Cyber security is a battlefield. An alarming one. According to the Allianz Risk Barometer, the risk of a cyber security breach ranks higher than supply chain disruption, a natural disaster and even the COVID-19 pandemic. This is a reasonable concern: after all, 93% of networks can be penetrated by cyber criminals, weekly cyber attack attempts have risen by 50%, and cyber attacks on companies shot up by 50% in 2021 alone. Then there’s the cost. Accenture’s State of Cybersecurity Resilience 2021 report found that 81% of organisations find cyber security a ‘constant battle and the cost unsustainable’, while 80% have increased their budgets. It is a battlefield soaked in the broken shells of hacked networks, successful ransomware attacks and tattered defences.
“This is why cyber security awareness month is so important. It creates visibility around the risks and complexities of cyber security and stresses the importance of taking proactive steps to enhance cyber security at home and in the workplace. It should form part of a long-term commitment to sustainable security that takes the four key elements of security into account – training, penetration testing, vulnerability management and EDR,” says Richard Frost, head of cyber security at Armata.
For the business (and its employees) perhaps one of the most important first steps is to assess vulnerability. This means understanding the full cyber-exposure life cycle and where the business has gaps in defences and holes in security and training. Often, vulnerability awareness comes hand-in-hacker with penetration (pen) testing where experts dedicate their time to finding their way into the business. It’s a smart collaboration as the two will help organisations gain a very clear picture of their cyber-exposure.
“Vulnerability awareness often comes out of a pen test and can form part of an ongoing process where you undertake consistent vulnerability assessments of your environment, and vulnerability management is the active hunting for vulnerabilities in software,” says Frost. “Both strategies should align with regular pen testing that’s focused on finding the vulnerabilities and gaps, and should absolutely form part of user awareness and training because user awareness is a key component of any cyber security strategy. People need to know why they are the first line of defence for themselves and the companies they work for.”
The email with the suspicious link that appears to come from a trusted colleague. The phishing SMS that scares the user into entering their personal information to solve a financial problem that doesn’t exist. The weak passwords that anyone can crack and use. These are just some of the critical training touchpoints that should be constantly and consistently reinforced by training within the business. It won’t matter how sophisticated your cyber security products are or how innovative your defences are if Susan from Accounting has just handed the company password to a phishing site.
“Your users need to know why they have to jump through so many security hoops and how each touchpoint protects them,” says Frost. “If they understand what the technology protects them from, and how it achieves this goal, then they will be more aware of the role they play and the importance of adhering to the rules and security policies. And, this will trickle down into their personal digital interactions and add even more depth to their security behaviours.”
None of these security elements stands alone. Pen testing supports vulnerability management; together they support training; and all three together define the EDR implementation that best fits the business. Pen testing will highlight the vulnerabilities and areas where security is lacking, vulnerability management will look for the holes in software that can be used to take control of a system and steal data, and training will potentially stop people from making expensive mistakes – like leaving the digital door open for anyone to come inside.
“Taking the analogy of leaving the door open a step further, vulnerability management is akin to leaving the windows open and a ladder beside them so someone can just climb in,” says Frost. “Now EDR and training are the equivalent of the security company – guards and systems designed to detect and protect. EDR is designed to detect application behaviour – if a programme is suddenly pumping information out onto the internet, EDR will react. It will determine the risk factor, such as malware, and stop the activity from continuing.”
If all else fails, EDR is the best and last line of defence. It is the final cell door slamming shut on dodgy digital activity, and combined with training, vulnerability management and pen testing, it closes the pincer movement on the enemy and redefines the organisation’s security.
“The reality is that cyber security now affects everyone, everywhere,” concludes Frost. “You can be a user at home, a crochet expert downloading patterns, or a high-end enterprise user and you’re vulnerable, you’re at risk. It is time for everyone to educate themselves on cyber security, and to embed awareness into their online activity because this is the best way to stay safe and mitigate risk, for the enterprise, the employee and the end-user.”