Cyber security (or, rather, the lack of it) is often in the news these days and for good reason: according to The Hiscox Cyber Readiness Report 2019, the majority (61 per cent) of the firms it surveyed reported they had a cyber incident within a 12-month period, up from the 45 per cent seen in last year’s report. The report also noted that progress on “cyber preparedness” appears to have stalled, with nearly three-quarters of those businesses it surveyed “failing to reach our threshold for expertise in any area”.
So, what’s to be done? A natural place to start is your cyber security budget. James Bore, IT security manager at Merlin Entertainments, says this is industry-dependent, and adds “[the figure] that gets bandied around is [that] 10 per cent of IT budget is your ideal spend [on cyber security]. Big financial banks, defence companies and similar [organisations] might stretch to up to 13 per cent… [this] is a bit excessive, it tends to go more towards the latest whizzy tools than effective security. A small accounting firm or smaller business can get away with maybe three to six per cent. Three per cent should be the absolute minimum you’re looking at spending in any environment because you really can’t do much for less than that, [especially as] you have to factor in the people who need to do it as well.”
At its core, Bore says cyber security is about “understanding your entire estate, building up vulnerability management and then monitoring that estate effectively for threats, incidents and attacks.
“You can’t protect a system, network, ecosystem without understanding it, and for you to understand it, you just need to know what’s there. So, your initial context is ‘what’s on my network?’, and that’s a step that’s often missed. From there, you go to ‘which bits of my network, which systems do I care most about, where are they weak and where are they strong and which ones will people be targeting – or which ones would be hit by collateral damage in the event of, say, a ransomware attack?’; so the context is all of that business information that you wrap around the technical architecture so you can then build security appropriate to your business.”
If you are a small or medium-sized enterprise and looking to obtain a managed service, which Ryan Orsi, director of product management at WatchGuard, recommends, he also advises opting for a company that “has a suite of products that cover different attack vectors. Make sure they offer a perimeter gateway security solution [sometimes referred to as a unified threat management appliance] or something that really protects the internet connection, and make sure that they have [an] offering that searches for anomalies, suspicious behaviour [and] zero-day malware on end-points [along with something] that protects the Wi-Fi at that location.”
Orsi also highlights that such companies also need to be able to protect your remote workers, given the popularity of working from home, such as providing a virtual private network (VPN) back to the corporate office.
Integration & implementation
“The key part is the integration,” says Bore. “The major vendors – some have flashy graphics, some don’t – but
capability-wise they’re all much of a muchness now, and where you can really get additional value is if they can integrate with other systems effectively – so whether your vulnerability management tools can integrate with configuration managers and tie into your SIEM (security information and event monitoring) system to provide extra context around events that might occur, that’s a lot more valuable than just having a top-of-the-line vulnerability scanner and monitoring system.”
Bore adds that integration “needs to be almost a modular thing. If you’re building too much custom integration between systems, unless you are doing it all in-house, that’s going to tie you to those systems for a long time.” In the case of in-house integration, “nothing beats a good, well-documented API”, and those with these will be happy to share the necessary information. “The other option,” Bore says, “is pre-made integrations, and again a lot of the providers out there have built integration systems with everything from ticketing service desks all the way through to intelligent threat detection systems.”
Orsi says one common mistake is simply failure to follow best practice when it comes to implementing cyber security systems. “Security technology can be amazingly effective, but implementation issues and mistakes can [open] the door to security risk, even though the products are very capable.” It is therefore worth asking the consultants or salespeople you are dealing with: “What is the best practice to implement this technology?”
He also notes that multi-factor authentication, which traditionally has been employed by large enterprises, has become a lot more accessible to “the mid-markets, the small businesses. One of the main reasons people get hacked on Wi-Fi is to have a password to their email or their salesforce account stolen. If it’s protected with multi-factor authentication, it’s kind of useless anyways. You could write your password on a sticky note on your laptop with confidence because no-one can really access any of your private data, unless they have your authentication token.”
The weakest link
Because cyber security (unlike most other business activities) involves defending against people who are actively looking for vulnerabilities, it is important to realise that your system is ultimately only as secure as its weakest link. “One of the famous stories is about a casino where their highly secure network was broken into and their high-rollers database was stolen because they used a smart thermostat in the aquarium,” says Bore.
