Outrunning the bear

It won’t happen to us. If ever there’s a text-book example of giving a hostage to fortune, then these five fateful words are it. Fact is, if it hasn’t already happened, every company will suffer a cyber attack, and probably sooner rather than later.

According to the Cyber Security Breaches Survey 2018, seven in ten large businesses reported a data breach or attack on their systems over the past twelve months.

“For many enterprises penetration testing once a year is simply inadequate…”

A successful attack can bring down even the most robust of companies.

It’s not good for a business to have to admit that it got caught with its IT pants down. Even though they have been targeted, some companies are able to avoid breaches becoming common knowledge. However, when consumers are affected, disclosure of a breach is often unavoidable, as attacks on TalkTalk, the NHS, Maersk, Ticketmaster, Equifax and now British Airways show.

The financial cost of disinfecting systems and plugging the security holes exposed by a breach can be significant, but it is likely to pale into relative insignificance against the fines levied under the newly-in-force General Data Protection Regulation (GDPR) if a breach is proven to have been the result of inadequate defences and policies. Add to that the damage to customer confidence and the resultant loss of revenues, and a successful attack can create a perfect storm that brings down even the most robust and long-established of companies.

Cyber crime cost UK business £21 billion in 2017

What’s the problem?

Chief Information Security Officers need no lectures on these risks; they are paid to inoculate their companies against such events.

The problem many CISOs have is carrying boardroom colleagues along with them on the journey of understanding the threats and agreeing to mitigate them effectively. Inevitably the discussion turns to money, and then the push-backs begin.

Part of the problem is that cyber crime and the broader cyber security landscape is dynamic. Not only does the nature of the threat change constantly as perpetrators latch on to new techniques or turn their attention to newly-found weaknesses, but in dynamic enterprises systems are in a constant state of change too. A business might ask itself the question ‘how vulnerable are we?’

Whether the answer comes from a box-ticking exercise or from a robust set of pen tests, by default it can only be truthful for a moment in time. In week one of the year it might be accurate; by week two it may be misleadingly and dangerously comforting.


Most organisations, large or small, are unable to address the basics of cyber security:

  • Pen testing doesn’t scale and is poor value
  • Most are unaware of their security posture and unable to patch or configure their networks effectively
  • They are often caught out by common forms of commodity cyber crime
  • Common forms of cyber attacks account for around 80% of economic impact

Large organisations are unable to address third-party cyber security risks:

  • Targeted cyber attacks typically emanate from subsidiaries, suppliers, partners and customers
  • Common cyber attacks against third parties cause business interruption for large organisations
  • Audits are costly and impractical, and lack objectivity and accuracy
  • Organisations lack the empirical data to make third-party risk management decisions

Accurate evaluation of risk is essential.

As a telco, Gamma’s job is to enable customers to communicate securely and reliably. We therefore take the process of evaluation and mitigation of risk in our network and our internal systems to a level that might be regarded as extreme by many people.

But, as Gamma CISO Brian Mulligan observes: “The level of risk is quite different for enterprises operating in most other sectors, and boards need to keep in mind that spend on evaluation and mitigation, even with the advent of GDPR, is required to be proportionate.”

Mulligan agrees with the notion that, for many enterprises, once-a-year pen testing is simply inadequate, either to ensure that systems and data are appropriately protected or to demonstrate to the Information Commissioner that proportionate evaluation and protection measures have been taken.

However, with the advent of automated pen testing tools such as CyberScore from Gamma, companies can afford to carry out regular comprehensive testing.

That in turn enables properly informed evaluation of threats and weaknesses to be made, and defences against the prevailing threats to be kept not just fully up to date, but verifiably up to date.

In 2016 UK businesses suffered 2.4 million successful breaches

Most malware and other attacks are people using old technology to look for the low-hanging fruit: companies that are vulnerable because they haven’t done the basics. If you have done the basics, they’ll move on somewhere else.

Automated tools can be a huge help to:

  • Get leadership on board.
  • Establish a proper cyber-aware culture throughout an organisation.

And if the ICO do come knocking at your door, you will be able to clearly demonstrate that your organisation has taken steps to improve security, and that you’ve not been resting on your laurels.

That in turn will inspire trust amongst your employees, suppliers, and, most importantly, your customers.

Mulligan explains that you don’t have to outrun the bear; you only have to run faster than the guy next to you.