Growing sophistication of cyber crime requires businesses to respond accordingly

Antony Russell, chief technology officer, Telviva.

---

It would be fair to suggest that most people are tired of hearing about cyber security – not because they don’t see a need for it, but because they accept that cyber crime is a serious issue and a massive risk to their businesses (and personal digital lives) and they’ve already accepted that they must do something about it.

However, it’s not good enough to take a “been there, done that'' approach. The plain truth is that we can never hear enough about cyber security because, rest assured, criminals are working around the clock to uncover new vulnerabilities. A “day zero attack” focuses on a previously unexploited weakness, and until that vulnerability has been mitigated, there is an almost unimaginable potential for harm, especially if the software is widely used. This means that unless we constantly make time to focus on cyber security and keep it front of mind, it's conceivable that we could drop the ball on implementing patches or updates, leaving a fresh vulnerability like a flashing red light attracting criminals into our organisations.

One may argue that this sounds alarmist and a bit like doomsday commentary, but imagine this scenario: one of your employees receives a notification on his or her laptop to update to the latest version of a software application. This update contains important upgrades to mitigate vulnerabilities. However, he or she is chasing a deadline and so mutes the notification. And then does this again, and again. At some point in the future a nefarious threat actor is scouting the environment and finds the open door to your system. Despite all your efforts, the backdoor was left open by an employee who had not had cyber security front and centre of their mind.

The above scenario is far more common than one would like to believe, but despite that, there is an overall impression that from a South African perspective, we are catching up with the rest of the world. While we have made good strides as a country, there are still obstacles – not least the pain of a non-revenue-generating department being thrust upon the board.

Even if a business decides to outsource its security, it still needs some degree of skill within its walls. Before, it was normal to do what we thought was best and then hope for the best. Now, there are industry standards and best practice protocols that have been imposed on businesses across industries. Adhering to this costs time, money and resources. While it is a department or investment that does not generate revenue, without investing in it, a business’s ability to generate any revenue at all may well be at risk.

This is a difficult pill to swallow locally, as it does not come cheaply – that’s if the scarce skills can even be found and retained. A small and medium business will soon realise that it needs to increase its headcount by up to five people. A larger organisation will be looking at closer to 10 new staff.

In addition to this, a theme that has gained momentum over the years is the movement towards zero trust. This is all good and well, and certainly suits some organisations better than others – such as large corporates – but there has to be an educated balance between security and usability. The only real zero trust environment is analogue because air-gapped processes are the only ones guaranteed to be out of reach of cyber criminals. Once you plug in, you must realise that you may well be taking all the vitamins possible but the risk of infection remains.

If we return to our scenario of the employee that did not update their system, we land on an important theme: the majority of breaches and hacks are likely avoidable. A day zero hack triggers a flurry of responses until there is a patch or update to prevent it from happening again – which is when the threat actor moves on to find other weaknesses.

A very small proportion of vulnerabilities are responsible for most of the exploits we read about. For example, a well-publicised ransomware attack may be the ultimate outcome, but it would most likely have been achieved through one of a small set of vulnerabilities that had not yet been patched or corrected with an update.

The first certainty, for 2023 and beyond, is that threat actors will continue to seek out vulnerabilities. The research and development teams of the criminal underworld are hard at work and we must appreciate that they share their exploits and communicate broadly about the best ways to attack. This collaboration speaks to a sophisticated criminal community and this co-ordination feeds an ongoing increase in ransomware attacks.

If we understand that, then our single-biggest concern going forward will be how we deal with an increase in sophistication. It does not matter which means are used by the criminal, or which vulnerability they look to exploit. We’ve been lucky so far in that scams such as phishing e-mails have had clear telltale signs – be these grammar, timing, interface, obvious links and more. However, with the strides in technology, and artificial intelligence in particular, it is conceivable that soon it may be nearly impossible to differentiate between a legitimate e-mail from your bank and a scam.

And so what does one do? Businesses – and individuals – need to understand the overall attack surface. Everyone must understand what is vulnerable: are we on top of all the PCs, laptops and mobile devices? Do we know which VPNs or services are available?

Once a business fully understands its attack surface and has mechanisms to keep that understanding up to date, it is a good idea to make use of third parties who can run penetration tests and vulnerability scans. Get to grips with your cloud security obligations (or collaborate with a partner who can help you). The cloud provider is responsible for the security of the cloud infrastructure, but whatever you use in that environment is your own responsibility. Stay on top of it.

In a recent article, I spoke about the importance of ongoing user education and digital hygiene. As cyber criminals become more sophisticated, these habits become more important than ever before. For instance, it is inexcusable to run software that has not been updated with the latest patches; there must be constant threat monitoring; multi-factor identification is non negotiable; firewalls must be managed properly; and much more.

And then, while considering the balance between security and usability, all organisations should be moving along the continuum of a zero trust strategy. Ultimately, each and every user is responsible for security. So alongside investments like a dedicated security team and the assistance of third-party partners, ongoing user cyber crime education and awareness strategies will remain some of the most important investments for any business.

Ensure an excellent experience for all your cloud-based services with fast, stable network access and managed firewalls. Telviva's vendor-agnostic approach gives your business the most appropriate access network solution for your needs, with the broadest choice at the best price (equivalent to going direct) and maximum supplier redundancy. Contact us today.