Cyber-attacks cause very real and tangible damage to businesses, not only in financial losses but also in damage to reputation.
Risk management is one link in the prevention and mitigation chain: it is essentially the forecasting and evaluation of risks, together with the identification of protocols and systems that can be used to minimise their impact or avoid them completely.
However, this discipline is extremely hard to apply to the risks posed by the myriad cyber threats out there. They are hard to define and harder to prevent, and it is almost impossible to accurately assess the cost and damage of a breach once it has taken place.
So says Lutz Blaeser, MD of Intact Software Distribution, adding that outside the technical department or the CISO’s office, not many people in a company understand the very real risks posed by cyber criminals. “Because there is this disconnect between technical and business, the company is put at risk, as IT managers don’t have the influence needed to force the business to up the security budget.”
He says this is compounded by the fact that the number of threat vectors is growing, as is the number of attack surfaces. “In addition, threats are getting stealthier and more cunning and sophisticated.”
“The slew of devices that is hitting the enterprise is a perfect example of this,” he says. “Nearly everyone today has a smartphone, or a tablet, that can easily bypass the company’s firewall, should the company have no proper mobile device management solution in place.”
Moreover, the number of connected devices being installed in the average enterprise is alarming, too often with too little thought given to how these devices could be remotely accessed and manipulated to spy on the organisation. “No device is sacred. Anything that can be connected to the Web can be hacked, and it is only a matter of time. In the past few years we’ve seen fridges, smart TVs, baby monitors, cars, insulin pumps, pacemakers, lighting systems, and locking systems all fall victim to clever hacks. And these are only the unexpected devices. What about fax machines, telephones, video surveillance and printers?”
The best way to ensure your business remains safe is to limit the attack surface, advises Blaeser. “One thing we know for sure: cyber criminals are smart. If something is going to benefit them financially, they will take advantage of it. Vendors and manufacturers need to understand this, and build security into their Internet-connected devices from the ground up. Businesses need to implement a BYOD policy and enforce the principle of least privilege, ensuring no one has access to any information where there is not a legitimate business need.”
In today’s threat landscape, limiting the attack surface means removing or restricting access to any surface that is not necessary or not authorised. “Don’t become another breach statistic. Too often, businesses only take their information security seriously once they have suffered a breach, and unfortunately, sometimes not even then. Businesses failing to adequately protect themselves will suffer dire consequences, and could even end up closing their doors,” Blaeser concludes.