitable in order to keep costs down, but when someone then buys that device type, they inherit the debt that the manufacturer gained, and eventually, with many thousands of devices being bought, this becomes unmanageable. As a result of the low costs of producing IoT devices and their low retail value, the amount of debt relevant to that device can escalate very quickly. In order to combat this, businesses investing in IoT devices need to find out the manufacturing habits of sellers, the quality of devices, and whether they adhere to certain standards. The solution? Again, it comes down to knowing every aspect of network and business operations, including weak points in supply chains or distribution channels, which could offer attackers a chance to sneak in by the backdoor.
The device is not the only area of security which must be monitored, assessed, protected and managed on a continuous basis. The platform which connects all these devices is also a potential attack point for a hacker. Enterprise cloud service providers may have potential buyers convinced that these environments are super secure and super-easy to secure – but that’s rarely the case. They’re complex and, especially for businesses with limited resources, can be difficult to manage. Amazon, for instance, allows its enterprise cloud ecosystem customers to set 2,700 user permissions – that’s a lot of variables to manage, and most business users don’t fully understand how it all works.
With so much data storage and such frequent network access performed off-premise, simply bordering applications and hardware using firewalls and the like is akin to protecting the crown jewels with a garden fence. Hackers can jump over, go through and break down these defences by exploiting endpoints and external network connections. To achieve the robust Tower of London-esque protection that’s needed, businesses must move away from the idea of perimeter security. Instead, they must first gain a complete view of the network infrastructure making up their threat landscape, and use this as the starting point for any new cybersecurity strategy.
Protecting the crown jewels is everyone’s business
The finger of blame cannot be pointed solely at those employees who fail to follow security best practice. IT managers and decision makers must also take responsibility for enforcing security protocols and having complete, continuous visibility into the entirety of their network infrastructure.
Fortunately, these functions don’t have to be conducted in-house. Not all businesses have the resources, knowledge base and solutions required to gain this insight. The solution is simple: outsource to those who do. SecureData offers a managed service for network access, and today, many of our customers are benefitting from network monitoring, help desk support, checking and updating of security systems, and deployment of patches, updates and upgrades to device-specific software, around the clock. As a result, these IT teams are also benefiting from an ability to focus on business-critical work, free from the constraints of continuous, proactive application monitoring.
A business can be resource-rich or scrambling for time and finances. Yet without a shift in mindset, its network will remain unsecured and complex to manage. All organisations must recognise cybersecurity as an ongoing process of assessing, protecting, detecting and responding to evolving threats, and all must adopt a proactive approach to knowing and hardening network systems. This isn’t an IT team issue – it must be prioritised at board level. I’m sure all CEOs know the level of damage and the need for investment in cybersecurity systems, but you can’t protect what you don’t know. Knowledge is power!