Staying secure in an era of rising costs

If every business today is, as the cliché goes, a technology business then they are also subject to the threats technology brings, from breaches to ransomware and extortion. Indeed, rare is the business today that isn’t aware that IT brings with it some very severe vulnerabilities. But in another sense, most businesses are not really technology businesses: IT is there to support operations, not to become the centre of them. As a result, IT can rapidly become a cost centre, something that is even more of a problem today than ever before.

The question is: with inflation continuing to bite and businesses seeking to reduce costs, is there an obvious strategy for managing cyber security? Gerard O’Connor, security and networking architect at Triangle, recommended working with a security managed services provider, as they can offer scarce skills and do so without capital investment.

“Aside from there being a general ongoing shortage of tech staff, it’s a very difficult market for hiring security professionals right now. During lockdown, tech staff were hoovered-up by the Amazons, Microsofts and so on, and even though that has now reversed, with staff becoming available, they are not necessarily security specialists,” he said.

But even if businesses can find security professionals, and pay the high salaries they command, running a dedicated cyber security response operation is itself a major financial commitment.

“Most businesses are trying to drive down costs. It’s all right for large organisations – insurance companies, banks and so on – who have the resources to build up their own team, but most organisations are not in that position,” O’Connor said.

Indeed, if a typical enterprise has an IT department it will rarely have special expertise in security, because keeping the lights on is enough of a task. This results in businesses rapidly falling behind.

“IT security in most organisations is just a part of IT, meaning the IT does it. Some organisations are now talking about having a cyber person, but a lot of the time that is more of a consideration at board level,” he said.

Board-level understanding of cyber security is to be welcomed, of course, but this alone will not address the rapid changes in today’s IT, and indeed threat, landscapes.

“People who understand it are constantly looking at threat maps. Now that essentially 60 per cent plus of organisations have a cloud presence of some kind, and 80 per cent of them are multi-cloud, you are faced with two different platforms that are totally different and have different controls,” he said.

The enemy of good

O’Connor is not advocating for perfect cyber security because, he said, such a thing does not exist. Indeed, as the aphorism goes, ‘perfect is the enemy of good’, so businesses would be well advised to work on improving their security on an incremental and ongoing basis.

“There is no such thing as being 100 per cent secure. You can have all of the processes and controls in place but there can be a new vulnerability discovered,” he said.

This is why working with a security partner is so advantageous, O’Connor said, as they will be continually investing in hardware and software as well as high-skill professionals.

“You’re always going to have risks, but nobody wants to be the organisation that gets breached and is in the news. Nobody wants to be the CEO or CISO where there is a breach on your watch,” he said.

Typically, a managed security provider will help to avoid this nightmare scenario by having a 24/7, so-called ‘follow the sun’ operation, meaning the network will be guarded even when the business is closed – a favourite time for lurking attackers to launch their encryption.

“You can pick up, essentially, the Batphone, and be talking to an analyst who will be calm and measured,” said O’Connor.

Given that the average downtime due to a ransomware attack is now 21 days, this matters very much.

“If you were down for this long, what is the impact to your business of being down? There’s a huge cost to that, financially and reputation-wise,” he said.

Choosing a managed security service provider is itself a task that requires consideration, but O’Connor said there are simple questions to ask.

“For a start: do they understand your business? Do they get you? Do they seem honest?”

After that, they should make their processes and technology clear, including performing a technology estate audit.

“It [security] is both process and technology. It needs to be someone managing the network, taking your logs, analysing them and flagging up problems, scanning for vulnerabilities. If you don’t have visibility into what you have, you don’t know what your risks are,” he said.

They should also go beyond protection and mitigation, he said, and provide services that actively prevent attacks.

“You don’t just need protection, you need prevention. This is something that needs to change in the mindset: prevent the attack, prevent malware. Your managed security service provider should be able to tell you there was an incident, but that it was stopped. That’s a better place to be in,” he said.