Why business transformation and innovation are key to cybersecurity prosperity
The digital landscape is an integral facet of our everyday lives and defending it from cybercrime is crucial. Cyber-incidents can cause catastrophic consequences for businesses and government alike, so it is imperative that organisations secure critical infrastructure against ransomware attacks and protect sensitive customer data. To tackle the mercurial threat landscape, new cybersecurity techniques are needed to counteract the increasingly sophisticated tactics of hackers, says Ross Brewer, vice president of EMEA & APJ at AttackIQ, discusses how businesses can utilise new cybersecurity techniques to counter an expanding attack surface.
During COVID-19, industries were forced to rapidly adapt to new remote and hybrid work models, which created a larger attack surface as IT systems were forced to expand into workers’ homes. A recent breach of Australian telecommunications operator, Optus, saw a potential 10 million customers affected by a hack of sensitive personal data including passport information and licence plates.
A new global study finds that in this year alone 82% of organisations will be vulnerable to cyberattacks. With attack tactics evolving minute by minute, proactivity in the evolving digital ecosystem is not just about procuring new technologies and hiring more staff. Organisations must consistently test their defences against adversaries.
More than an investment
In 2022, the average cost of a breach stands at $4.35 million and analysts predict this figure will rise exponentially. By 2025, global cybercrime will reach $10.5 trillion and in regulated industries particularly vulnerable to cyberattacks like healthcare, finance and banking, data breaches can incur larger, long-term costs.
To counter the ever-expanding attacks on cyber infrastructure, companies have increased their cybersecurity spending, potentially reaching an annual figure of up to $1.75 trillion by 2025. With this being said, having the latest, most expensive protection does not tackle the real problem: understanding if all the money spent on security controls is actually protecting the organisation. In other words, unless teams continually test and validate their controls are working as expected, they cannot confidently report on their cybersecurity readiness and effectiveness to boards and auditors.
A threat-informed defence system
On average, CISOs have 70 security controls at their disposal, however systems are consistently failing according to the Panaseer 2022 Security Leaders Peer Report on the growing number of security breaches and successful ransomware attacks. Currently only 36% of security leaders feel very confident in their ability to prove their program is working effectively. This is compounded by the fact cybersecurity control failure is one of the top emerging risks to cyber infrastructure according to the Emerging Risks Monitor Report.
The human interface is still the number one entry point for security breaches, with more than 85% of attacks due to human error. Businesses need to adopt a cybersecurity framework that includes tactical measures, encryption, authentication and continuous testing and diagnostics, applied to real-world scenarios. As attack surfaces expand, it becomes increasingly critical to test not just technologies but processes to proactively find defence gaps caused by human error.
With the rise of digital extortion gangs and sophisticated malware, the threat landscape is more convoluted than ever before. There are many illustrations of this including, for example, the destructive malware currently used against Ukraine’s critical infrastructure to cause blackouts and put sensitive data in jeopardy. Equally, ransomware extortion gangs like Lapsus$ have been stealing data from prominent companies like Okta and Microsoft, compromising their systems. CISOs need a way to combat these threats. Breach-and-Attack Simulation (BAS) platforms can utilise knowledge-based frameworks like MITRE ATT&CK to simulate real world cyber threat, so when a real cyber threat hits businesses are prepared. BAS platforms are an automated way to test controls and locate which controls are failing in order to plug defence gaps before adversaries find them.
Data-based performance reports
For the everyday CISO, the practicality of decisions around cybersecurity and networks will be challenging. There needs to be greater involvement of the boardroom in relation to security and how security measures translate to positive business outcomes, positive revenue, and overall reduced enterprise risks.
Using insights from platforms and frameworks like MITRE ATT&CK, CISOs can test whether the security controls they implement are working as expected and confidently report to the Board of Directors on the cybersecurity health of a company. Without these quantifiable insights they will struggle to communicate what is and isn’t working.
Ross Brewer
A growing number of companies are using insight platforms which provide actionable data to report gaps in their cybersecurity infrastructure. In 2020, facilities management giant ISS suffered a ransomware attack which left hundreds of thousands of employees without access to emails and other systems. In the wake of this breach, Martin Petersen, chief information security officer at ISS, implemented the use of automated testing to improve their tamper protections for its 60,000 endpoints, making it harder for cybercriminals to penetrate their system and deactivate their malware protection. Controls like BAS platforms can track changes in personnel and equipment that penetration testers may often miss.
This technique enhances visibility and allows CISOs to track how effective their security program is performing on a case-by-case basis. Decision making made through data driven insight is invaluable to a business and CISOs aiming to achieve a threat-informed defence should put BAS systems at the centre of their cybersecurity strategy.
With the rise of digital connectedness, cyber-hacking will only continue to increase as ransomware gangs and hackers become increasingly calculated. To meet the growing needs of the modern threat landscape, ‘Evidence Based Security’ should be the mantra of forward thinking businesses.
The author is Ross Brewer, vice president of EMEA & APJ at AttackIQ
Comment on this article below or via Twitter @IoTGN