“So, it’s [about] making sure you [implement] technology in a comprehensive way rather than dropping in the latest flashing-lights tool which promises to solve the whole problem. [Cyber security] is a slog, it has to be built from the foundations upwards.”
Unfortunately, the weakest link is often people. “It’s a lot easier to get in through people than it is trying to break through cutting-edge firewalls, and technology won’t solve everything,” Bore adds. “It’s not that staff are stupid, it’s that people get tired, they aren’t necessarily paying attention at the time and it is very easy to open an attachment/link, open a phishing email or even just react to an email from the executive saying ‘can you do this payment for me?’.”
Don’t be phish food
This makes training your staff important and Bore says some companies offer phishing testing – they will set up tailored phishing attempts against your business, which if they succeed will take the person who was fooled by them through to a page that explains what they did wrong. He adds that systems such as Mimecast, which protect email servers, “will cut out a lot of the chaff and a lot of the phishing emails, but they will never be 100 per cent, and equally even the best anti-phishing training programmes I know of can get responses down to maybe five per cent successful”.
Given this, it is worth considering what processes and procedures you have in place to deal with a cyber security incident should it arise. Because the extent of the damage or disruption is likely to be time-sensitive, it pays to have worked out in advance who should speak with whom, especially when a lot of people need to be involved and/or are in different countries or timezones. It is also important to have planned how to stop your employees and customers flooding your IT teams with job tickets during distributed-denial-of-service attacks or other cyber-attack-induced service disruptions.
For those who have such procedures in place but are struggling to respond in a timely manner, companies such as Everbridge provide IT alerting tools, which work by sending messages out across a wide number of different means in an automated manner, and can allow people to join conference calls in a streamlined way and escalate matters (alerting other people if the initial contacts are unresponsive) if required. According to Vick Vaishnavi, general manager of IT alerting and IoT at Everbridge: “In terms of response time for major incidents on average, we’ve seen our customers go down from 46 minutes to five minutes.”
However, it is not enough to just be able to quickly assemble a team – there is a need to be able to rapidly configure your networks in a centralised way. “Once you’ve detected an incident to contain, you need to have fundamental security and central configuration in place first; you can’t plug in a piece of incident management software and expect it to solve that – every attack will be different and require a different response,” says Bore.
Wireless weaknesses
While much of what we’ve discussed straddles both the wireless and wired domains, it would be odd if we didn’t have some specific tips for wireless security. Merlin Entertainments’ Bore notes that “any technology that broadcasts is on a fundamental level insecure because it is broadcasting everything. You can encrypt it, you can apply various other protections, but they are being built around something that is at its heart open.” He adds by way of example that the keycards used for door access systems can be “scanned from three feet away now with something that you’d never notice in a backpack”.
Bore says the best way to secure a building’s Wi-Fi is to carry out a survey to ensure “the broadcast power isn’t too high and you’re not broadcasting across the street, and that it’s appropriately shaped, then use very strong authentication, such as RADIUS, where it’s not directly against the wireless access point itself but a separate source”.
WatchGuard’s Orsi highlights the dangers from ‘evil twin’ access points, which broadcast the same SSID as a network you’ve previously connected to, as well as misconfigured access points, which may be unencrypted and unsecured.
We’ve seen that effective cyber security requires a combination of adequate funding, which in turn is best spent when you fully understand your company’s operations (particularly areas which if attacked could lead to massive disruption or significant data/reputational/financial loss), and work to ensure that you have addressed all the relevant areas rather than concentrating on just a few.
What to consider: the main dos and don'ts of cyber security procurement
- Do your due diligence and make sure that anyone supplying anything that connects to your network or runs over it approaches cyber security with the same rigour (or greater).
- Do get a full security tear-down on any IoT devices that you’re looking to connect to your network
- Do consider the human element and raise awareness of phishing (what it is and its dangers) within your organisation
- Do put yourself in the shoes of someone out to harm your business – where would they strike to cause the most damage?
- Don’t assume that cyber security tools and training are enough – have a plan in place (right down to who calls whom)
- Don’t neglect the importance of back-ups – if the worst happens, you need to be able to bring your business back from the brink
- Don’t forget to ask consultants and salespeople to describe best practice for implementing the solutions that they recommend or supply