It’s fair to say that 2021 has been one of the most challenging years on record for business leaders and their organisations. Ed Williams, EMEA Director of SpiderLabs, Trustwave, reflects on the past 12 months and suggests how we can move forward with strong cyber hygiene in place.
2021 has been a year of significant change for cybersecurity – but that’s the nature of the industry. It’s fast-paced, increasingly advanced, and can be relied upon to throw challenges in the face of organisations when they least expect it.
The one constant is that everything will continue to change. Businesses are tackling new threats, the annual spend on defence solutions is increasing and more people are having those all-important initial conversations about cybersecurity. But there is still a long way to go. While we are seeing more people talk about cybersecurity strategies, and even getting to the stage of planning the next phase, it often ends up with leaders choosing the bare minimum option – mostly due to budget restrictions. Given that investment in cyber solutions offers no immediate RoI, it’s important that leaders act with foresight to get ahead and continue on their maturity journey in order to limit the impact.
Businesses know all too well the devastating repercussions of a successful attack, and most would agree that a post-attack budget is far larger than a pre-attack one. Suddenly, once the perimeter has been breached, companies are much more convinced by greater security measures, but by this point it’s already too late.
The past year has witnessed a great many cyberattacks, but two major threats to modern businesses are ransomware and insecure supply chains.
Responding to ransomware
Throughout 2021, ransomware has become more sophisticated and prominent in cyberattacks. Advances in this threat vector means a single breach can leave organisations trembling in its wake as systems and data become compromised. The main question being asked by clients now is: how can we get in front of ransomware? And to answer that question, we must break down the life cycle of ransomware to understand how it enters the network. It’s usually down to phishing, password guessing, exploitation of vulnerabilities, or malicious documents in an email. Once they understand the entry point for ransomware, businesses can start putting together a strategy to safeguard against it.
Vulnerability assessments are a critical part of getting ahead of attackers. While most businesses already conduct some form of assessment, it’s not always at the necessary scale or depth. Penetration testers often get these responses from business teams following an assessment: ‘I don’t know what that is’, or ‘I thought we had turned that off’. It can be difficult to achieve good asset management across a complex network environment, especially in large organisations. So, as a bare minimum, businesses should remember the key basics that can really make a difference: patching, passwords and policies.
Part of the issue when it comes to tackling ransomware is that it’s far too easy to become distracted by the new shiny tech being released – such as Artificial Intelligence and Machine Learning – and forget about fundamental cyber hygiene. In order to get in front of ransomware, it’s time to ditch the buzzwords and reinstate those strong foundations. It is always worth hammering home the basics – not because they’re easy, but because they’re needed.
The complexity of supply chains
Not only has ransomware been an exponential threat this year, but some of the biggest cyberattacks to have taken place in 2021 have had links to the supply chain. From the Colonial Pipeline attack to multiple attempts on the COVID vaccine, supply chains have acted as catalysts for criminals. And the ongoing shift to hybrid working has exacerbated the issue. Transferring resources from legacy technology to the cloud, and leaving connections unprotected, have all widened the supply chain attack surface.
Securing an entire chain of businesses is far more complex than addressing just one individual company – the number of resources shared and the high level of collaboration that takes place adds to the challenge. Again, it all comes down to best practice and re-establishing the fundamentals. Businesses should carry out regular penetration tests and red teaming exercises, as well as ensuring strong cyber hygiene across the company. In addition, being part of a supply chain demands a certain amount of honesty. Each business must be open to discussing their security strategies to guarantee alignment throughout the chain.
A rise in awareness
A definite silver lining to 2021 is that awareness of cybersecurity has shot through the roof. Penetration testers are busier than ever, demonstrating that more businesses are starting to appreciate the value in vulnerability assessment and are taking the first step to improving their security. However, as with most things in life, there is always more that can be done. Conducting a pen test is one thing, but acting upon the results is another. It often comes down to budget, but as we’ve already established, the value of spend before an attack greatly outweighs the value after.
Unfortunately, the nature of cybersecurity means we will never reach a point of being 100% secure – there is always a new threat vector waiting around the corner, or a new attack kit being deployed. Security teams are essentially partaking in a long-term dance with criminals – sometimes taking two steps forward, or two steps back – but always alongside each other. As an industry, we need to break this hold and move out in front of the adversaries.
The security resolution
So, as we approach 2022, it’s important to set out the security priorities based on what we’ve learned from the last year. Ransomware will get more sophisticated and supply chains will become more complex, so the next phase in security must be based on prevention. Like the Mike Tyson saying: ‘Everyone has a plan until they get punched in the mouth’. Rather than plan for what happens when the punch arrives, take the proactive decision to step out of the ring.
2021 has taught us that complexity is the enemy of security. If processes are too complicated, they become far harder to protect. Our security resolution should start with reducing this complexity where possible and taking the necessary time to do it properly. Patching, for example, is ineffective if the business prioritises a quick fix rather than finding the root cause of the vulnerability. This is particularly important for legacy technology. It’s understandable that not all businesses can afford to replace all their legacy solutions with modern alternatives, but they mustn’t be neglected.
Every member of an organisation is now responsible for cybersecurity. To pull away from the horde of cybercriminals banging against the walls of our network perimeters, we must work as units and continue to strive for the next phase in our security development. Moving into 2022, our security resolution must encompass the following: cyber hygiene fundamentals, a decrease in complexity and a preventative approach.
Click below to share this article