Managing the cyber risk

If one thing can be guaranteed in the world of technology, it is change. New systems replace or augment old ones, while users continually demand faster and easier access to data. From a cybersecurity point of view, of course, this causes a real problem: how can any organisation keep up to date in such an ever-shifting landscape?

According to Ross O’Donovan, enterprise account manager at Presidio, one of the most significant aspects of cybersecurity today is that the IT landscape itself is changing: as users, both internal and external, now interact with business services and IT estate in a new way.

“In the world where digital online apps are what people interact with, that's the front end these days,” he said.

However, this does not mean that the old faithfuls of cybersecurity, such as hardening the perimeter and ensuring a backup strategy is in place, can be ignored.

“Even today we would still say, the basics are still not being done. People are not as informed as they should be. Some of the most recent breaches we’ve seen were very much avoidable,” said O’Donovan.

One key to this is understanding the human element. After all, the best software and hardware in the world will not stop a breach if staff let attackers in.

Indeed, phishing and in particular spear-phishing where an individual is targeted, are often the easiest way for bad actors to get past security.

“Users, end users, are still a big issue. You're rushing too fast, an e-mail pops in and you click on it. Nine times out ten it’s fine, but the one time is the problem, and it can be serious,” O’Donovan said.

The answer is simple, but not easy: regular training.

“I don't think there's any new or sexy way to do it, but it does matter. A lot of enterprise customers are moving to ongoing training over the course of a year,” he said.

Targeted attacks are a key part of the threat today.

“For our enterprise commercial customers, generally it’s a targeted attack that they face: the technology and the processes do a good job getting the more general ones.

Generally it’s a zero day and something somebody's been working on for some time; perhaps they have a grudge to bear, or even a political agenda. However, the point is they are more knowledgeable than ever and more professional than ever – and they’re more persistent than ever.”

Understanding where and how a potential attack could occur is essential, O’Donovan said, and the first step in this is to know exactly what systems you are running, where they are running and what they are doing.

“In asset management, we still see a big gap. Organisations just aren't doing it right. It can be an onerous task to identify all assets, but it is necessary,” he said.

Indeed, IT alone is not the entirety of the so-called ‘attack surface’. As attackers and businesses are locked in a Manichean battle, cybercriminals are on the lookout for alternative ways in, such as connected machinery and internet of things (IoT) devices.

“The IT avenues are getting closed down so there is a growing focus on OT [operational technology]. OT is very hard to proactively protect as it’s hard to understand the implications of closing down a port, plus the software can be old and legacy, and the hardware generally is old and legacy.

Faced with all of this, today, fewer and fewer organisations handle cybersecurity internally. Faced with a fast-moving threat, high wages and a lack of skilled security experts, security has become too onerous a task for the vast majority of organisations. Instead, they turn to service providers like Presidio to assist them.

“I could probably count on one hand the number of enterprises that take care of it internally. The 24/7 model is very disadvantageous in Ireland and, yes, there is a massive skill shortage,” he said.

In Ireland specifically, while the HSE breach and ransomware attack certainly concentrated minds, awareness of security – and the significance of the threat – has risen in recent years, including at board level, O’Donovan said.

“There has been a general maturity over time in the Irish market,” he said.

However, businesses cannot just hand over the security function and consider the job done. O’Donovan said that boards should be aware that they are still where the buck will stop. As a result, a security service provider should be seen as more of a partner than a simple outsourcing operation.

“You can't outsource the risk. It's still their customer, it's still their data. They outsource the operational side of it, but they have to understand the risk – and that there’s a cost to it”.