Protecting what you know
Security is more than just prevention and, according to John Ryan of Zinopy, should be viewed through the prism of ‘predict, prevent, detect and respond'
It has been a time of change for Zinopy, which was acquired by Trilogy Technologies, one of Ireland’s leading independent ICT managed service providers, back in September.
The move has seen Zinopy take on a larger number of customers which its chief executive, John Ryan, says is down to businesses realising that security is more than just prevention.
“The industry is waking up to the fact that prevention on its own isn’t sufficient anymore,” he said. “You really need to go through the predict, prevent, detect and respond cycle to have effective security. The message must be going out there because organisations are beginning to realise that.”
To give one example of the threats businesses face, the average length of time it takes for a business to detect malware can be as long as 100 days. The number is dropping, with some suggesting that it’s now down to around 50 days but the problem is still the same.
If malware is sitting there, it will have a significant amount of time to steal information and give its creators the necessary information they’re looking for. Discovering and knowing your system is Zinopy’s philosophy, as if you don’t know it, you can’t measure or protect it.
“Even if it hasn’t done any damage to date or stolen any information, it has gathered a lot of information,” he said, “because if you detect and eliminate that particular infestation, it has all the information, you will need to do it again, so it becomes more difficult to deal with in the longer term.”
Since Trilogy Technology acquired it, the company has moved into the same offices and integrated many of its services with Trilogy. It also has helped define certain processes that Zinopy was working on and that Trilogy already had in place. Ryan says it is great from their perspective, as the company has been looking to develop additional services for customers.
“The service that springs to mind is privileged access management. We do things like vulnerability services and patch management services, which are key, but we’ve developed privileged access management and are beginning to bring it to market,” he said.
“That comes back to shared responsibilities and the keys to the kingdom. The one thing that hackers will do when they try to get into an organisation by malware or whatever, they’ll be looking for privileged accounts, ie, access to root and admin accounts”.
“Unfortunately they find it easy to access those credentials because they’re usually held in a spreadsheet somewhere, shared, or they use social engineering to get it, and the reason for that is that organisations don’t have the appropriate technology to manage their credentials”.
The challenges for many organisations, says Ryan, is to ask how they go about approaching security, where they get the skills necessary what technology is best and how do they deploy it.
Most of this can be solved by partnering up with a managed security service provider, who can go in to build and install the necessary services which businesses can later configure themselves. “It’s a key aspect because credentials tests about 80 per cent of all hacks involve admin credentials, so it’s a huge component of these attacks,” he said.
“[Also], the number of vulnerabilities identified last year was three times the number of vulnerabilities identified in 2016. Organisations have to protect against those, so they need the resources, they need the skills”.
Some businesses may believe that an attacker would ignore them because they’re smaller, but that can be a dangerous mindset. The impact of an attack can have far-reaching consequences and even if it’s just a financial one, that can cripple a small organisation.
“You might think, what would anyone want from me, but even things like chief executive fraud and getting your payments diverted to a different account [are damaging],” he said. “If you’re a small organisation and you lose €5,000 or €10,000 that way, that could have a huge impact, just like losing a few million for the larger organisation. We come across [situations] where a small organisation with seven or eight people in it ends up paying €50,000 or €70,000 into the wrong bank account because somebody has hacked into their email and that can have a devastating impact on an organisation”.
The stats make for grim reading, according to the National Cyber Security Alliance in the US, 60 per cent of small and mid-sized businesses that are hacked go out of business within six months. The message is clear, don’t neglect your security responsibilities.
“It has a devastating impact, more so on smaller organisations than big organisations,” said Ryan. “Big organisations have the momentum to overcome it, whereas for small organisations, if they lose their customers’ database, they lose their email, they lose control of your bank accounts, they’re gone.”