The Government has released a survey detailing business action on cyber security and the costs and impacts of cyber breaches and attacks. This comes hot on the heels of yesterday’s report on cyber attacks from the British Chamber of Commerce. IT security experts from Cylance, Imperva, FireMon, Synack, Lastline, Corero Network Security, Tripwire, NuData Security, Digital Guardian and Bitglass commented below.
Anton Grashion, Managing Director-Security Practice at Cylance:
“This is probably an underestimate if anything. Two reasons for this, firstly, this assumes they even know they have been hit, secondly people are more likely to under-report. Evidence of our testing when we run a POC with prospective customers is that we almost invariably discover active malware on their systems so it’s the unconscious acceptance of risk that plagues both large and small businesses.”
Amichai Shulman, CTO and Co-Founder at Imperva:
“Our experience show that 100% of businesses are under attack. With 20% of companies being breached while only 24% believe they have proper security stance we can only repeat the cliché that there are two types of business those that have been breached and those that don’t know that they have been breached yet.”
Paul Calatayud, Chief Technology Officer at FireMon:
“When reflecting on the statistic that one of five British business have been hacked by cyber criminals I immediately think to myself, this is only the tip of the iceberg. As a cyber defender my entire career, this static tells me half the story given that half of those that were surveyed and responded with the belief they were not hacked simply are not aware that they may have been hacked and were never aware. This can be supported a number of ways but one alarming statistic is that the average hack usually is not detected for longer than 209 days.
British business need to realise there is an entire global cyber criminal economy that out earns the illegal drug industry in terms of revenue. And as such, cyber programs need to wake up and adapt into a detect and response approach that places equal investments in prevention as it does detection of hackers.”
Phong Le, manager at Synack:
“Businesses shouldn’t rely too much on IT providers in resolving their security issues. Executives at the top need to stop outsourcing security risk to the IT department. The good news is that we’re starting to see business leaders being held accountable for data breaches. Negligence hurts compensation. Negligence also cripples business earnings. Although regulations like GDPR are a step in the right direction, let’s not make the mistake of being compliant for compliance sake. Leaders need to do WHATEVER IT TAKES to avoid security down time because in the end, it hurts the bottom line.”
Marco Cova, Senior Security Researcher at Lastline:
“Though the area of cyber security is vast, there are some low hanging fruit that we still see neglected even in some of the largest of companies.
- Companies should help customers enforce safe password practices
- Companies should keep customer credentials safely encrypted such that if they are compromised at some point, the damage to their customers is at a minimum, whether that threat comes from the inside or the outside of the organisation
- Remaining vigilant in enterprise-wide patch management to keep all application and operating system patches up to date is crucial
Companies should also ensure a comprehensive malware defence strategy which uses behavioural analysis of files versus the first-generation method of signature-based identification. Signature or hash based identification is becoming obsolete by the malware development community’s ability to iterate on variants faster than the malware databases can keep up. These new innovations in malware allow this environment-aware code to lay in waiting for long periods of time, within the enterprise, until such time as the attack sequence is optimal. This single trend changes everything.”
Stephanie Weagle, VP at Corero Network Security:
“Attackers will always find new exploits, and new attack methods of disrupting financial opportunity, extortion, accessing personally identifiable data, and disrupting an organisations online availability. Cyber-attack activity is prevalent today, more than ever – especially when it comes to DDoS attacks.
“While the Internet has been fighting off DDoS attacks for over a decade, these denial of service attacks are taking centre stage as the techniques have become much more sophisticated in nature. Coupled with the ease of securing DDoS-for-hire services, access to massive botnets, and unlimited motivations we are seeing a far more dangerous concoction of attacks taking down major institutions.
“This elevation of risk comes at a time when DDoS attacks continue to increase in frequency, scale and sophistication over the last year. 31 percent of IT security professional and network operators polled in a 2017 survey conducted by Corero experienced more DDoS attacks than usual in recent months, with 40 percent now experiencing attacks on a monthly, weekly or even daily basis. To alleviate this problem, 85 percent are now demanding additional help from their ISPs to block DDoS traffic before it reaches them.
“The biggest DDoS risk factor, which was cited by almost half of the respondents (45 percent), was the potential for loss of customer trust and confidence. Lost revenues were also a serious concern (cited by 17 percent), while malware infection (15 percent) was also seen as a potential problem.”
Paul Edon, Director at Tripwire:
“Many businesses still remain unprepared for a cyber attack because it’s difficult to prepare for something you don’t understand, can’t visualise, and haven’t experienced. The dynamic nature of cyber attacks often makes it hard to pinpoint a root cause, and so executives with a desire to prepare are faced with choices, rather than clear actions to fund.
The top three measures a company can take to mitigate cyber risk are:
- Start by understanding the risk you have. You have to conduct regular, preferably continuous, assessments of configuration and vulnerability risk across your IT systems. The attackers will be doing the same.
- Don’t ignore the simple, best practices. Keep software up to date, apply security patches, change passwords, and make sure terminated employees and contractors don’t have access. This security hygiene goes a long way to making the attackers’ job more difficult.
- Train your employees on how to recognise a scam. Much of cyber security is about human nature and social engineering. Training must be ongoing because the attackers change their tactics.”
Robert Capps, VP of Business Development at NuData Security:
“It is revealing that the report finds one in five businesses have been hacked, and that only 24 percent have protective measures in place. The inevitable conclusion, even though the correlation isn’t made in this particular report, is that companies are still slow to respond to the risk of cyber attack until it happens, at which point, then they acquire necessary protections. A situation which leaves companies vulnerable and only perpetuates the risk of cybercrime online.
The report indicates that enterprises are more likely to be attacked than SMB’s, yet defines a large company as over 100 employees. Other reports, such as the Symantec’s 2016 Global Threat Report indicate that only 35 percent of cyber attacks target large enterprises over 2500 employees. Whatever the exact breakdown is, SMB’s are typically less prepared than larger enterprises which usually have large fraud and security teams in place. Enterprises present bigger targets and are hit with different sorts of attacks. No matter what their size, all businesses should take note that computer intrusions and hacking are now a fact of life. Small or large, companies should ensure that they have appropriate incident response processes and preventative measures in place and make sure that there are no single points of failure in the response chain. All online businesses should make ensure that an appropriate accounting of actions, impacts, and learnings are provided to senior management, so improvements can be instigated. Poorly managed computer intrusions lead to most unmitigated data theft incidents, such as we’ve seen in recent high profile breaches.”
Thomas Fischer, Global Security Advocate at Digital Guardian:
“This latest government study reflects the difficulty that organisations have in tackling cyber crime. In many cases, firms rush to fix the latest high profile vulnerabilities instead of understanding what the real risk is and looking at where to best use their resources. To stay ahead of the cybercriminals, businesses must prioritise data protection. Too many companies focus on prevention, malware detection and remediation capabilities instead of properly securing the data itself. If companies have the appropriate data protection technology installed in their environment, it can prevent it from being accessed or exfiltrated by malicious attackers.”
Eduard Meelhuysen, Head of EMEA at Bitglass:
“The growing popularity of public cloud applications has fundamentally changed the way many businesses operate, but it has also created a number of previously unseen data security and compliance issues. At the same time, the number of high-profile hacks and the creation of new data-focused regulations like GDPR are putting pressure on enterprises to assess their data protection policies. Today’s study underlines that enterprises that don’t begin to take data protection seriously will inevitably suffer a high cost to their business.”
