There is no question that businesses, and indeed everyday people, are well aware of the importance of cybersecurity. Why so many, then, choose to do little about it may seem to be something of a mystery.
According to Finbarr O'Riordan, sales director at Typetec, which provides managed security services, fear, rather than leading to action, can paralyse people. This, however, is precisely the wrong response.
“You know there is something lurking, but you're afraid to see about it, but that's the starting point: you try to find out where the risks lie,” he said.
Typetec starts with a “gap analysis”, showing where potential problems are in the network, as well as in the wider business.
“We present you with a report telling you what you're doing well and what you're not doing well. It’s not about selling; it’s about the holistic approach, including business continuity and developing the policies that go with securing the environment,” he said.
The threat landscape has only got worse over the last year, as high-profile breaches and attacks have demonstrated. As a result, businesses need to think about securing themselves before they become the next target or victim of cyber criminals.
“Everybody is aware that this is a problem, but many are burying their heads in the sand. People often end up finding out the hard way and that's a bad place to be,” he said.
Indeed, suffering even a non-catastrophic breach, never mind a full-blown ransomware attack, can leave a business on the back foot. A full-blown attack could leave them unable to do business.
Cybersecurity, then, should be seen as part of a wider resilience and business continuity strategy.
“You need to have a plan for all eventualities, and we saw that when Covid hit, people had to pick up and leave their offices, and those without a plan had to scramble,” he said.
Backups should be in place and they should be tested, but a larger plan is also needed.
“A good organisation will do regular restore testing: they'll have immutable backups, meaning they’re stored off your own network. Having a basic plan written on paper is a starting point, because a lot of people have them stored electronically and then can’t get to them,” he said.
The goal, however, is to never need to resort to backups. Instead, the business should have a focus on keeping security strong so that attacks do not occur. O'Riordan said that considering a move away from traditional infrastructure can be part of this.
“Recovery is one thing, but what we have found is that the majority of attacks are on on-premise infrastructure. Considering moving to the cloud, even though it's a big step, can really help; and it includes a lot of business continuity features,” he said.
If an attack is successful, though, the work to get back to a clean starting point can be difficult. Indeed, internal IT teams may be fazed by a ransomware attack: they may even be so busy trying to figure out what happened that they don't have time to recover.
O'Riordan said that understanding security as being larger than a question of operational IT was essential.
“In my experience, especially in the last 18 months, people have come to realise there's a wider business impact than just IT. The IT element is really only the starting point,” he said.
“A lot of companies might not have budgeted for it, but I think cybersecurity warrants its own column rather than being rolled into IT.”
This can also be a way of addressing the fact that security professionals are in ultra-high demand.
“There's a massive skills shortage and smaller companies probably can't warrant full-time people anyway,” O'Riordan said.
After deciding to work with a managed security provider, then, the initial process of engagement is to understand the business and where the exposures are, then to fix them, draft new policies and, finally, test them in a real-world scenario.
“We wrap it all up with a penetration test,” O'Riordan said.
O’Riordan said that no matter how fearful people were, the real answer was to start a process.
“They should reach out and not live with fear of the unknown. A start is better than no start,” he said.