How businesses can improve their cyber resilience [Q&A]
Governments are keen for enterprises to improve their cyber resilience, but research from Skurio finds just under half of private and public sector organisations surveyed say that lack of resources and in-house expertise prevent their organisation from keeping up with and protecting against new cyber threats.
We talked to Jeremy Hendy, CEO of Skurio, about the barriers to businesses becoming more cyber resilient and the calls to action for C-suite, info-security departments, and the industry.
BN: What is preventing more businesses from becoming cyber resilient?
JH: Skurio's recent research among small to medium sized UK businesses identified that insufficient budget, staff resources, and lack of in-house expertise prevent businesses from keeping up with and protecting against new cyber threats. At the other end of the scale, around one in five businesses would need greater awareness about the benefits of digital risk protection (DRP) or reasons why they need it before making an investment. Over 60 percent of organizations plan to introduce a dedicated DRP solution in 2022 or bolster existing capabilities.
Another issue the research identified is that, whilst most businesses now have some form of digital risk protection (DRP) in place, this is typically delivered via supplementary features in solutions such as Microsoft 365, password management and antivirus software. Many admit they are still vulnerable to attacks. 60 percent of organizations cited they are not well or fully protected against threats from data breaches, malicious domains, supply chain risks and intellectual property attacks.
Firewalls, spam filters, and anti-virus software can't provide sufficient protection to defend businesses against all cyber security attacks. Even if these defenses are watertight, any organization is still at risk from supply chain attacks or data breaches from third-party apps and 'shadow IT' that employees routinely use. Businesses also struggle to prioritize software and firmware upgrades because releases are more frequent these days. And, no matter how diligent security teams are, they are also reliant on their partners to keep up to date.
BN: What are businesses' biggest cybersecurity concerns?
JH: The most pressing concerns raised in the research were:
- Network attacks
- Data breaches from the organization's own network and staff
- Data breaches from third-party suppliers
Skurio's study highlighted that, despite concerns about ransomware attacks, their primary concern was to prevent the types of threats that could lead to a ransomware attack in the first place.
But businesses 'don't know what they don't know'. The reality is cybercrime activity across the surface, deep and Dark Web is escalating. Customer and company data, personal profiles and passwords are becoming the most sought-after goods on Dark Web forums. Ransomware attacks are routinely involving 'double-extortion' techniques, where data is stolen and potentially exposed regardless of whether a ransom is paid.
The upsurge in malicious domains -- fake web addresses that impersonate another brand or business -- is relentless, with consumers routinely tricked into believing they're in contact with a genuine brand or organization, only to discover that the goods and services are fake, their personal data has been stolen, or their device has been exposed to malware. Inevitably, we have also seen an increase in third-party breaches due to more complex digital supply chains.
BN: What are the calls to action for the C-suite?
JH: It is essential that business owners and the Board understand the fast-evolving cyber threat landscape. They need to be educated, look at different ways to educate employees and provide specialist training for the IT and Info Security departments.
An organization's cybersecurity strategy must be top of the agenda -- I know from conversations with those working in info security and IT departments that a perennial struggle is getting the right support and buy-in for cybersecurity from the executive board.
BN: What practical steps can businesses take to mitigate risk?
JH: As a starting point, employees and contractors should have strong, unique passwords for each application -- ideally using a password management tool. Also, organizations should use Multi-Factor Authentication (MFA) wherever possible to avoid unauthorized system access. If you don't, it's easier for cybercriminals to gain access to your data and the apps you use. Once they have a username and password, every transaction will be treated as valid and usual security measures can’t prevent it.
Timely updates of security patches on computers are becoming even more crucial to protect systems. This is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cyber security threats.
It's critical that businesses are aware of Dark Web threats. One way to do this is by introducing a Dark Web monitoring service through a managed service provider or specialist solution. This will alert you if your data is offered for sale or your business is mentioned by hackers or ransomware gangs. Using an automated tool is the safest, most efficient way to do this. Manual research requires skilled and experienced staff and runs the danger of detection by criminals or inadvertently downloading malware.
Other measures include being proactive to identify fraudulent web addresses mimicking your corporate sites. If a suspicious domain is identified, you will need to establish if a website or mail service has been set up. The domain can be used for phishing campaigns even if no site is present. Takedowns can be a challenge because scammers use privacy regulations to retain anonymity and removals require justification, typically using a trademark or copyright infringement, or evidence of illegal activity. Using a specialist takedown service is advisable.
BN: What can organizations do to mitigate risk against third-party breaches?
JH: Early detection of breached customer data is critical when using third-party suppliers, because data protection remains your responsibility. You should continuously monitor for your data appearing outside your company’s network. Ensure third-party network access is restricted to the minimum necessary for their role, which will limit the damage an attacker can do by compromising them. Strict processes should be in place around sending sensitive files externally to reduce the risk of copied datasets being leaked.
BN: What is the call to action for the industry?
JH: The digitization of domain registration has removed friction from the process and organizations can now purchase domains, hosting and email services quickly and efficiently. But it is just as easy for criminals to do the same. And they can hide behind GDPR and crypto payments to protect their anonymity. Better regulation is required to prevent scammers from using these facilities at the expense of legitimate businesses and their customers. That said, it would require nothing less than international cooperation at the highest levels to put new regulations in place. With no changes in sight for the near future, we would encourage service providers to introduce their own best practice measures to prevent the registration of malicious domains and improve their response to requests for justified takedowns -- a process which is all too often protracted and difficult. Keeping track of individuals or organizations that have had takedowns successfully enacted on their domains could prevent them from continuing the practice.
The same goes for providers of social media platforms and advertising services -- preventing fraud and scams by denying criminals the ability to set up accounts and fraudulently advertise must be a priority too.