It’s possible to be too clever. Sometimes, in our efforts to combat increasingly sophisticated cyberattacks perpetrated by well-resourced hackers, we can become mesmerised by potential threats and pour all our resources into the latest security technologies – all the while neglecting the basics. By doing so, we are providing an open door for opportunistic attackers.
It’s easy to scoff at measures such as password hygiene and staff training when organisations already face so many other challenges to keep on top of, such as disruptive tech, software changes, cloud migrations and data analytics. New security technologies and techniques such as AI and advanced behavioural analytics are important weapons in the fight against cybercrime, but on their own they won’t prevent opportunistic attacks by low-skilled criminals. It’s like investing in a top-of-the-range, IoT-enabled home security system, only to leave the front door wide open every day you leave for work.
This isn’t to denigrate advances being made in areas such as behavioural-based analytics or various identity access management (IAM) solutions and other useful tools in our security armoury. These are crucial weapons in the fight against hacks and other forms of cybercrime, but they shouldn’t distract us from the more mundane, less-celebrated and more-neglected tasks needed to keep our systems and networks secure.
Take patch management, for example. You don’t have to be a security expert to appreciate how delaying patching and other security updates is practically an invitation to hackers to try their luck against your corporate network. Yet recent research has shown that more than four in five breaches are the result of poor patch management.
It’s often said that cybersecurity breaches are inevitable, and it’s true that the skilled and determined hacker will always get through. That’s no excuse, however, not to take the basic precautions that will prevent many – perhaps most – attacks.
Because for all the talk about hacking collectives and state-sponsored cybercrime groups, casual and unskilled attackers represent just as big a threat. In fact, according to security researcher Mikko Hypponen, one of the biggest attacks of recent times – the DDoS attack in 2016 that disrupted corporate giants like Amazon, Netflix, PayPal and Reddit – was most likely perpetrated by “script kiddies”. His reasoning was that the attackers used code that was so basic, anyone with a passing interest in cybersecurity could have written it.
New technologies and approaches are key to combating the rise in cybercrime, and new techniques such as behavioural analysis are much better at identifying suspicious activity than older, signature-based methods. But just as it’s fatal to underestimate one’s enemies, so it’s dangerous to overestimate their capabilities to the extent of becoming lax with the basics of information security.
Remember, attackers don’t have any incentive to work harder than they need to; they are looking for any vulnerability in the network – a badly-configured firewall, for example, or a poorly-patched system. They also target human weakness, which is why phishing / spear-phishing attacks continue to be such a lucrative tactic for criminals.
If organisations overlook these basic areas of security, then no amount of security software solutions, advanced behavioural analytics or AI is going to prevent these intrusions from occurring. New security technologies and methodologies must not be allowed to obscure the continued need for practices that are proven to have a significant effect on cyberattacks. These include conducting rigorous and periodic assessments of security processes and effectiveness of controls, and fundamental practices such as the immediate removal of privileged accounts, rapid and thorough patch installation and updates, and training to prevent attempts at social engineering.
Moreover, there’s a dangerous misconception that the majority of IT workers are somehow more immune to phishing attacks; that their skill and experience in technology means they’ll be able to spot spoof emails more easily. That’s simply not true, especially as these attacks are growing ever more sophisticated, for example through spoofing HR emails, or by clever facsimiles of HMRC / IRS tax enquiry emails. All it takes is one click out of the hundreds of emails these scammers send, and the organisation has a major potential breach on its hands. Let’s not ascribe godlike omniscience to our colleagues in IT, who can be just as fallible as the rest of us.
No-one looks forward with glee to the prospect of conducting a security maturity assessment, but it is nonetheless a critical undertaking for any organisation that values its (and its customers’) safety. Similarly, reviewing disaster recovery and business continuity plans is crucial for minimising the impact of any breach that does occur.
By all means invest in the latest generation of security tools, but don’t think that these technologies free you from the fundamental work of reviewing your entire security estate, patching quickly, managing identities and permissions, and training all employees – even IT workers – in how to spot and report phishing attempts.
There will be no end to the eternal war against cybercrime, but there can be victories for those prepared to fight it. Every breach defeated is a battle won, forcing cybercriminals to expend more time and resources on developing new tools and techniques to infiltrate their targets. Conversely, if we make things easy for the hackers it will free them to launch even more attacks, and encourage others to pursue such a lucrative and risk-free activity.
By following the basics of cybersecurity – while continuing to deploy the latest advanced technologies – we can not only help to protect our own organisations, but the whole business ecosystem too. That, surely, is the cleverest way to wage the war.
Vinnit Patel, Head of Cybersecurity & Risk Consulting, Infosys Consulting UK