1989 was of a year of positive milestones which would have a profound impact on the way we live and work today. The World Wide Web was invented, the Berlin Wall was torn down, and the first GPS satellite went into orbit. However, not everything about the year was a cause for celebration. Alongside these progressive developments was the creation of the world’s first computer worm. Initially crafted to test the size of the internet, the worm spread out of control, causing devastation and alerting businesses to the importance of investment in security products including firewalls. This was the first defensive measure in the cybersecurity industry, and now in 2018, a year plagued by cyber-attacks, it is one of the most basic.
Cyber complacency?
In the past, cyber-attacks used to be so infrequent that hearing about just one breach in the news would be reason enough to invest in protection. Nowadays, not a day goes by without news of another hack being disseminated around the world. The temptation to roll your eyes, say ‘not another one’, and shut your browser is palpable. As human beings, we are adaptable; we learn to cope, learn to get used to things, and become desensitised to events that don’t directly involve us.
But becoming fatigued and showing complacency is one of the most dangerous things we can do. And if we need any more evidence than is already in the public realm, The National Cyber Security Centre’s recent report revealed the sheer scale of the problem, admitting to thwarting around 10 attacks every single week.
Where are we going wrong?
One of the things I’ve noticed in my role is both the chaotic nature of organisations’ cybersecurity strategies and begrudging reluctance towards investment. Of course, security is a broad term – it can encompass anything from continuity and recovery to governance. Yet regardless of the area, the trend remains: even when people are clearly literate on the topic, they aren’t putting the safeguards in place required in this day and age. Alternatively, they introduce adequate security practices when it’s too late and the damage has already been done.
Given the sensitivity of the data they carry, banks and building societies are the anomaly here. However, organisations spanning all other sectors are exhibiting an often shambolic approach to security at best. Some companies are failing to patch their systems, while some employees store important passwords in easily accessible files. I’ve even seen healthcare organisations operating on legacy systems, having no option but to isolate their systems when faced with a breach. Whether it’s cyber criminals or a state-sponsored attack, many businesses aren’t even monitoring their environments for attacks – and this could have serious repercussions.
A lax attitude
Why is it that we just aren’t taking cybersecurity as seriously as we should be? The introduction of GDPR earlier this year had an initial impact on organisations’ attitudes, as it encouraged them to map their data and develop their awareness of risk areas. But improvements are mainly being made in terms of data classification, rather than data protection.
Some organisations don’t have the budget to put the correct measures in place, or rather, they are prioritising spend elsewhere. What’s more, in the hectic world we live and work in, organisations are increasingly time short and allow security to slip down the agenda.
I’ve also noticed businesses over-simplifying their risk assessment process. A large proportion of organisations believe they will be impacted by a cyber threat in the coming year, but understandably also find it difficult to calculate the anticipated financial input and thus determine the value of investing in security controls in the long-term. Security tools don’t provide metrics that help quantify the value they provide.
What steps can organisations take?
There are some very simple, yet imperative steps for businesses to take now.
- Assess your value proposition – what’s the value of the business, and what’s the cost to the business if your systems go down? Organisations need to weigh this up against the probability of them suffering a cyber-attack and match with appropriate cybersecurity spend. A cyber-attack is even more likely than a flood these days, and an upfront investment could save you money (and soften a hit to your reputation) in the long run. Expert advice will be crucial to help you assess the value of each security tool for your business
- Segment your data – by taking the time to segment your networks, applications and data, you can ensure you’re protecting the most sensitive data. Creating a layer between servers containing sensitive data will reduce the risk of data theft
- Monitor your systems – you cannot manage what you aren’t monitoring. Without monitoring every system on which you have data, how can you build adequate systems for your applications? Businesses should regularly monitor their log files, including at app level, to ensure no one is trying to inject commands into their web service
- Invest in incident response plans – it’s not always possible to avoid a data breach, but establishing a clear course of action to mitigate damage in the event of one can help cushion the blow
- Explore your options: From DDoS services to volumetric protection, there are all sorts of cybersecurity options out there. However, consider that there are also free options that won’t break the bank. Some companies run free workshops to educate companies, so monitor what is out there and develop your knowledge
One thing is for certain: cyber breaches in their various forms are not going anywhere. All sectors are vulnerable to attack, yet there are highly transactional groups out there who will have to suffer before addressing their cybersecurity practices. Competition has never been tougher, and investment in cybersecurity is more than just the difference between success and mediocrity – it’s the difference between survival and obsolescence.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.