Cybercrime statistics can easily be described as disturbing and horrifying. They reveal attacks and breaches that are expensive, intrusive, damaging and time-consuming. Verizon’s research revealed that around 94% of malware was delivered by e-mail; the leading social engineering attack remains phishing; 39% of breaches were perpetrated by organised crime; and 71% were motivated by money. This landscape is further complicated by Covid-19, the sudden shift to remote working, and the introduction of new and unexpected vulnerabilities.
According to Jayson O’Reilly, GM of AtVance Intellect: Cyber Division, organisations have spent hundreds of millions of rand on technology, security operations centres and resources but few are verifying whether the money spent is being put to good use.
“Securing the enterprise is not just about purchasing new technology and moving the dial. It’s about taking existing investments and ensuring that they are delivering results,” he said. “There are so many organisations not getting value from their security investments and suffering breaches that they could have avoided. It’s critical to verify and validate any security investment on an ongoing basis to find the holes and plug them with proactive security measures.”
Existing security must be consistently tested, assessed and managed to ensure that vulnerabilities and unexpected risks are not creeping in undetected. This is a common problem. An International Data Corp survey found that one of the biggest causes of cloud data breaches is misconfiguration of security. It also revealed that 80% of companies have experienced such a breach in the past 18 months and that misconfigurations and the inability to detect access to sensitive data are two of the top threats facing business.
Validate, verify, adapt
“Are you more secure today than you were yesterday? How do you prove the value of the security investment if a threat actor breached your existing controls due to misconfigurations and process gaps? What vulnerabilities have arisen from the ashes of the pandemic? These are the questions that organisations should be asking,” said O’Reilly. “Checking for firewalls or antivirus protocols is how the business stayed secure in the 1980s and 1990s. It’s a different conversation now – today it’s doing the homework, validating the security is good enough to protect against cloud- and infrastructure-based attacks, and mitigating against potential fraud.”
In short, organisations need to be as offensive as possible. They need to take a proactive approach that hunts for the holes before the hackers do. This is particularly relevant now that the pandemic has pushed many organisations online and into new remote working paradigms, because a multitude of unexpected and unknown vulnerabilities have emerged. According to the United Nations, there has been a 350% increase in phishing websites and there are increased concerns around how organised criminal groups are targeting and exploiting new vulnerabilities.
“In mature environments, organisations are going on the offensive – looking for potential risks so that they know exactly what their gaps are now, rather than when they are breached,” said O’Reilly. “This is a far better approach than spending millions on security and then having to pay out for a ransomware attack and justify the costs and reasons to stakeholders. Over the past three months, leading organisations have had to pay around US$9.5-million to get the attackers to release their datasets. This is a cost few can afford at the moment.”
The moral of the story is simple – don’t wait. Get your business a cybersecurity stress test as soon as possible. If the organisation can take a look at its people, process and systems from a risk perspective and adopt an offensive strategy, then it can spend money in the right places, reducing costs and increasing value in existing controls. Consistent risk-based engagements plug those pesky security gaps and formulate a far better executive discussion.
Not all vulnerabilities are equal
“Not all risk is created equal and not all vulnerabilities are significant,” said O’Reilly. “This means that you need to work with a partner that understands the intricacies of security and how to capture risk and vulnerability in a single and secure net that protects your company holistically.”
Collaborating with a security-focused organisation gives companies the space and opportunity they need to ask the pressing questions that change the culture and approaches of their people and practices. Questions like: Am I more secure today than I was yesterday? How can we get the most value from our security investment? What risks and vulnerabilities are potentially impacting on my security posture? And who has access to my crown jewels, “organisational data”?
“The most important thing for any client is to determine if the risks warrant more investment or if they can adapt existing systems and infrastructure to solve problems,” said O’Reilly. “Covid-19 has changed this more than anyone can imagine. Most companies are still trying to figure out working from home securely. But, with the right partner, and a risk-based approach, coupled with constant verification and validation, your organisation will be prepared for what lies ahead.”
About Atvance Intellect
Atvance Intellect helps organisations attract new customers, optimise processes, and drive sustainability, profit and growth by assisting them to leverage their intellectual capital. Bringing together all the secure data sources that a company has at its disposal, we apply data to every question, decision and action, transforming it first into information, and then into actionable intelligence to maximise business objectives and goals. Our deep understanding of the data-driven technology landscape inspires us to find new and innovative ways of unlocking value, helping you better understand your business landscape and achieve your objectives. We take all your data points and sources and turn them into assets that can translate into growing a successful business. For more, please visit Atvance Intellect’s website.
- This promoted content was paid for by the party concerned