There’s no shortage of examples of businesses being targeted by attacks, mostly because the number of vectors open to attack keeps increasing. Businesses now have to protect the likes of cloud environments, mobile devices, trusted third-party applications and mail platforms from bad actors, and it’s not getting easier any time soon.
For every new element added to a business, a strategy to protect it must be put together. However, this is where quite a few businesses fall short. A recent white paper from Check Point found that throughout the first half of 2019, 90 per cent of the attacks observed leveraged vulnerabilities registered in 2017, while over 20 per cent of attacks used vulnerabilities that were at least seven years old.
All of this highlights a significant problem where businesses’ security measures have not kept up with the range of technologies they use.
As a result, companies are not adequately prepared to protect themselves against current and old threats, let alone new ones coming down the line, according to John Ryan, chief executive of Zinopy.
“While new stuff is coming down the line, all of the old stuff still has to be protected against,” he said. “You can’t just assume it’s all protected and then move to the newer stuff; you need to continually hark back to the old stuff while looking at what’s coming down the line. That’s where people have fallen.”
In some cases, it’s not just a case of falling behind with the range of technical solutions; it’s also down to the mindset and continuous investment being put in.
To highlight just how bad it can be, Check Point breaks down attacks into generations. The first began in the late 1980s, with standalone PCs targeted, while the second began in the mid-1990s, when attacks from the internet led to the creation of the firewall.
The third generation started in the early 2000s, when application vulnerabilities were exploited. The fourth generation saw the rise of targeted, unknown, evasive and polymorphic attacks affecting most businesses, while 2017 saw the current fifth generation begin with large-scale, multi-vector, mega attacks using advanced attack tools.
At the moment, Ryan said most organisations are protecting against generation 2.5 at best – desktop and web – when the attack surfaces have increased to include mobile, cloud and Internet of Things (IoT). With 20 billion IoT devices connected at the moment, they’re already a major target.
That’s where the challenge lies as not many businesses understand the threats faced. Nor do they know how they’re attacked or where they’re attacked from as they’re not monitoring their systems effectively.
While traditional security logic breaks companies down into two categories – those who have been attacked and those who don’t realise they’ve been attacked – Ryan sees a third category: those who will be attacked again.
The other reason businesses are not safe is down to security being tacked on instead of being built from the ground up. The concept of security by design has not quite been grasped yet, and the trajectory of any new service popping up follows the same route: people start using it, it gets attacked and then security measures are put in place.
“What’s happening is the same with cloud,” said Ryan. “Organisations say they need to move to the cloud, they do that, find they’re under attack and then they have to retrofit it. We’re not building in security by design.”
“Often organisations put their stuff on the cloud and think they’re safe as they’re secure platforms. But there’s a shared responsibility model where the platform owners will say, ‘we’ll protect the platform, but you’re responsible for your applications and your data’. Often [security responsibilities] fall between two stools.”
In Zinopy’s case, the company has been keeping up with the threats by continuously investing in its security operations centre. Trilogy Technologies recently acquired the firm, helping to double the size of the organisation and giving it more scope.
On top of that, Zinopy’s partnership with Check Point gives it a greater ability to see what’s coming down the line, giving it a proactive approach rather than a reactive one.
“More threat intelligence is available to us, which we can use then proactively to secure our customers’ networks,” said Ryan. “It’s about the investment, giving visibility of what’s happening out there and being able to act in a very timely fashion.”