Cyber crime as a service is the new reality, and businesses need to fight back with better defences. They can start by getting back to basics.
Remote working. Previously unknown exploits. Phishing. Smishing. Ransomware. Compliance. It’s a cliché to call the internet the Wild West, perhaps even an insult to the denizens of the old West, but the reality is that businesses today are under extreme pressure to ward off cyber attacks.
Businesses know this, but the question is: do they know how to respond to it?
“There is, I think, a recognition that the threat landscape has changed,” Paul Casey, chief operations officer at network IT and service management solutions company Paradyn, said. Legislation has had an impact, of course, notably the EU’s general data protection regulation (GDPR), which has lit a fire under companies that hold or process customers’ personal data.
“Following on from the likes of GDPR there is a lot more compliance among medium and small enterprises. Of course, large pharma, banking and governments were already used to a level of compliance,” he said.
Casey said that one of the important aspects of GDPR was that companies had to not only do the right thing, but demonstrate good faith. Insurers, too, want to see the right policies in place, otherwise they may adjust rates or even remove cover. “Even from an insurance perspective, businesses are looking to demonstrate that they’ve done the right thing,” he said.
Clearly, then, the pressure is on. There are methodologies out there, though, that can help, notably from the Centre for Internet Security (CIS) and National Institute of Standards and Technology (NIST), adherence to which can give businesses confidence that they are doing things right.
“We’re doing a lot with CIS controls. There’s another one, NIST, and there’s also ISO 27001. They all work in similar ways: what they do is allow an organisation to examine and understand everything they do.” Casey said that adherence to these standards led to what he called ‘security hygiene’. “Cyber security hygiene is like personal hygiene: you will be more prone to infection if you are not looking after hygiene,” he said.
Despite the whirlwind of change, businesses have a responsibility to themselves and to their customers, one that is increasingly present in law. “The boundaries have all moved, but the fact is you still have to control things. You need to find out where you’re doing well and where you’re not and work from there,” he said. “That’s where the frameworks come in.”
The goal is a different way of thinking about security, one that means stepping back from saying ‘right, I need another box with lights on it’ and instead looking at the data, systems and network that run a business. “It’s really not about putting another box in,” he said.
In fact, businesses often trip up on basic measures such as patching and updates. The threat from this seemingly trivial fault is very real indeed, and businesses may find they are entirely exposed as a result, especially as so-called ‘zero day’, or novel, exploits are on the rise. “The Chrome browser has had 12 zero day exploits this year alone,” said Casey.
In any case, businesses need to get the basics right before they can move on to more complex measures. As a result, auditing processes is at the top of Paradyn’s list of crucial steps to take in the fight to protect its clients from online criminals.
“If your processes aren’t right, if your users aren’t being trained, and your users on-boarded and off-boarded correctly, then there is a problem. These are things that organisations need to think about and it requires a formalised approach,” he said.
Casey said he is not arguing there is no requirement for new technology, however.
“There are next generation tools with the capability to mitigate against new threats, but if those tools are not implemented in the right way you’re not going to get maximum benefits or, if it’s particularly badly done, you’re leaving yourself open,” he said.
Paradyn also helps to produce reports for internal teams or for businesses’ own cyber security teams, helping to ease the burden on often already stretched IT staff. “Keeping on top of everything that is changing – the Windows 11 rollout, all of your ongoing projects – is a difficult job as it stands,” Casey said.
But keeping on top of things is essential. A recent report in trade newspaper Computing indicated that it is not only legitimate businesses that are leaning on service providers: strange as it sounds, hackers are now offering criminal gangs ‘exploit as a service’. As a result, the only possible response is to seek external help to fight off the growing threat.
“There’s a massive demand for security services,” Casey said. Little wonder.