Cyber security: Proactivity versus reactivity

Peter Yapp, former Deputy Director of UK's National Cyber Security Centre, explains why cyber crime prevention is stronger than the cure

The harsh truth of cyber crime is that, unless an organisation is the direct victim of a cyber attack, they tend to not take much preventative action. The ‘it won’t happen to me’ syndrome is a risky attitude to take, particularly considering the increasing scope of cyber criminals. As technology evolves, so do their targets, tools and techniques for exploitation.

It’s why businesses have to establish robust safeguards and defences to halt threat actors in their tracks. It’s why, in the murky and treacherous world of cyber crime, prevention is always better than the cure.

Time to take cyber security seriously
For many organisations, the starting point for cyber defence is to examine the potential threats directly facing their company. Unfortunately, this all-too-common attitude invariably leads to the illusion a false sense of security. So many current cyber breaches are a result of collateral damage from an attack on another organisation or stumbling across a vulnerability in your organisation by chance and exploiting it.

In many cases, cyber attackers start by scanning the internet for known vulnerabilities, preying on and exploiting the weak and easiest to access. Every vulnerable organisation can become a target (and there are many out there) and this throws the threat focus on its head.

It means organisations should not only focus on shoring up their immediate vulnerabilities, but should be interrogating the potential ramifications of breaches to vendors, partners, clients and, especially, their supply chain.

Supply chain remains a cyber security weak link
The software supply chain has increasingly become an alluring target for cyber criminals, with attacks increasing by 78 per cent in 2019. It has evolved into a global issue that requires an international solution to mitigate.

Every member of the supply chain must play their part. After all, one weak link is enough to break the entire chain. It’s why organisations must not only regularly patch their own software, but also stay firmly on top of their third-party suppliers. Most companies probably know who handles their data processes, but are they aware who has access to their air conditioning units? Do they know how much network access the organisation who handles the physical security of their building has?

Once organisations begin to build a map of their supply chain, they can begin rating suppliers based on their level of access to your network. It sounds simple, but you’d be shocked at how many companies don’t exercise these basic levels of protection.

With high-risk suppliers (who have greater access to your network), organisations can then begin penetration testing to evaluate the security of their systems. Of course, this depends on whether your contract allows this, so consider including penetration tests in any new agreement with third-party suppliers to ensure this can be easily done in the future.

For both high and lower-risk suppliers, carry out regular vulnerability scans and make sure that all suppliers are, at the very least, contractually obliged to notify you when a breach occurs.

Learn from others and accept that mistakes happen
Even the most sophisticated IT teams will make mistakes every now and then. It’s exactly the moment cyber criminals yearn for: just one crack in the armour, and they can infiltrate an entire system and do untold damage.

Even if you’re not the direct victim of such an attack, you should be learning from others mistakes and applying those learnings to your own defences. Organisations should be proactively protecting against every hacker and every common kind of attack.

And, if a breach occurs and it’s not immediately noticeable what impact it’s had, don’t make the mistake of brushing it under the carpet. Many cyber criminals will covertly infiltrate a system, and lie in wait until a commercial opportunity arises that they can exploit.

Pray for the best, prepare for the worst, and expect the unexpected
The biggest misconception about cyber security is that the perfect set of impenetrable defences exists, somewhere out there. Companies must accept that they can’t prepare for everything, but instead should adopt plans that allow for agility and rapid response.

It’s why incident response plans should always be prepared with the worst case scenario in mind, regardless of whether the attack is a direct breach, or an assault against a third-party supplier, vendor, or partner. While many companies run penetration tests every six months (or even just once a year), this only provides a snapshot, so it’s essential to carry out vulnerability scans on a daily basis.

By making these scans and practices a routine part of normal business operations, organisations are infinitely better placed to understand what the attack surface looks like and where potential weaknesses lie.

Peter Yapp