Keeping the core resilience strong

Recent attacks have put security in the spotlight, but while attacks evolve and change, the fundamental strategy of resilience remains the same

Integrity360’s chief executive Eoin Goulding

The recent ransomware attack on the HSE has put the subject of security front and centre yet again. As a result, cybersecurity specialists such as Integrity360 have experienced a massive increase in inquiries from enterprises of all sizes that want to know how secure they are, whether they’re making the right investments and even where they should start.

The crucial point that Integrity360’s chief executive Eoin Goulding makes is that the HSE attack is public, whereas such attacks happen every week, to the point where – to paraphrase the famous quote – there are three certainties in life: death, taxes and cyber attacks.

Businesses, then, need to be as resilient as possible and treat their digital and online security the same way as physical security.

“All you can do as a business is make yourself as resilient as possible. That’s the play,” Goulding said.

“If you look at a house, you can put a lock on, set up an alarm, put locks and bars on the window. It’s exactly the same with companies when it comes to cybersecurity.

“You’re never going to be 100 per cent secure, but you have to make yourself more resilient and make it more difficult for anyone to breach your systems.”

Doing so requires businesses to have processes and technology in place and their people trained up, all of which requires preparation in advance: knowing what you have and what you need to protect.

Some companies fail at this first hurdle. Goulding says a common theme in dealing with new customers is how they’re spending money in the wrong areas. It’s an unnecessary burden, as good security practices can positively influence all parts of a business, including the bottom line.

“They really need to follow a framework where they understand what the crown jewels are and protect that by having the processes in place and people trained,” Goulding said.

“Following a framework can make your company more profitable and more agile. If you have ISO 27001, you can make sure you’re getting the best out of your investments, as you know you’re spending it in essential areas.”

All of this comes back to continuous improvement, where you redefine your strategy to meet your needs. Much of this falls on the culture around security, which may not be viewed positively in the company.

“Employees think security measures restrict them from doing their job, whereas it’s done to protect them, and allow the company to scale,” he said. “Embedding this positivity in the culture is the first key point, explaining why we have to do this.

“The culture is absolutely key, and it’s not a hard thing to do, as there are a lot of great e-learning platforms for cybersecurity training out there.”

But unless you’re a major company with significant IT security resources, the importance of having skills, expertise and help a phone call away cannot be overstated. Having a plan in place can be the difference when an attack happens, reducing the downtime from weeks to hours.

The challenging part is that businesses can set themselves up for failure by not having the right processes, patching schedule, or even logs in place. It’s a weakness that can remain unknown until experts such as Integrity360 come in to do vulnerability testing and assessment.

“Cybersecurity can be a niche sector, but it’s so in-depth,” Goulding said. “For example, a lot of times customers are patching in the wrong areas so when we get involved and give them reports saying where to patch and when, they get a much better ROI.”

Integrity360 is the only Irish company included in Gartner Research’s Market Guide for Managed Security Services, a sure sign that it meets the global requirements for offering important cybersecurity services.

One of these is managed detection and response, which uses threat intelligence to check if clients are exposed and protect them. It’s a way of ensuring that if a threat eludes the regular security controls, it will still be picked up.

Overall, there are significant benefits to having good security in place. With a change in culture and the right plan and training in place, it will be a net positive for all.

“With security, 99 per cent of people have it in their head that it’s keeping you protected, but it can also save you money, reduce costs and make your company more valuable,” Goulding said.

“It can help win bids against your competitors, because now a lot of companies are putting out RFPs [Request for Proposal] and there’s a big piece covered about how secure you need to be when responding, because third-party risk is a huge thing.

“If you take the right approach, cybersecurity can use that as a competitive edge.”