Cyberattacks are asymmetric in nature with the perpetrators operating in a similar fashion to guerrillas who operate from undercover and check for weaknesses in a richer and more powerful adversary. That makes it much more difficult for organisations to defend against them – the cybercriminals only have to get lucky once; the defenders have to be lucky all the time. The question for organisations is how in these circumstances can they assess their vulnerabilities and determine their cyber risk exposure.
Fortunately, that doesn't mean an organisation needs to secure every single system. "You don't have to fix all the vulnerabilities," says Eoin Keary, chief executive of cybersecurity specialist firm Edgescan. "You need to understand what you're trying to protect. It's a question of fixing the systems that matter most. Some systems are super important and spell big trouble for organisations if they are hit. That means identifying your most important assets, the systems which are the oxygen for the business. A lot of businesses don't ever do that and that leads to vulnerabilities."
He also advises companies to use automated security systems where possible. “It is faster and helps you keep pace, but you can’t rely on it,” he adds. “AI is still in its infancy. If you are using it against a determined human adversary, you won’t win. The human will always win in the end because they are cleverer, more inventive and more imaginative. Automation does the donkey work, but the human looks deeper.”
Problem
Huawei chief security adviser Colm Murphy believes action must be taken at the very highest levels. "Cyber is very much a board-level issue," he says. "I don't think it's any longer acceptable for a company to say it's an IT issue or someone else's problem. It's a critical risk-management issue. It would be unthinkable for a board member not to be financially literate. It should no longer be okay for board members not to be cybersecurity literate. The cyber response needs to start at the very top."
He explains that Huawei has a global cyber security and privacy risk committee chaired by a board member who reports directly to the chief executive. “It’s a top priority for the organisation,” he adds. “We are in the unique position that we are scrutinised probably more than any other company in the world from a cybersecurity point of view. That sets the tone for the rest of us. That’s really where it begins.”
Carolyn Drury, global security marketing manager with Hewlett Packard Enterprise, advises companies to identify and prioritise risks and set up a mitigation and action plan. "Once your assets are identified, identify what could become a target," she says. "For every asset, map out possible threats, the nature of the vulnerability, such as a poor system or software patching, which asset the vulnerability applies to and the impact that a breach could have on your business operations."
Prioritising risks involves assessing all potential vulnerabilities in a matrix to determine the likelihood of the asset being targeted. “That should be cross-referenced with a rating that determines the potential severity of the impact on business operations,” Drury adds. “This will allow your organisation to determine the assets that need to be prioritised.
“It is important to have an intelligence-driven approach to the protection and defence of your assets,” she points out. “By using a defined cyber kill chain, organisations can determine the stages of a cyberattack that may target their assets to identify likely vulnerabilities and provide them with a well-documented risk mitigation plan for each asset that determines what action should be taken to stop the attack at every stage.”
The best way to assess how vulnerable your defences are is to test them, according to Brian Murray, enterprise account executive with security software and hardware company Sophos. "This is called 'penetration testing' and if you don't have the tools or resources in-house, there are many organisations with the expertise to help. If you've been hit and don't know how to contain the impact, investigate or shore up your defences, or want help monitoring your network so you can reduce the likelihood of it happening again, there is specialist incident response and threat hunting help available 24/7 from security vendors."
According to Sarah Hipkin, head of technology consulting with Mazars Ireland, many organisations opt to obtain assistance using professional services firms, such as hers, to support them with identifying their cyber security organisational and technical gaps, risks and other issues.
“The assessment may be against an industry best practice security framework such as the NIST (National Institute of Standards and Technology) or ISO27001 standard,” she points out. “The key aspect is for an organisation to identify its most critical information assets, and to understand where any potential vulnerabilities exist, which must be addressed as a priority. We also perform digital footprint, security vulnerability and penetration testing services of networks and digital and cloud technologies to assist with risk-based assessment.”
‘Day zero’ attacks
Hardware, software and the human element must all be addressed, says Karl Duffy, head of enterprise and public sector with Three Ireland. "It is critical that companies have a clear view of the hardware and software applications that exist within their business that may have the potential to create a cyber risk. Are they being patched and maintained to an industry standard? A customer should talk to their existing providers and ask these questions, and also ask questions around what device, for example, mobiles, and sites, links etc are being used for work and may not have security. It is really important to identify a technology partner that understands the threat landscape and is proactive in mitigating 'day zero' attacks before they have a chance of accessing your business or organisation."
Companies should also have a clear view of where the weakest link lies, Duffy adds. “Through Covid-19 and the increased dependency on remote working, the ‘connected boundaries’ of an enterprise extend well beyond the physical infrastructure of their businesses,” he explains. “How employees and customers engage digitally with your business creates new opportunities for cybercriminals to test the boundaries of your organisation. Companies should ask themselves what steps are being taken to mitigate those risks.”