The security landscape has changed dramatically in the past five years & cybercrime is now a hot topic. Everyone is talking anti-virus, access control and firewalls but a security strategy goes deeper than that. Gabriel Clarke, IT and Security Manager with eir Business NI, points to the often overlooked and underestimated vulnerabilities of this shifting threat environment and how organisations can be best equipped to deal with them.
Cybercrime has become big business. The threat source has evolved from the traditional lone hacker to large companies dedicated to developing malware for financial gain and state-sponsored initiatives aimed at gathering intelligence. The types of attacks we’re seeing has changed too with the growth in large-scale ransomware attacks such as WannaCry where hackers use emails, social engineering and software vulnerabilities to break into computer networks, locate organisations’ critical data and encrypt it. Whilst such attacks are typically used to make money by demanding a hefty ransom to unlock the data, some evidence points to the recent Petya ransomware-style attack as being a ‘wiper’ with the objective of permanently destroying data.
Ransomware has now become the single largest threat to organisations globally: a company is hit by ransomware every 40 seconds (Kapersky Security Bulletin 2016). While media headlines talk about how organisations like the NHS and Telefonica are being hit, it’s important to note that it’s not just large entities that are being targeted. Businesses of all sizes and in all sectors are seen as fair game. Simply put, the risk has never been higher.
1. Take a ‘Defence in Depth’ approach
At eir Business NI we advise organisations to take a holistic view of security. Your security strategy needs to focus on ‘defence in depth’, where multiple layers of security controls are put in place including personnel, procedures, technology and physical security. We’re seeing too many organisations that are focused too much on simple preventative measures with basic firewalls but lack detection and response measures, such as continuous monitoring of security related events and incident plans.
2. Stay on Top of Best Practise
In the case of protecting against ransomware in particular, businesses should perform regular backups of their critical data. Backups should be stored in an isolated environment – either on tapes offsite or on a dedicated, isolated network of its own that can’t be reached from the production environment. Then, if you become the target of a ransomware attack, you can be confident you can access up-to-date data, and will not be conned into paying the ransom.
It might sound basic but we see it all the time when we perform security audits, organisations still aren’t ensuring they have deployed the latest security patches to their systems and applications. Let’s take for example the WannaCry incident: 92% of the machines infected were running unpatched versions of Windows. Microsoft had released a patch for the SMB vulnerability in March 2017, a full two months before WannaCry was released. It’s worth repeating – patch, patch, patch – and put in place a rigorous vulnerability management program.
3. Don’t Underestimate The Human Factor
While WannaCry targeted a software vulnerability, the majority of ransomware and other malware such as Trojans, typically use phishing emails to wriggle their way into an organisation’s IT system. According to a study conducted at Friedrich-Alexander University, 78 percent of participants said they were aware of the risks of unknown links in emails. Yet 45% of them clicked the link anyway.
With security, it’s not all about technical solutions; people are often the weakest link in the IT security chain. There’s no doubt that phishing emails have become more sophisticated. Long gone are the days when phishing mails were peppered with typos and poor grammar. They’re convincing and make use of social engineering tactics to encourage users to open them. And that’s why raising awareness of this threat is so important.
It’s vital that businesses devise a security awareness programme. Training is key. We know security can be a boring topic for employees who feel far removed from the impact of cybercrime. That’s why organisations need to drive home the implications of cybercrime: the associated downtime and data loss lead to financial losses, the erasing of customer trust and could result in irrevocable damage to an organisation that could lead to job losses. Any security awareness training needs to reinforce these implications and also outline the dangers of clicking unknown links or opening email attachments.
4. Keep Up-to-Date with Available Security Tools
You will no doubt have noticed the move to https across the internet, a more secure version of http. Using https, the computers agree on a ‘code’, and then they encrypt the data using that ‘code’ so that no one in between can read them. Today over 50% of internet traffic is now encrypted (in some industries this can rise to 80-90%). So far, so good.
Security problems arise though as traditional firewalls cannot inspect the encrypted internet traffic. In order to conduct continuous analysis on internet traffic being sent via an organisation’s network, IT staff need to be able to see the data. This is simply not possible with traditional firewalls. All organisations in today’s threat-laden environment should implement a next-generation firewall (NGFW). As well as having the capabilities of a traditional firewall, such as packet filtering and url-blocking, NGFWs also includes intrusion prevention, https inspection, deep packet inspection, malware detection and application awareness. Technology like next-generation firewalls are a vital tool for any organisation to have in their arsenal.
5. Assess your Security Maturity
A good starting point for any organisation that wants to re-assess their IT security strategy is to conduct a security audit. Engage with security experts like eir Business NI, who can be a fresh pair of skilled eyes. Often these engagements will kick off a process where organisations dig a little deeper into their security setup and ask the necessary questions like “are we looking at the right thing?”, “are we aware of the true risks?”, “are we using the right solution to protect against this risk?”, “what gaps do we have in our defences?” and “where should we be allocating our budget?”. It’s in asking and getting answers to these questions that organisations will begin to understand where they’re falling down and how they can shore up their defences.
Traditionally, security was seen as an innovation blocker. IT security teams were left out of the decision making process for fear they would hamper progress. But now, with security such a key concern globally, it’s imperative that IT security teams have a seat at the boardroom table, and that any new solution or service is ‘security from design’.
Connect with Gabriel at https://www.linkedin.com/in/gabriel-clarke/ or call the team at eir Business NI on 028 9000 2100 to discuss your enterprise security needs.