
Is Cybersecurity Complexity Making Us All Insecure? 

By Elliott Wilkes, March 11, 2025

As the goal posts of what it means to be (and remain) ‘cyber secure’ constantly change, one thing stays constant: all organizations are viable targets for cybercriminals. It doesn’t matter whether you’re a large enterprise business, startup, or a government department, the challenges of cybersecurity remain relatively similar for all – and it’s getting harder to protect organizations thoroughly from new and increasingly voluminous threats. The complexity of cyber environments may present several issues for an organization, but the solution hasn’t necessarily changed.  

For one thing, we need clear reporting. Setting clear reporting lines that have been trialled and approved by the NCSC (National Cyber Security Centre) remains the most effective solution to the ongoing problem of cybersecurity. As cybersecurity becomes increasingly complex, keeping cyber policies simple and transparent might just be the best course of action. A recent report from the National Audit Office (NAO) claimed that the UK government is far behind on its targets to improve cybersecurity and has stated that the threat to the UK government is “severe and advancing quickly”. This leaves us with one big question: Is the complexity of cybersecurity making it almost impossible to remain secure? 

Increased Complexity for Growing Organizations  

Within organizations today, we take for granted the ability to host video calls with our colleagues on the other side of the world, to live edit a document between teams, to build a proposal document in the cloud and to access data at any time, in any location. Yes, we all recognize this world, but we think very little about it. It’s easy to forget that there is a network connecting all our devices, all the applications on those devices, and all the internal and external networks we use to allow us to continue with our connected life.

For the CISO, the problem grows and grows as the business extends to multiple countries with thousands of employees, many of whom bring their own devices to work, like their personal phone or tablet. Recent research has shown, worryingly, that half of IT professionals acknowledge the likelihood that there are devices connected to their company network that they don’t know about. Now imagine that just one insecure device can give hackers the key to your entire network – a troublesome, but very possible image.  

Think of an enterprise company operating in over 130 countries, with hundreds of employees in each country and thousands of devices: the security issues seem unmanageable. For each connection to the internet, be it a printer, a mobile or anything else, there will be an IP address. Together, these connections make up what’s referred to as an ‘attack surface’, and this could encompass thousands of endpoints. Being able to monitor or scan that attack surface is one thing; being able to report on it is quite another.

For government, and by definition government departments, the problems appear to be simpatico with the structures of commercial enterprise. Many people, in many geographies, share data in cloud applications, bringing their own devices and with multiple domain names and derivations of domains.  

On first consideration the problem seems enormous, but, with a little investigation, it seems the NCSC are working with a number of parties to look at how this can be resolved. What is emerging is not the ability to scan all of these connections to the internet, but how to report them. But to understand why organizations are being targeted more frequently, we must get into the mind of a hacker and understand the evolving ways that hackers are targeting organizations. 

Increased Complexity of Cyber Criminals 

Under the constant barrage of news reports on cybercrime, it seems that there are threats at every turn of modern life. The statistics paint a worrying picture (for example, half of businesses in 2024 reportedly suffered from a security breach or attack), and it doesn’t look like it will get better anytime soon.

It’s clear that whether we like it or not, there is a war being waged by cybercriminals on organizations in both the public and private sector. Following the scent of money, notoriety and power, criminal gangs have, in turn, evolved and organized in a way that reflects many large corporations. 

We often think of the stereotypical image of a cyber attacker working alone from their bedroom, but this is becoming less common. Instead, attackers are operating in a similar way to the organizations they are aiming to breach, making defending yourself that much more difficult. Whilst cybercriminals attempt to mirror the structure of organisations, they also mirror their goal of making money.  

That’s why, as we’ve seen over the past year with gangs like LockBit, when a ransomware gang is taken down, they’re quick to pop up again elsewhere. These enterprises are too lucrative to give up. With this in mind, the recently proposed ban on public sector ransomware payments by the UK government could be an effective way of deterring cyber criminals and, if so, could become the norm for all organizations in the UK.

How to Cut Through the Complexity 

Scanning for cybersecurity vulnerabilities within an organization simply isn’t enough anymore to counter threats. In a dynamic world, the snapshot PDF report that many IT teams are used to receiving simply won’t cut it. Being able to view all of your assets in real time, knowing what is behind those assets and being able to tag or label them appropriately is key for organizations. Then being able to sort those findings into the most critical, know who owns them and what needs to be done gets you a long way to closing off a vulnerability.  

Every organization has different reporting structures, varying levels of knowledge on their assets and complexity of their own making. This is where an ‘Attack Surface Management Tool’ is vital in helping organizations and departments within those organizations to report their attack surface and their vulnerabilities in a way that is meaningful and timely for them.  

Taking Action 

Whilst there may be inertia within our private and public sectors on addressing cybersecurity postures, it is also clear that there is the expertise and a growing industry to keep us all secure. Organizations within the private and public sector need to take responsibility proactively to avoid becoming a prime target for cybercriminals. One thing’s for certain; attack surface monitoring is as important as a fire alarm within a business: until you need it, no one notices if you have it or not. 

Elliott Wilkes

Elliott is a technologist with over 15 years of experience in some of the largest and most complex organisations in the world. He has led large technology efforts across the globe in Europe, Africa, the Middle East, and the US. He’s served as an advisor and technology leader at the White House, US Department of State, the US Department of Defense, United Nations, and UK Ministry of Defence, among others. Most recently, he’s been an advisor on cyber security at some of the highest levels of the US and British military and civilian leadership.

    The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
