In my 20 years of auditing more than 500 government and commercial organisations, the most common issue I have seen is a lack of visibility into what is happening day to day within a company’s network. While installing firewalls and email solutions such as Kaspersky is a step in the right direction, these won’t provide sufficient protection in the long run.
Here I’ll discuss the biggest problems with existing attitudes towards cyber-protection and how business leaders need to ensure they have the right type of systems in place across their organisations. Ultimately, business leaders need to install a 24/7 cyber monitoring system that is managed by expertly trained staff in order to protect themselves and their business from cyber-attack.
The plaster covering a broken arm
Currently, there is a huge disparity between business leaders’ knowing they need to tackle cybercrime and the number of concrete cyber strategies being implemented. This is a significant problem as cybercrime has become so prolific in recent years that the Office for National Statistics (ONS) has begun to include it in official figures.
The Institute of Directors recently released a cybersecurity report that found while 95% of business leaders think that cybersecurity is ‘very important’ to their business, almost half of them have no formal cyber strategy. Further, four out of ten of those surveyed said they wouldn’t know who to get in touch with if they were hit by a serious cyberattack. This paints a pretty bleak picture for the health of cybersecurity across UK businesses.
At present, the majority of business leaders opt to install firewalls and Kaspersky email solutions to protect digital company assets online – this has been the mainstay of cybersecurity for over two decades. These firewalls block certain kinds of network traffic, effectively forming a barrier between pre-approved ‘trusted’ networks and alien ones. Much like a physical firewall, this type of system attempts to block the spread of computer attacks and viruses.
While this has historically been the number one way to protect online networks, firewalls have serious limitations and can be very easily overcome by hackers. Whether through phishing scams or other social-engineering tactics that exploit human nature to obtain credentials granting access to the network, attackers routinely get past the perimeter, and firewalls simply are not up to the task of protecting today’s companies sufficiently. Installing a firewall today is the equivalent of putting on a plaster to try and fix a broken arm.
The solution is constant surveillance
One of the main issues with firewalls is that they fail to provide a holistic view of a company’s IT security. This means that companies are left in the dark about the real-time health of their IT networks, and data breaches can often go unnoticed for significant amounts of time – allowing hackers ample time to find the most lucrative data to steal. The best solution to overcoming this lack of visibility across a business network is to implement a combined solution of security information and event management (SIEM) software and network and host intrusion detection systems (IDS), along with security operations center (SOC) personnel.
SIEM and IDS systems correlate security-relevant events from both critical host systems and network traffic to provide proactive monitoring of the enterprise’s digital footprint as well as real-time threat analysis. This makes it significantly easier to spot trends and patterns that are out of the ordinary across the network. With 24/7 monitoring, any attempted cyberattacks are flagged immediately and so can be dealt with before any data is stolen and irreparable damage is done to a company’s public image.
However, SIEM systems are very noisy and generate an abundant amount of information. Without trained experts (a SOC) monitoring the SIEM system and an intelligent incident escalation plan in place, having a SIEM system is pointless. Internal IT personnel are often not equipped to monitor a SIEM 24/7 every day of the year. Yet this is exactly what a SIEM solution requires, else it will be rendered useless. Terabytes of logs will be generated that no one will ever have time to analyse – completely defeating the point! Further, if an internal team is monitoring the SIEM then they are directly undermining the necessary governance of having checks and balances in place. Businesses should not be in the practice of ‘auditing’ themselves.
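As an added illustration (not from the article), here is a minimal correlation-and-escalation rule of the kind a SOC would run inside a SIEM: it reads constructed host authentication log lines and IDS alerts, drops sub-threshold noise outright, and assigns a tier from a simple escalation plan only where a burst is corroborated by a second source. Hostnames, addresses, rule names and tier labels are all made up.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input (not real logs): host auth events and IDS alerts.
HOST_LOGS = """\
2024-03-01T10:00:01 srv-db sshd: Failed password for root from 203.0.113.9
2024-03-01T10:00:04 srv-db sshd: Failed password for root from 203.0.113.9
2024-03-01T10:00:07 srv-db sshd: Failed password for admin from 203.0.113.9
2024-03-01T10:00:09 srv-db sshd: Failed password for oracle from 203.0.113.9
2024-03-01T10:00:15 srv-db sshd: Accepted password for oracle from 203.0.113.9
2024-03-01T10:20:00 srv-web sshd: Failed password for bob from 198.51.100.7
2024-03-01T10:41:00 srv-web sshd: Failed password for bob from 198.51.100.7
""".splitlines()
IDS_ALERTS = """\
2024-03-01T10:00:10 ET SCAN SSH brute force attempt src=203.0.113.9 dst=srv-db
2024-03-01T10:30:00 ET POLICY DNS over TCP outbound src=srv-app dst=192.0.2.53
""".splitlines()
HOST_RE = re.compile(r"^(\S+) (\S+) sshd: (Failed|Accepted) password for \S+ from (\S+)$")
IDS_RE = re.compile(r"^(\S+) (.+?) src=(\S+) dst=(\S+)$")

def correlate(host_lines, ids_lines, window=timedelta(minutes=5), threshold=4):
    """Return {(src, dst): tier}. Hypothetical escalation plan: P1 = page on-call
    now, P2 = triage this shift, P3 = review next shift. Sub-threshold noise is dropped."""
    fails, success = defaultdict(list), set()
    for line in host_lines:
        m = HOST_RE.match(line)
        if not m:
            continue  # unparsed lines are skipped, never silently escalated
        ts, host, outcome, src = m.groups()
        if outcome == "Failed":
            fails[(src, host)].append(datetime.fromisoformat(ts))
        elif fails.get((src, host)):  # a login success after earlier failures
            success.add((src, host))
    ids = {}
    for line in ids_lines:
        m = IDS_RE.match(line)
        if m:
            ids[(m.group(3), m.group(4))] = m.group(2)
    tiers = {}
    for key, times in fails.items():
        times.sort()
        # burst = at least `threshold` failures inside any sliding `window`
        burst = any(times[i + threshold - 1] - times[i] <= window
                    for i in range(len(times) - threshold + 1))
        if not burst:
            continue  # below threshold: noise an analyst should never see
        tiers[key] = "P1" if key in ids or key in success else "P2"
    for key in ids:
        tiers.setdefault(key, "P3")  # IDS alert with no host corroboration
    return tiers
```

On the sample data the nine raw events collapse to two decisions: one P1 (host burst corroborated by the IDS and followed by a successful login) and one P3 (an uncorroborated IDS policy alert), while the two stray failures against srv-web never reach an analyst.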
We worked with a customer that had bought and integrated their own highly sophisticated SIEM system with 15 remote sensors across three continents. Understandably, they were pulling in thousands of events per second and had nearly a million unattended security alerts. However, while they had all the right technology, crucially what they were lacking was the trained team to read and respond to the alerts (SOC). Ensuring you have the right technology is important but if a fully qualified team does not support this, then the best and most expensive SIEM system will ultimately be worthless.
It is absolutely essential to have an effective SIEM system to give visibility into the security-relevant events across the entire enterprise. However, this system must include a trained team of analysts (a SOC) monitoring it 24/7/365, ready to respond appropriately under an established incident escalation plan. One of the worst things that can happen is uncovering an attack but not knowing how to deal with it in the best way.
It’s clear that business leaders need to make more of a concerted effort to implement cybersecurity strategies to protect their companies’ networks. They should also empower their IT teams to utilise third-party managed security service providers (MSSPs) to address cybersecurity strategically and holistically. The world has changed fundamentally from even 20 years ago and we now rely on technology and internet access more than ever before. Undoubtedly, the existing cybersecurity measures employed by the majority of organisations are insufficient to protect exponentially growing networks and databases. While there is no such thing as total security, by implementing a SIEM system that is managed and supported by a team of trained cybersecurity experts, businesses will be able to considerably improve their online protection. This can turn a £10 million incident into a £10 thousand incident. But it is only through implementing an integrated, holistic and strategic approach that companies will be able to protect themselves as best they can.