Blog post -
Helping SMEs to zero in on the risks
The rapid adoption of technology is a commercial and organisational imperative for every business in every walk of life. Over the last twelve months, both public and private sector organisations have accelerated their digital plans, with Microsoft CEO Satya Nadella quoted as ‘seeing two years’ worth of digital transformation in just two months within the organisation.’
From a cyber security context, the implication of this rapid change is a rapid proliferation of existing risks. So, while staff have had to adjust to new tools to deliver their objectives, from video conferencing through to new VPN connectivity and new cloud-based versions of office productivity applications, threat actors have come up with creative new social engineering techniques, phishing processes and ransomware variants. They have also exploited what might previously have been low-value vulnerabilities to pivot into positions of privilege.
In part, this has been made possible because organisations had to move so rapidly to provision locked-down staff that some risk management processes were suspended or deferred – something that we refer to as a compliance debt.
What can organisations expect in 2021?
To cope with the rapid scaling up of technology adoption, an increasing number of organisations turned to automation within their security domains to keep pace with the risks that technology adoption brings. In turn, this requires more specialised personnel to handle the processes, control the technology and support the organisation.
- Skills shortage
A recent industry report from training and certification body ISC2 estimates that there is a global skills shortage equating to a need for four million more security professionals, meaning organisations either compete for the best or develop their own people from scratch and accept inflated risks until they can catch up.
In addition, regulation such as the EU’s GDPR and NIS Directive, and industry regulators such as the FCA provide a raft of rules and guidelines on handling personal and non-personal data, with substantial penalties imposed for failure to comply. A change in the law in Scotland in July 2020 facilitates data class actions of the type seen in recent high profile cases. All of this substantially increases complexity and risk, and is unlikely to be the last word on the subject.
Risks are increasing daily with the accelerated mass adoption of technologies, surging data volumes and increased sophistication and numbers of bad actors.
What’s the solution?
Traditionally, the single solution to these issues would be to outsource automation and resource upskilling to a managed SOC (Security Operations Centre) at a cost, which means it only makes sense for larger organisations to manage their risks in this manner.
For those businesses across the world that fit into the small to medium category, and simply do not have the resources or finances to invest in such a service, there is the need for a more tailored solution which meets their requirements.
A key tenet of doing more with less is prioritisation: when budgets are tight, CISOs have to get used to achieving the same, or more, with fewer resources. Unfortunately, this is the worst time to be cutting security spending. Research from Portsmouth University has revealed that fraud rises during recessions, often linked to an increase in ransomware and other potentially lucrative attack methods.
What can businesses do?
Now is a perfect time to revisit and re-evaluate the decisions that were made when the transformation began to accelerate.
- Basic security hygiene – as always, credential management, multi-factor authentication and patching have to be a priority.
- Ability to detect and respond to attacks – threat detection and response is a priority for most CISOs because they recognise that the faster a breach is detected and dealt with, the easier and cheaper it is to fix.
- Having an incident response team and a robust plan can go a long way when it comes to saving an organisation money. In 2019 the Ponemon Institute report said ‘having both in place could save a firm $1.23 million per breach’. This year, Ponemon suggests that having both in place ‘could save an organization $2 million; $5.29 million without either vs. $3.29 million with both.’
- Deploying security automation technologies can help too; organisations without security automation experienced a higher cost, by $3.58 million, than those with automation deployed.
Managed Detection & Response
While there are many powerful technologies available to assist with detection and response, real expertise is required to squeeze the greatest value from them, and skilled security professionals are in demand, which makes recruitment expensive and difficult.
In this climate, it is not surprising that managed detection and response (MDR) services are taking off in a major way. Gartner estimates that by 2024, as many as 25% of all organisations will be using MDR services.
MDR combines multiple layers of defence to keep an organisation’s systems and critical data safe from cyber threats, offering achievable price points to the public and private sectors.
Driven by a unique, human-led approach, MDR combines threat intelligence, 24/7 monitoring and incident response to put an organisation on the front foot when it comes to hunting, detecting and responding to cyber threats.