I was recently asked how we can demonstrate the value of strong cybersecurity management, and why an organisation should continue to invest, when they are not witnessing any successful attacks.
These are great questions and something that comes up regularly, so today I will explain how I address these concerns.
First, let’s look at the value of a strong cybersecurity management framework. Defending against threat actors is now part of everyday life for administrators, and it’s critical to budget for cybersecurity. Often customers only see the anticipated financial impact once they have been breached, but unfortunately this is only part of the problem:
- The financial impact is likely to be huge as it’s very likely your business will either be completely down, or severely impaired by the attack.
- Customers regularly fail to have implemented a robust business continuity plan and have nothing to failover to or restore from. The time it takes to restore from backups or rebuild from scratch tends to be completely overlooked. From experience I can tell you this always takes substantially longer than expected, and there is almost always a gap in the protection. This means that even after a successful restoration from backup, something will be missing. I strongly advise investing time into a business continuity plan, reviewing it regularly, and testing it.
- Whilst your organisation’s operational capacity is reduced you will still need to pay your employees, even though they cannot be as productive as they should be due to the outage. A breach often demonstrates that an organisation is not prepared for remote working or has no fault tolerance for critical systems. As I’ve previously discussed, organisations should take stock of their assets and identify single points of failure with the aim to remediate this issue.
- Not all attacks are intended to cause an outage to your business. Sophisticated threat actors can perform an attack with the intent of exfiltrating your intellectual property to then sell on to your competition, or leverage as ransom before they leak the data on the Dark Web. We are witnessing this type of attack more frequently. Yes, you may not pay to decrypt your files in the event of a ransomware attack, as you have robust backups to restore from. However, the attacker may well still hold you to ransom using the afore mentioned technique.
- Attacks targeting OT and IoT networks are on the rise. These attacks tend to be driven with the intent of causing physical harm by circumventing or overriding security controls. There is no way to recover from this if the attack succeeds.
- The damage caused to an organisation’s reputation is immeasurable. You may not have been financially impacted by an attack, but if your customers find out their data has been leaked on the Dark Web due to a breach in your organisation who are they likely to blame? I can tell you that it’s rarely the threat actor!
- If a threat actor has accessed Personally Identifiable Information, you are required by law to submit the breach to the Information Commissioner’s Office (ICO), else you will incur substantial fines. This process is very costly in terms of effort and time. You will also be required to contact anyone whose data has been accessed, again, damaging your organisation’s reputation.
If, after discussing the above points the decision maker still can’t see why investing in a strong, managed cybersecurity framework is critical, then I will show them the various vendors attack reports. These are independent research papers that detail the threat landscape, and provide real world data about the impact of these attacks:
Microsoft Digital Defence Report
CrowdStrike Global Threat Report
Lastly, why should an organisation continue to invest when they are not witnessing any successful attacks? There are many reasons to continue to invest and build on your cybersecurity posture:
- Threat actors are becoming more and more sophisticated.
- Whilst nation-state attackers may not attack you directly, the tooling they use can often be purchased on the Dark Web.
- Cyber-attacks-as-a-service are real. The extent of the cyber-crime networks are often unknown to customers. Cyber-criminals have vast funding and infrastructure and are run in the same way as most businesses. This enables them to offer off-the-shelf attacks with fully manned support teams to assist should the attack fail. This sounds farfetched but is very real.
- Keeping up with zero-day and emerging threats requires constant investment in threat intelligence and a team to be able to implement the counter measures.
- Threat actors do not operate exclusively during your business hours. Bad actors are clever and invest heavily in researching your organisation. They will know what hours your administrators are likely to work and will target their attacks to suit.
- Insider risk is a very real problem. No one wants to think their colleagues cannot be trusted, but unfortunately this is becoming a more common threat.
- Organisations that state they have never been breached or never had a cyber-attack almost certainly have – they just don’t know it!
By Shawn Wilkin, Technical Lead: Security at Transparity
At Transparity, we also offer a Managed Security Service that is built on three core security principles; Zero Trust (never trust, always verify), Least Privilege (provide only the access required, and only for the duration needed) and Assume Breach (always assume users or systems will fail). Click here to find out more about our Managed Security Service.