As anyone in the industry will tell you, there is more to cybersecurity than simply information technology: human factors are the main vector for attack, and, in the world today, the technology is the business.
Paul Casey, chief operations officer at Paradyn, said that with its security service practice, the goal is to help its clients with a holistic and best-practice framework to secure business assets and resources.
The bulk of Paradyn’s clients are in the government and enterprise sectors, both areas in which cybersecurity has shot up the agenda of management.
“From an IT or cybersecurity point of view, they tend to be more sophisticated than a mom-and-pop shop on the corner and would tend to have some level of internal IT, whether it’s focused on infrastructure or even has some focus on cybersecurity,” he said.
The company works with its clients to understand the business and where and how it is exposed to threats, and from there develops a strategy for keeping things secure.
Even organisations at this level where security has never been skimped on have had to learn lessons of late. And it is a tale that will be familiar to just about everyone.
“The last 18 months have put the focus on cybersecurity so much. Working practices have changed. Previously, most organisations had everyone inside the castle. Yes, you had some remote workers on the road, but generally you had a lot of control. Then a switch was flicked,” he said.
With the shift to remote work, new opportunities were created not only for businesses to move online and workers to consider relocating, but also for criminals seeking to profit from confusion and uncertainty.
The organised crime aspect of cyberattacks is what is truly different from the past, when hackers worked for bragging rights or simply to be a nuisance.
“Cybercrime is a business and a lot more money is involved [than before]. You can contract and hire ransomware organisations and split the profits. Frankly, it has been commodified,” Casey said.
The rational response to this world of professionalised crime is to accept the arms race is going on and to respond with equally professional countermeasures, he said. However, this requires more than throwing resources at the problem. Instead, the first step is to understand the risk.
“Obviously everybody is worried about ransomware, but it’s at the end of the process. It’s what happens after someone has given away credentials, clicked on something they shouldn’t have or something hasn’t been patched. We’re looking to take a step back and take a deep look at the business.
“It’s easy to get caught up in thinking ‘there’s a shiny firewall I need to buy’ or ‘I can get this software’, but, ultimately, cybersecurity is a much wider thing. It’s about company culture, it’s about leadership, and it’s about business processes. A lot of cybersecurity is about getting the boring stuff right,” he said.
Casey recommends businesses look at the Center for Internet Security’s list of Controls, version eight of which is now available free online.
“CIS Controls is a set of best practices, and it forms part of what we use to identify, develop, validate, promote and sustain best practice solutions for cyber defence,” he said.
Paradyn uses a three-stage ‘gap analysis framework’ derived from the CIS Controls, during which it reviews clients’ IT infrastructure estate in order to chart the gaps in not only systems, but also processes and policies.
Casey said that the question of people and processes was too often ignored: “You do need the server guys, you do need the firewall people, but you also need to get the business processes right.”
Of course, with remote working the question of processes becomes even more urgent.
“If you look back ten years ago, what were you securing? You had on-premise users and an on-premise e-mail server, and possibly an on-premise database server. Now you have cloud to manage, possibly multiple ones, plus people all over the place, then the CEO comes down and says they want Outlook Anywhere or Office 365,” he said.
From inventory and control of hardware and software assets up to penetration testing, the right controls help protect organisations, and they also enable compliance with measures such as GDPR.
GDPR, though, is not the be-all and end-all of data protection, and issues such as intellectual property should also be in the frame.
“GDPR is good, as it brought great emphasis on data, [however], the thing that I talk to companies about is that GDPR is concerned about PII [personally identifying information], but there’s more to data than PII. A lot of organisations put a lot of work into GDPR compliance, but it stops there,” Casey said.
“Cybersecurity is not just three things, it’s a thousand small things,” he said.