Getting your cyber security fully in place
Business owners need a partner who can take decisive action on cyber security threats
The global skills shortage in cyber security, which is now in its sixth year, has had an unfortunate effect on business IT: due to a dearth of candidates, many enterprises large and small are not able to secure their own IT estate.
Into the breach, or rather helping to stop breaches, has stepped managed cyber security.
“A lot of businesses might think that they can do it themselves, but really and truly there's a certain type of engineer who is required – and even a certain type of mindset. It’s a different field of IT, and it’s also a frame of mind,” said Daragh Naughton, managing director of cyber security and cloud specialists Sleepless.
Indeed, an IT team within a business is naturally focused on day-to-day issues such as applications and hardware, leaving little time to research threats or the technologies and policies to counter them.
“Cybersecurity really is a different ball game,” Naughton said.
The skills shortage is not the only issue, then. After all, keeping up to date with the latest in security is a full-time job in itself. Sleepless also partners with Microsoft’s security threat intelligence centre (MSTIC) to keep on top of threats.
“IT moves fast, there’s no doubt. All our engineers have been on courses multiple times this year alone, but with cyber security even the courses can’t come fast enough so you need to be constantly researching, tuning into blogs, looking at the latest vulnerabilities,” said Naughton.
All under one roof
An increasingly popular option is for businesses to engage a managed service provider to operate a fully managed security operations centre (SOC), which can respond to threats with decisive action.
“This whole idea of SOC is important. We’re seeing increasing take-up of managed SOC services which can provide 24/7 coverage with all user accounts monitored, and in the event of a vulnerability it’s not just an alert, it’s action, and that’s key,” said Naughton.
The premise is simple: rather than being bombarded with pinging alerts, the SOC eliminates the threat and produces a report and record.
“Does a business owner really want to be getting alerts about cyber threats? No, they don’t, they want to get things fixed,” Naughton said.
Sleepless works with companies from five-person SMEs right up to major enterprises with thousands of seats. Naughton said that one of the real benefits of managed cyber security is that it makes security available to companies of any size.
“The good thing about that is that, even if you're a small company you can still have those cyber services in place,” he said.
In Ireland today, Naughton said, there is a growing awareness of the importance of securing crucial business devices, networks and, ultimately, data. Recent events have played a role in this.
“Certainly, hybrid working always brings up the case of cyber security, and also the HSE attack has brought cybersecurity to the front of mind for many businesses, though unfortunately there are still some who just think ‘it won't happen to me’,” he said.
To those businesses, Naughton said, the message needs to get out that today’s ‘hackers’ are serious criminal enterprises. As a result, many businesses do get breached and, in the end, are forced to pay up, but this can be stopped in its tracks.
“It’s a business, a criminal one but it’s absolutely a business and part of the business is to be ‘trustworthy’. If you’re breached, the choice will be: ‘Are we going to be able to continue running our business, and what is the cost of having several days of downtime? What about lost contacts?’”
First steps can be taken, however, and a managed cyber security provider will immediately work to protect the business.
“The main area where people get caught is identity theft, so protecting your online identity is key: having good password hygiene, multi-factor authentication (MFA) and even requiring hardware keys for logging in.”
Interestingly, this could mean ending what has become the bane of working, and even personal, life for many people: tedious password management. After all, if secure hardware keys coupled with analysis of the connection and MFA can be used, passwords will become redundant.
“We have a policy in our organisation that includes 'passwordless' as an option. It uses trusted devices for MFA. I do think that over the next few years passwords will be eliminated,” said Naughton.
Even if passwords are kept on, they can be combined with surprisingly sophisticated ‘conditional access’ and ‘zero trust’ tools and methodologies that can respond not only to purported identities, but even to specific scenarios such as staff travelling abroad on business.
“Zero trust does thread into that, because when you implement it, it means you need to have MFA to start. The system doesn't trust you and it asks who you are, it checks where you are and, via conditional access, can check these kinds of variables: ‘you're in France, you're on a company laptop and you're using a company phone, so I trust that’, but if it’s ‘You're in Australia, not using a company laptop and trying to log in from a cafe’, it won't let you log in even if you have the right password,” he said.