Security

Why Cybersecurity is More Important than Ever Before

The threat of cybercrime to businesses is rising fast. According to one estimate, by McAfee, the damages associated with cybercrime now stand at over $400 billion, up from $250 billion two years ago, with the costs incurred by UK businesses also running into the billions. In a bid to stave off e-criminals, organisations are increasingly investing in ramping up their digital frontiers and security protocols; however, many are still put off by the costs, or by the bewildering range of tools and services available. The following is a list of reasons why investing in cybersecurity is a sensible decision.

1. Rising cost of security breaches

The fact is that cyberattacks can be extremely expensive for businesses to endure. Recent statistics have suggested that the average cost of a data breach at a larger UK firm is £20,000. But this actually underestimates the real expense of an attack against a company. It is not just the financial damage suffered by the business or the cost of remediation; a data breach can also inflict untold reputational damage.

Suffering a cyberattack can cause customers to lose trust in a business and spend their money elsewhere. Additionally, having a reputation for poor security can also lead to a failure to win new contracts.

2. Increasingly sophisticated and organised hackers

Almost every business has a website and externally exposed systems that could provide criminals with entry points into internal networks. Hackers have a lot to gain from successful data breaches, and there are countless examples of well-funded and coordinated cyber-attacks against some of the largest companies in the UK. Ironically, even Deloitte, the globe’s largest cybersecurity consultant, was itself rocked by an attack in October last year.

With highly sophisticated attacks now commonplace, businesses need to assume that they will be breached at some point and implement controls that help them to detect and respond to malicious activity before it causes damage and disruption.

3. Widely available hacking tools

While well-funded and highly skilled hackers pose a significant risk to your business, the wide availability of hacking tools and programmes on the internet means there is also a growing threat from less skilled individuals. The commercialisation of cybercrime has made it easy for anyone to obtain the resources they need to launch damaging attacks, such as ransomware and cryptomining.

4. A proliferation of IoT devices

More smart devices than ever are connected to the internet. These are known as Internet of Things, or IoT, devices and are increasingly common in homes and offices. On the surface, these devices can simplify and speed up tasks, as well as offer greater levels of control and accessibility. Their proliferation, however, presents a problem.

If not managed properly, each IoT device that is connected to the internet could provide cyber criminals with a way into a business. IT services giant Cisco estimates there will be 27.1 billion connected devices globally by 2021 – so this problem will only worsen with time. With use of IoT devices potentially introducing a wide range of security weaknesses, it is wise to conduct regular vulnerability assessments to help identify and address risks presented by these assets.

5. Tighter regulations

It is not just criminal attacks that mean businesses need to be more invested in cyber security than ever before. The introduction of regulations such as the GDPR means that organisations need to take security more seriously than ever, or face heavy fines.

The GDPR has been introduced by the EU to force organisations into taking better care of the personal data they hold. Among the requirements of the GDPR is the need for organisations to implement appropriate technical and organisational measures to protect personal data, regularly review controls, plus detect, investigate and report breaches.


3 Ways to Defuse the Threat of Ransomware

Any cyber-attack makes IT pros shudder, but ransomware adds an extra element by its very nature – after all, you are not only attacked, but held hostage. The genre also tests both your security plans and your employees.

Ransomware attacks are on the rise: According to the FBI, an average of 4,000 ransomware attacks took place each day in 2016, a 300-percent increase from 2015. If ransomware wasn’t top of mind before, the WannaCry ransomware attack this May showed how sophisticated – and disruptive – hackers have become. (WannaCry forced a giant like FedEx to shut down operations the day after the attack.)

In attacks like WannaCry, cybercriminals gain access to systems, encrypt critical data and hold the encryption key and data hostage. However, not surprisingly, some organizations have paid the ransom but never received the key.

The human side of ransomware

According to the “BCI Cyber Resilience Report 2017,” ransomware accounts for 19% of cyber disruptions.

According to the “BCI Cyber Resilience Report 2017,” conducted by the Business Continuity Institute and Sungard AS, phishing and social engineering remain the top security threat, cited by 57 percent of respondents. Ransomware ties for the fifth spot on this year’s list. However, the report authors point out that ransomware is usually delivered through phishing and social engineering.

That adds up to ransomware being the “rising star of malicious codes,” according to David Thorp, executive director of BCI. Thorp writes that this reveals a weakness in the human aspect of cyber resilience, which calls for better education and awareness-raising initiatives.

Some victims pay up, some say ‘no’

When a hospital in Los Angeles was hit by the Locky ransomware virus, it ended up paying a ransom of 40 Bitcoin at a value of $17,000. When an employee opened an infected email attachment, a municipal utility in Michigan lost access to its accounting and email systems; an executive was quoted as saying that paying the $25,000 ransom was “distasteful and disgusting, but sadly necessary.”

Not all organizations pay. Three hospitals also hit by the Locky virus did not pay attackers and their systems were brought back to normal thanks to a quick-reacting IT team. When hackers attacked San Francisco’s light rail transit system, Muni, shutting down its ticket machines, the agency refused to pay the 100 Bitcoin (about $73,000) ransom demanded. While its IT team restored the system, customers rode for free.

There is no simple solution to preventing ransomware attacks. However, businesses can avoid having their data held hostage with these strategies.

1. Educate, test, patch

In addition to ensuring your anti-malware software is up-to-date, educate employees to recognize phishing attempts, social engineering attacks and the dangers of using computing assets in public, unsecured environments.

It’s also critical to know where your vital data is located, its value and where you are most vulnerable. Security assessments and vulnerability testing can help you develop a new strategy or harden an existing one.

WannaCry took advantage of a vulnerability in the Windows operating system. Many victims had not applied a security patch issued by Microsoft two months earlier. This highlights the importance of having a plan in place for ongoing operating system upgrades. A vulnerability management (VM) program can perform this task as needed.

2. Detect ransomware before you’re infected

One weak link is all that’s needed for malware to make its way onto your network. Your second level of defense should be to verify the effectiveness of your multi-level approach so you detect a ransomware attack before significant damage occurs. A file-integrity monitoring service is one way to accomplish this. It looks for suspicious activity, flags anything unusual and prevents the action.

Another option is a security information and event management (SIEM) service to monitor security events, correlate the events across devices and analyze them based on rules to detect malicious activity.
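As an added example (not code from the original post), the following Python sketches a file-integrity monitor of the kind described above, paired with a single SIEM-style correlation rule that turns a burst of file changes into a ransomware alert; the sample directory, the burst threshold and the suffix list are assumptions chosen for illustration.

```python
"""Minimal file-integrity monitor plus one correlation rule.

Added example, not the article's own tooling. The directory layout,
burst threshold and suspicious-suffix list below are assumptions.
"""
import hashlib
import tempfile
from collections import Counter
from pathlib import Path

# Extensions sometimes appended by ransomware families. A constructed,
# illustrative list, not a maintained signature feed.
SUSPICIOUS_SUFFIXES = {".locked", ".encrypted", ".crypt"}


def snapshot(root):
    """Return {relative_path: sha256_hex} for every regular file under root."""
    root = Path(root)
    return {
        str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def diff_snapshots(before, after):
    """Turn two snapshots into FIM events of the form (kind, relative_path)."""
    events = []
    for rel, digest in after.items():
        if rel not in before:
            events.append(("created", rel))
        elif before[rel] != digest:
            events.append(("modified", rel))
    events.extend(("deleted", rel) for rel in before if rel not in after)
    return events


def ransomware_verdict(events, burst_threshold=5):
    """Correlation rule over one monitoring interval.

    Many files rewritten or removed at once is suspicious on its own
    ("warn"); combined with new files carrying a suspicious suffix it is
    treated as an active encryption run ("alert"). A single edit is "ok".
    """
    counts = Counter(kind for kind, _ in events)
    churn = counts["modified"] + counts["deleted"]
    renamed = [rel for kind, rel in events
               if kind == "created" and Path(rel).suffix in SUSPICIOUS_SUFFIXES]
    if churn >= burst_threshold and renamed:
        return "alert"
    if churn >= burst_threshold:
        return "warn"
    return "ok"


def constructed_bulk_change(baseline):
    """Model an 'after' snapshot in which every baseline file has been
    replaced by a differently-hashed copy carrying a .locked suffix.
    This is constructed dict manipulation only; no files are touched."""
    return {rel + ".locked": hashlib.sha256(f"changed:{rel}".encode()).hexdigest()
            for rel in baseline}


def demo():
    """Run the monitor over a constructed directory of sample documents and
    return the verdicts for a normal day and for the modelled incident."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for i in range(6):
            (root / f"report{i}.docx").write_text(f"quarterly figures {i}")
        baseline = snapshot(root)

        # Normal day: one document edited, producing a single 'modified' event.
        (root / "report0.docx").write_text("quarterly figures 0, revised")
        normal = ransomware_verdict(diff_snapshots(baseline, snapshot(root)))

        # Modelled incident: every file replaced and renamed in one interval.
        incident = ransomware_verdict(
            diff_snapshots(baseline, constructed_bulk_change(baseline)))
    return normal, incident


if __name__ == "__main__":
    print(demo())
```

In a real deployment the snapshot interval and threshold would be tuned to the share's normal change rate, and the "alert" verdict would be what the SIEM rule forwards to responders.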

3. Mitigate the impact of ransomware

Your third line of defense is having a disaster recovery plan to mitigate the impact of ransomware. If malware does make it through and your data is held for ransom, this can help you recover your business operations.

Looking at the WannaCry attack, many victims did not have backups, lacked confidence in using them or had not adequately tested procedures to ensure successful restoration. Some who had backups were not sure of how far back the infection had spread, so determining the recovery point was difficult.

To minimize confusion and save time, define and document what steps need to be taken, in what order and by whom, if a ransomware attack happens. Having backups is key, but it won’t help if they don’t restore your systems as expected, so it’s important to test them on an on-going basis.

Network segmentation can help as well, cutting off any infected devices from the rest of your network. But like backups, this needs to be planned for and tested long before an employee clicks on a suspicious link.

With ransomware on the rise, it’s easy to become a victim. But if you follow these steps, you’ll never have to make a decision about whether to pay up to unlock your data.

How to Guard Your Company Against Cryptojacking and Ransomware

The bull market for bitcoin is catching a lot of attention. Most notably among hackers. This is why the cost of a ransomware attack was expected to grow 1500 percent between 2015 and 2017 to a predicted $5 billion. Some expect costs to rise to $11.5 billion in 2019.

Others saw a drop in ransomware toward the end of 2017, as cryptojacking continued to grow in popularity; hackers are stealing CPU bandwidth through compromised websites or malware.

One locks down your systems, the other slows them down. Both feed hackers’ appetite for cryptocurrency. Here’s how to stop them.

Companies are stocking up on cryptocurrencies to pay off hackers

The ransomware epidemic has gotten so bad that companies are proactively buying bitcoin just in case they have to pay up to get their systems back.

A recent Qualtrics survey of 510 IT decision-makers found that 53 percent had purchased cryptocurrency like bitcoin as a precaution against ransomware attacks. More than half (51 percent) said their organization had stockpiled $100,000 or more in cryptocurrency, with 12 percent purchasing $1,000,000 or more.

The average ransom payment is $1,077, but the cost can quickly skyrocket when multiplied by the number of locked machines. Nearly 73 percent of the respondents work at organizations with more than 1,000 employees. You do the math.

When Hancock Health Hospital’s systems were held ransom in January, one hospital executive noted that “the amount of the ransom was reasonable in respect to the cost of continuing down time and not being able to care for patients.”

Hancock Health was forced to pay up since its backups were compromised, but paying the ransom also seemed like the best choice. The cost was competitive compared to the effort required to get systems back up and running on its own. That made it a lucrative payday for hackers and a tough decision for the organization.

Do this so you don’t have to stock up on cryptocurrency

While not recommended, ultimately, paying a ransom is an executive and board decision. But instead of purchasing cryptocurrency in advance, efforts should focus on prevention.

Don’t ignore the basics:

  • Back up your critical data at an interval that makes sense. For some businesses, backing up once a day is fine. Others might need to back up every hour.
  • Segment your backups from the rest of your network so they aren’t infected along with other devices. Hancock Health learned this the hard way.
  • Use tools to spot ransomware, like file-integrity monitoring services or security information and event management (SIEM) services.
  • Educate your employees on how to spot and report phishing emails before they click any suspicious links.
  • Test your disaster recovery plan and process to make sure it will hold up under a real-world attack.

If you take steps ahead of time to prevent and quickly mitigate ransomware, there’s no reason to stockpile cryptocurrency.

But you do have to watch out for the newest scheme, which has grown more prevalent in the last year: cryptojacking.

What is cryptojacking?

Cryptojacking is secretly hijacking processing power to mine cryptocurrencies.

It can be done through compromised websites or through malware that can spread across a network and create a botnet dedicated to mining. It’s a more subtle and lucrative way to steal than locking down an organization’s devices.

Adylkuzz, a cousin to the ransomware WannaCry, spread quietly last spring, and could have produced more than a million dollars for its creators.

Last fall, a bit of JavaScript on Showtime’s website tapped visitors’ computers to mine the cryptocurrency Monero. Reports say that up to 60 percent of visitors’ CPU capacity was conscripted into the mining operation.

Now more than 4,200 government websites around the world are said to be compromised and mining Monero. The attacks are stealing processing power from prominent companies too.

Large botnets, once feared for their ability to level massive DDoS attacks, are now raking in cash. The Smominru botnet, for example, has infected 520,000 machines and has already mined $2.3 million in Monero.

How to guard against cryptojacking

While cryptojacking may seem less impactful than ransomware, which completely shuts companies out of their systems, it still takes resources away from systems critical to the business.

Guarding against cryptojacking, like guarding against ransomware, comes down to the basics:

  • Install security patches.
  • Set strong passwords, and don’t reuse them.
  • Train employees in security awareness.
  • Harden systems.
  • Set strong egress filtering to block outbound connections to command and control servers, and monitor for those connections to alert on attacks.
  • Segment networks to protect against propagation of malware.
  • Maintain clean backups for quick and easy restoration.

As long as there’s money to be made, criminals will do their best to exploit every vulnerability. With bitcoin and other cryptocurrencies so highly valued, this will be an attack we’ll see for a while. Prepare accordingly.

Cryptocurrencies and criminals

It’s pretty obvious why criminals like cryptocurrencies. They can be used anonymously, they’re increasingly easy to use, and they’re surging in value – what’s not to like?

Your organization is often what’s standing between criminals and the payments they seek. With a focus on cybersecurity basics, you can avoid becoming the next victim and funding further exploits.

Learn more about how to make your business more resilient against cyberthreats.

Phone in the Right Hand? You're a Hacker!

Hackers are finding it too easy to circumvent traditional cyber defences, forcing businesses to rethink their security strategies. Many firms are now harnessing big data and adopting cutting edge verification checks. In fact, some can even identify you by how quickly you type your computer keys, or how you hold your mobile phone.

In these days of regular space travel, nanotechnology and quantum computers it is easy to believe we live in an age plucked from the pages of a science-fiction novel. But there are some aspects of this shiny, computer-powered era that look more feudal than futuristic.

Consider the way many organisations protect themselves and their staff from cyber-attacks.

Many approach cyber-security like a medieval king would have tackled domestic security - by building a castle to protect themselves, says Dr Robert Blumofe, a senior manager at cloud services firm Akamai.

The high walls, moat and drawbridge are the security tools, anti-virus and firewalls they use to repel the barbarians at the gates trying to breach their cyber defences.

"But now," Dr Blumofe says, "that castle metaphor is really starting to break down."

Outer defences

The first issue is mobility. Digital fortifications worked well when all staff sat at desks, used desktop computers and were concentrated in a few buildings. But now many work from home, airports or coffee shops and use their laptops, tablets and phones on the go, to work at all times of day.

The second problem, Dr Blumofe says, is that many firms wrongly assume that those inside their castle walls can be trusted and are "safe".

This leaves many firms dangerously exposed, agrees John Maynard, European head of cyber-security for Cisco. "Typically once attackers have penetrated a trusted network they find it is easy to move laterally and easy to get to the crown jewels. That's because all the defences point outward. Once on the inside there is usually little to stop attackers going where they want to."

Tumbling walls

In a bid to get beyond this outdated thinking many organisations have torn down the old castle walls in favour of a model known as the "Beyond Corp" approach.

Image caption: China was implicated in the Aurora attacks on Google and lots of other big companies.

It was pioneered by Google in response to a series of cyber-attacks in 2009, called Aurora, orchestrated by China-backed hackers. The attackers went after Google as well as Adobe, Yahoo, Morgan Stanley, Dow Chemical and many other large firms.

According to Mr Maynard, Beyond Corp assumes every device or person trying to connect to a network is hostile until they are proven otherwise. It obtains this proof by analysing external devices, how they are being used and what information they are submitting.

This encompasses obvious things such as login names and passwords, as well as where someone logs in from; but it also relies on far more subtle indicators, such as how quickly you type and whether you hold the device in your right or left hand. How an individual uses a device acts as a second layer of identity, a different kind of fingerprint.

Gathering, storing and analysing all that data on those individual quirks of usage was the type of big data problem only a tech-savvy company such as Google could tackle at the time of the Aurora attacks. However, as familiarity with big data sets has spread, many more big firms are adopting the Beyond Corp approach when organising their digital defences.

One big advantage is that Beyond Corp turns a firm's network into an active element of defence, says Mr Maynard from Cisco. "In the castle and moat approach the network was passive... But Beyond Corp involves continuous monitoring where you are constantly using the network as a sensor or a way to get telemetry about what's going on."

The analysis done when users join a network makes it much easier to spot when attackers are trying to get access. That's because the authentication step will flag any anomalies meaning security staff will find out quickly that something suspicious is going on. Anything other than normal login behaviour will stand out.

Faster detection

It can also mean a "significant reduction" in time to detect threats, says Mr Maynard. "The industry average is about 100 days to spot threats. With Beyond Corp you should be down to hours not days."

In addition, Beyond Corp can "limit the blast radius" if a breach does happen. This is because it usually involves dividing up a company's internal network so users only get access to applications they are approved to use. The mass of data gathered on users, their devices and the way they act once they have connected may appear bewildering to many companies. However, advances in automation are increasingly helping them keep a handle on the millions of events that now occur on their systems.

In summary, if you expect to secure your estate by having humans watch TV screens, you are probably going to be too late to spot an attack. Human reactions are always going to be much slower than automation.

News Source: BBC

The True Cost of Security Breaches

What does a security breach or malicious hacker attack actually cost? For organizations that lack a fully resilient infrastructure, the true costs can include operational interruptions, loss of customer trust, lawsuits and compliance regulation fines. 

Consider the costs an organization can expect to incur from ransomware. 

In March 2018, Atlanta’s city government was hit with a ransomware attack, in which criminals demanded roughly $51,000 in bitcoin to restore the city’s systems. Atlanta didn’t pay. 

Consequently, according to Engadget, more than one-third of the city’s necessary programs went offline or were disabled in part. Worse, Atlanta’s city attorney office lost six of its 77 computers and 10 years of documents. The Atlanta police department lost its dash cam recordings. Initially, the cost of recovering from the attack was an estimated $2 million—but that soon increased by another $9.5 million.

Here are some examples of the hidden costs a security incident may bring, with tips on how to avoid them through business resilience best practices.  

Hidden security breach costs 

Emergency assistance from consulting firms. After a breach or attack for which you’re unprepared, you may need an outside consulting firm to help you bounce back. For instance, the city of Atlanta spent $600,000 with Ernst & Young for incident response consulting.  

Technology and security upgrades. A successful attack means the exposure of weak links in your security—which you’ll need to repair going forward. Equifax, which in September 2017 experienced what’s probably the costliest data breach in history, was forced to upgrade its technology and security infrastructures. Its ongoing IT and data security costs related to the breach were $45.7 million in the first quarter of 2018 alone. 

For lessons learned from the Equifax breach, see our blog post “The Equifax Breach: No More Excuses.” 

Legal fees. Your organization may be vulnerable to class-action lawsuits or other legal action stemming from data privacy leaks. Following its 2015 breach, Anthem was liable for more than $33 million in attorney fees and expenses, according to Big Law Business. That’s in addition to payouts to class-action plaintiffs, which in Anthem’s case included $7,500 each for 29 individuals and $5,000 each for 76 plaintiffs.

Insurance deductibles. Insurance against losses from cyberattacks and breaches is a growing market. But like most insurance policies, organizations may have to pay a deductible. Equifax’s deductible was $7.5 million.

Crisis communications and PR. After an attack is discovered, organizations should get the word out in a timely manner, which may mean engaging a crisis communications PR firm. Atlanta spent $50,000 hiring such a firm after its ransomware attack.   

Regulatory compliance penalties or fees. With new data privacy regulations such as Europe’s GDPR, organizations can face stiff penalties if personal data isn’t adequately protected. Infringement fines can go up to 20 million euros.

See “What Does the GDPR Mean for Your Business?” for more information.  

Damage to reputation and brand. This side effect of a data breach can be difficult to predict or estimate. But here’s one example: In February 2017, Verizon reduced its offer to acquire Yahoo by $350 million after Yahoo had disclosed two significant data breaches.  

But that’s not all. Other hidden costs may include:  

  • Notifying customers via email, letters, phone calls 
  • Increase in calls to help desk and customer support  
  • Cost of business disruption and revenue losses from downtime 
  • Loss of customers and inability to acquire new ones 

4 tips for avoiding attacks and breaches 

  1. Cover the basics. Egress filtering, keeping security updated, deploying Multi-Factor Authentication (MFA) and encouraging users to take passwords seriously are all basic security practices your organization should implement to help prevent breaches.
  2. Continually educate users about cyber security risks. Many cyber attacks and data breaches start with phishing emails that fool someone inside the organization into clicking a link they shouldn’t click.

Phishing messages are by design made to look authentic, slip past spam filters and appear to come from people the victim ‘knows’ due to spoofing. Social media accounts can also be used to tailor phishing messages specifically to the targeted employee, making them even harder to identify by eye. The most effective way to counter these types of attacks is to educate users and frequently test their awareness.

  3. Make incident response plans part of your resilience program. The quicker you can identify and respond to an attack, the more likely your organization can recover and stop an attacker from accessing sensitive data. A cross-functional team of employees spanning IT security, legal, corporate communications, sales and human resources should be trained in what to do, in accordance with your incident response procedures.
  4. Segment each division of your network. In addition to training employees about how to respond after an incident, you should also segment each division of your network. This way, if you experience a cyber-attack, you just need to identify the origin of the attack and shut off that single segment, isolating it from the rest of the company. This minimizes the amount of sensitive data stolen and allows you to recover quickly and to continue with normal operations.

Network segmentation can be used to protect sensitive data and effectively thwart a cyber-attack. For example, a client of ours prepared their network by segmenting each division and trained their employees on the incident response procedures in the event of an attack. When the company experienced a cyber-attack it was able to quickly identify the origin of attack, shut off that single segment from the rest of the company, and recover quickly to continue operating as normal. Having a well-thought-out incident response plan that employees know how to execute properly is critical to business continuity.

Most recently, enterprises are increasingly leveraging micro-segmentation to create secure zones in data centers and cloud deployments for isolating and protecting workloads, as well as containers to isolate virtual machines to reduce the attack surface.  

In addition, you can improve resiliency via snapshots of files and storage, which will help you roll back to a predetermined Recovery Point Objective (RPO)—minimizing your exposure to data loss and its associated costs.  

For additional tips on avoiding cyber-attacks and protecting your organization against data breaches, consider reading these resources:  

Data breach responses: 4 ways the most resilient businesses handle hacks  

Do you know which of these cyber-attacks isn’t real?  

6 Steps to Make Customers Less Vulnerable to Ransomware

Do you Know Which of These Cyber-Attacks isn't Real?

When CentaurWipe infected hundreds of companies in December 2016, IT departments were left flat-footed. Named for its dual attack of locking down devices while systematically erasing files, CentaurWipe was finally contained after an emergency patch was deployed.

Sound familiar?

It shouldn’t. It never happened.

But in a recent survey of 510 IT decision-makers, more than 85 percent thought CentaurWipe was a real cyberattack when we asked them to pick the fake among a list of real attacks. More respondents picked WannaCry as the fake cyber-attack than CentaurWipe.

What’s going on here? Are there just so many cyber-attacks that it’s hard to remember all the names?

Or is there a lack of awareness that could be putting organizations in jeopardy?

Which cyber-attack isn’t real?

We posed this simple question to CSOs, CIOs, CTOs, CISOs, IT VPs, Heads, Directors, and Managers, Information Systems Security Engineers, Cyber Security Directors and Managers:

Which of the following is not a named or known cyberattack?

  • WannaCry
  • Petya
  • NotPetya
  • Goldeneye
  • Heartbleed
  • CentaurWipe
  • POODLE

Any surprises for you in that list? There were for the respondents.

Only 15 percent of respondents correctly chose CentaurWipe as the phony attack. Just two out of the six real cyberattacks received more votes than that.

A surprising 15 percent picked WannaCry as the fake. That seems impossible to fathom, since WannaCry affected over 150 countries, 300,000 machines, and was covered extensively in the media.

A quarter of respondents – 25 percent – chose POODLE. That’s short for Padding Oracle on Downgraded Legacy Encryption. Granted, POODLE may seem like it happened forever ago (it first appeared in 2014) but this “man-in-the-middle” attack fooled a good portion of respondents.

Close behind CentaurWipe, 14 percent chose NotPetya, while 13 percent chose Goldeneye.

The two most recognized cyber-attacks on the list were Petya, chosen by just 10 percent of respondents as the fake, and Heartbleed, which 8 percent thought wasn’t real. It should be heartening that these two didn’t get past many surveyed participants.

What does this say about security awareness?

The shocking thing about these results is that CentaurWipe wasn’t the overwhelming choice. What can we attribute this to?

For one, some strains of malware have multiple names. Depending on who you ask, Petya, NotPetya and Goldeneye might all refer to the same June 2017 ransomware attack. In these cases, it can get confusing for those trying to stay on top of the ever-growing list of cyber threats – they might know the attack by one name but not another.

The term “cyber-attack” is also up to interpretation. For example, POODLE isn’t actually an attack, but a vulnerability that could be exploited.

There’s also the sheer quantity of attacks – thousands of new ones appear every year, and organizations tending to their security are left untouched by the vast majority.

Or maybe, and this is more concerning, it’s just a true lack of awareness.

Knowing what malware does, what it targets, and how to stop it can help you keep your systems safe. How do you know you’re immune to a threat you aren’t aware of?

Armed with knowledge, you can stay safe and prepare for whatever hackers conjure up next. But also make sure you’re covering the security basics.

Cybersecurity Myths You Should Stop Telling Yourself

Cybersecurity can be a magnet for myths. Attacks emerge and cripple systems availability or swipe data quickly and unexpectedly. It happens so fast that the myths so many of us hold onto as facts are only apparent in the aftermath of an attack.

While many cybersecurity myths persist, some are more damaging than others. Let’s examine four common cybersecurity myths and their impact on risk.

Myth 1: Small organizations are low-value targets for hackers.

Thinking you’re not a target is one of the biggest mistakes your company can make. According to data collected from more than 2,200 confirmed data breaches, 58 percent of security event victims were small businesses. Why would malicious actors target small companies?

  • Compute resources are valuable – Malicious actors seek out available computing resources as network nodes to expand their bot networks, which they use to initiate DDoS attacks, for cryptojacking, to propagate ransomware and spam or for numerous other crimes. Malicious actors build their networks by leveraging free resources, and your systems might be among them.
  • Data is power – Every organization stores some data that’s critical to its business but holds little value to others. Malicious actors exploit this by unleashing ransomware that cuts off data access, availability, or both, crippling the organization. Malicious actors then generate revenue through ransom payments.
  • You’re an easy target – Malicious actors use continually running, automated tools to target vulnerable organizations that allow them easy access. That increases their chances of a quick win, especially since vulnerable targets might not realize they were attacked for months.
  • Your access is valuable – Small businesses can be used as a “beach head” into other targets. Malicious actors might target seemingly innocent, low-risk third-party vendors to get to those vendors’ customers. A breach at a customer service software company earlier this year gave malicious actors access to Delta Airlines, Sears, Kmart and Best Buy.

Myth 2: There’s no reason to invest in security when organizations with tight security controls still experience security breaches.

Some organizations rationalize a small cybersecurity budget by arguing that investing in security is a losing game. They hear about security breaches at large organizations, with presumably large cybersecurity budgets, and assume if these organizations can fall victim, then what chance does their organization have? Let’s look at a few reasons why this is not the case.

  • Tools are just one pillar of a solid security strategy – People and process are the two others. An organization allocating budget toward security might not be funneling it to the most effective areas. An organization can have a big budget for tools, but if it lacks the right cybersecurity talent or its processes are faulty, it can still get hit.
  • Tools do help – Multiple breaches have illustrated how long it can take before an intrusion is detected. Malicious actors stole 880,000 payment cards from Orbitz in a data breach that occurred between October and December 2017, but the company didn’t spot the evidence until March 2018. Tesla only discovered a cryptojacking operation in a cloud account when third-party researchers tipped off the car maker. Organizations that invest in reactive security controls like SIEM tools, in combination with proactive security controls such as Intrusion Prevention Systems (IPS), may identify suspicious behaviors earlier and limit the damage. With such security controls, an organization can more quickly and easily identify when the breach occurred, the potential infiltration source and how the malware spread.
  • The cost of recovery can be higher than the cost of security – Organizations that shrug off tight security controls are focusing solely on the immediate effects of infiltration, not on the total cost of the security incident. Granted, security controls are not 100 percent effective at detection and prevention, but they can save significant time and money during each of the subsequent incident response stages: analysis, containment, eradication, recovery and post-incident activities.

Myth 3: Our organization has not been breached before, so we’re still safe.

Often, organizations incorrectly assume their security risks remain relatively static, when they don’t have a way to effectively evaluate those risks. Projecting future risks based on historical events can be dangerous, especially because people often underestimate the following:

  • What needs to be secured – Defining the scope of what to secure requires identifying exactly how many applications, servers, network devices, storage devices and more are within your organization. When faced with either insufficient or overwhelming amounts of data, the scope may be simplified and assumptions drawn that can lead to vulnerabilities.
  • Unexpected delays – An organization might not include adequate protection for an obsolete server that’s being decommissioned. Schedules slip, and vulnerabilities are introduced when the old, no-longer-patched Windows 2003 server remains connected to the environment months later.
  • Underestimated targets – Similarly, organizations might assume a particular server doesn’t contain sensitive data and is less likely to be the target of an attack. As we’ve discussed, it might not be data that malicious actors are after. Your servers might be valuable as a foothold into the environment, for example.
  • Human psychology – Lastly, people often underestimate risk due to future aversion – the problem of assuming that because the future is unknown it cannot be tested.

Myth 4: Security is an expense, not a revenue generator.

Organizations prioritize investment in services that generate revenue, especially when budgets are tight. This can leave cybersecurity, viewed as an expense, on the back burner. But cybersecurity can be a revenue generator – here’s how.

  • Security influences buying decisions – Organizations that store personal, financial and other sensitive data need to ensure it’s secure. Organizations can influence customers’ perception of security by proactively marketing the high level of security they adhere to, differentiating their organization from their competitors.
  • Lack of security impacts availability – Data breaches are only one impact of an adverse security incident. Another is downtime. Consumers can’t purchase products or pay for services if a website, or the infrastructure that supports web transactions, is unavailable. When ransomware brought the City of Atlanta to a standstill, for example, it couldn’t accept payment from residents for common city services for six days. The lack of adequate security directly impacted core business operations.
  • Security can be a value-added service – For instance, a Software-as-a-Service (SaaS) provider may offer three tiers of service to its customers: gold, silver and bronze. It could bundle in a Service Level Agreement (SLA) with higher levels of availability and higher levels of security controls associated with higher service tiers. Whether your organization has the in-house tools and skill sets required to offer specific security services or you’re passing the costs of a Managed Security Service Provider onto the end customer, security can become a new revenue stream.

The bottom line

Whether it’s assuming you’re not a target or that security spend is only ever an expense, buying into these common cybersecurity myths can set your organization up for serious disruption, unhappy customers and a tarnished reputation, not to mention the cost of recovery.

What are some other cybersecurity myths you’ve encountered?
