All organisations are at risk of a cyberattack. Many are suffering serious consequences as a result of dangerous misconceptions regarding cybersecurity. In this blog we highlight the real underlying reasons why so many businesses are suffering from cybersecurity incidents. And they might not be what you expect.
1. First is the entry-level misconception – thinking that a cyber attack or a cyber breach won’t happen to you. Well, it can, and if proper defences are not in place, it will, because every business is a target. Cybercrime is most definitely not young lads in hoodies trying to hack you for fun. It’s properly organised crime run by organised criminal gangs (many in Eastern Europe), often working in syndicates and using sophisticated automated techniques, including artificial intelligence. So while your business might not have been singled out initially, once a gap is found and they get in, we are increasingly finding they are willing to be patient: watching email exchanges, waiting for the right transaction to divert, or running some ransomware to disrupt your operations.
2. Second is probably the most dangerous of all – thinking that your IT support, whether in-house or external, is properly looking after your cybersecurity. Because in almost every case, you would be wrong. They are not. Aside from the fact that having them mark their own homework is not good risk management, cybersecurity is different from generalist IT support. It’s a different discipline. You would not want your GP to carry out your heart surgery. So don’t expect your IT guys to know the latest attack methods; to specialise in defensive configuration; to do penetration testing and vulnerability assessments; to know your legal and regulatory obligations; to undertake and document your legally required risk assessment; to train and test your staff; to advise on risk governance and then draft your staff cybersecurity handbook; to implement a risk management framework; or to know your record-keeping obligations. I could go on.
3. Next, for those already doing some penetration testing, assuming that’s sufficient. It’s nowhere near enough. Putting to one side the fact that we find many companies paying over the odds for it, a pen test usually only looks at one part of the technology within a defined scope, and usually only tells you whether the pen tester has been able to break in. Crucially, it is not assessing, or addressing, your real business risks. A proper vulnerability assessment needs to be broader than that, and investigate things such as access controls; remote working arrangements; mobile phone security; the transfer of data; the configuration of backups; and so much more. Plus, pen testing usually only leaves you with a technical report; it does not prioritise the remedial actions (within the context of your business) or help you carry them out. And of course pen testing only looks at some part of the technology. It does not help with training or governance.
4. Another is assuming that having the Cyber Essentials badge provides you with adequate protection. It does not. CE is a desktop assessment of the answers you give in respect of 5 very basic technical aspects. It does not even provide minimum legal compliance for personal data, which requires you to do training and put in place policies and procedures. Real cybersecurity requires a much wider approach to assessing the technical and other aspects of your security. Relying solely on CE is asking for a breach.
5. Next is thinking that using cloud systems or storing your data in the cloud in itself gives you protection. Not so. Putting to one side the fact that we frequently see a complete absence of any kind of due diligence on cloud providers, even if the cloud “safe” you are using is secure, there is a whole host of policy, set-up, configuration and enforcement aspects to get right. This includes access controls, the way data is allowed to be moved in and out of the business, the collaboration arrangements with colleagues and third parties, and lots more. We often find that firms using the cloud have merely increased their attack surface, making them less, not more, secure.
6. Next is thinking that subscribing to some generalist training package which includes a few cybersecurity headings is enough. Because it is not. Such packages are usually ineffective because they do not change behaviour. We often find many do not deal with the types of attack which are happening in real life; they do not test whether staff have understood and learnt from them; and they do not simulate the attacks (such as phishing attacks) which are happening in real life. Why is this so important? Because over half of incidents start with people doing the wrong thing: trusting the authenticity of emails or websites without checking, clicking on something they shouldn’t, or not understanding the consequences of putting too much information on social media.
7. Finally, thinking that cybersecurity is some kind of one-off spot check. It’s not. Methods of attack change (as may your technology and the way you work), and defences need to evolve to keep you protected. It’s an ongoing process that requires periodic reviews, arrangements for assessing that the defensive configurations, policies and controls you have in place continue to be the right ones to protect your firm, and checks to prove they are actually working. That’s also now a legal requirement.