Consequence of organisations continuing to underestimate damage of cyberthreats and how to avoid it

Sophos, a global leader in next-generation cybersecurity, has announced the findings of the second edition of its survey report, The Future of Cybersecurity in Asia Pacific and Japan, in collaboration with Tech Research Asia (TRA).

The study reveals that despite cyberattacks increasing, cybersecurity budgets have remained stagnant and executive teams continue to underestimate the level of damage threats can do to organisations. 

Nearly 70% of Asia Pacific organisations surveyed suffered a data breach in 2020, an increase of 36% from 2019. Of these successful breaches, 55% of companies rated the loss of data as either ‘very serious’ (24%) or ‘serious’ (31%). Nearly 17% of organisations surveyed suffered 50 attacks per week.

While attacks are increasing in frequency and severity, cybersecurity budgets remained largely unchanged as a percentage of revenue between 2019 and 2021. At the same time, 59% of businesses stated that their cybersecurity budget is below where it needs to be, the same percentage it was in 2019.

Industry experts offer their best-practice advice on how this issue can be overcome and tackled head-on.

Ronan David, VP Business Development and Marketing, EfficientIP: “From PlayStation to iCloud and even the NHS, it would be difficult to ignore the impact that cyberattacks can have on an organisation. Many will have seen the damage to reputation caused by famous hacks, or even felt the impact directly through application downtime and sensitive data theft. 

“But while cyberthreats can be portrayed by the media as a distant concern only of big corporations and governments, cybercriminals are becoming smarter and more effective at damaging even the smallest organisation. 

“The knowledge gap in cybersecurity has meant that businesses are extremely underprepared and often underestimate one of the biggest threats to their operations. 

“This threat has only increased within the last year. The rise of working from home has meant organisations have had to quickly adapt to supplying workers with the tech needed to efficiently work off-site.

“Remote working and the switch to cloud applications has added complexity to network management and security, thus heightening the risk from cyberthreats aimed at the company’s network infrastructure and especially the Domain Name System (DNS). DNS translates website names into numeric addresses (IP addresses) that are easier for computers to manage. Without adequate security measures, the openness of this system can easily be exploited by hackers, with potentially devastating consequences for productivity and data security.

“DNS is mission-critical for businesses – if DNS servers go down, you can no longer reach any of your vital apps or services, including cloud storage. 91% of malware abuses DNS services to build attacks, and while DNS is often targeted directly, it’s often also used as an attack vector such as via connected objects (IoT).

“Last year, our annual DNS Threat Report found that 79% of companies faced DNS attacks and suffered irreparable damage: loss of business (29%), application downtime (82%), data theft (16%) and more. DNS attacks are increasingly common and come in several forms which organisations must be aware of to ensure the safety of their data and work practices. 

“For example, ransomware attacks make use of misleading links to attack your computer and hold essential data to ransom in exchange for money. DDoS (Distributed Denial-of-Service) attacks are a specific way to tear down a remote service by sending attacks to it from multiple points of the network, making it more difficult to stop the source.

“Businesses must move beyond basic security solutions to protect themselves from these risks. By making use of an automated DNS security solution and Zero Trust strategies, organisations can simplify and accelerate threat detection and protect application services for both customers and workers.

“The danger of underestimating the damage from cyberattacks is far too high for businesses to ignore. Now more than ever, technology plays a vital role within the workplace and organisations must find time to educate themselves about the risks and good practice for cybersecurity – or risk permanently damaging their business.”
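The passage above treats DNS as a threat vector in general terms. As an added illustration from the defender's side (this is not EfficientIP's or Sophos's code, and the log format, field order and thresholds are all assumptions), the Python below triages a handful of constructed DNS query-log lines and flags base domains whose query pattern resembles tunnelling or exfiltration: unusually long labels, high-entropy leftmost labels, and many unique subdomains under one base domain in a short window.

```python
"""
DNS query-log triage: flag base domains whose query pattern looks like
DNS tunnelling or exfiltration (long, high-entropy labels and many
unique subdomains under one base domain).

Added example, not EfficientIP's or Sophos's code. The log format and
the three thresholds below are assumptions, not vendor defaults.
"""
import math
from collections import defaultdict

# Constructed sample log lines: "<epoch> <client-ip> <qname> <qtype>"
SAMPLE_LOG = """\
1617000001 10.0.0.5 www.example.com A
1617000002 10.0.0.5 mail.example.com MX
1617000003 10.0.0.9 a9f3c2e1b7d4406e8a2c.tunnel.example.net TXT
1617000004 10.0.0.9 5b7e1c0d9a3f482e6b1d.tunnel.example.net TXT
1617000005 10.0.0.9 c4d2e8f1a7b3490c5d6e.tunnel.example.net TXT
1617000006 10.0.0.9 0e1f2a3b4c5d6e7f80919a2b3c4d5e6f.tunnel.example.net TXT
1617000007 10.0.0.5 cdn.example.com A
"""

MAX_LABEL_LEN = 30          # assumed: labels longer than this are unusual
MIN_ENTROPY = 3.5           # assumed: bits/char of the leftmost label
MAX_UNIQUE_SUBDOMAINS = 3   # assumed: per base domain within the window


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character in s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def base_domain(qname: str) -> str:
    """Naive registrable domain: the last two labels. A real tool would
    consult the Public Suffix List; this shortcut is an assumption."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_log(text: str):
    """Yield (client, qname, qtype) from the constructed log format,
    skipping malformed lines instead of crashing on them."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _, client, qname, qtype = parts
        yield client, qname.lower(), qtype


def triage(text: str) -> dict:
    """Return {base_domain: [reasons]} for domains tripping any heuristic."""
    findings = defaultdict(set)
    subdomains = defaultdict(set)
    for _client, qname, _qtype in parse_log(text):
        bd = base_domain(qname)
        labels = qname.rstrip(".").split(".")
        leftmost = labels[0] if len(labels) > 2 else ""
        subdomains[bd].add(qname)
        if any(len(lab) > MAX_LABEL_LEN for lab in labels):
            findings[bd].add("long-label")
        if leftmost and shannon_entropy(leftmost) > MIN_ENTROPY:
            findings[bd].add("high-entropy-label")
    for bd, names in subdomains.items():
        if len(names) > MAX_UNIQUE_SUBDOMAINS:
            findings[bd].add("many-unique-subdomains")
    return {bd: sorted(reasons) for bd, reasons in findings.items()}


if __name__ == "__main__":
    for domain, reasons in triage(SAMPLE_LOG).items():
        print(domain, ", ".join(reasons))
```

Run against the constructed sample, only `example.net` is reported, for all three reasons; the ordinary `www`, `mail` and `cdn` lookups under `example.com` stay clean. In production the same three signals would be computed over a sliding time window per client rather than over a whole file, and the thresholds tuned against the organisation's own baseline traffic.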

David Friend, Founder and CEO, Wasabi: “Cyberthreats are no laughing matter for organisations. Just in the last few weeks, Facebook and surveillance services provider, Verkada, have revealed they’ve suffered huge data breaches, with over 500 million users and 150,000 video cameras hacked respectively. 

“Why do so many underestimate such risks? A 2019 YouGov survey indicated that 66% of companies with fewer than 500 employees didn’t believe they would fall victim to a cyberattack, and that just 9% of businesses surveyed ranked cybersecurity as their top business priority. Such stats clearly demonstrate that there’s an education gap that needs to be filled across industries to elevate the importance of this issue.

“The fact that the enterprise doesn’t perceive the risk of ransomware to be a priority is at odds with the amount of damage that ransomware is doing to businesses. In the UK, nearly 60% of companies struck by ransomware end up paying their attackers, with the average ransomware payout being US$84,116 in Q4 2019. 

“Payouts are just the tip of the iceberg. As ransomware locks users and organisations out of their data, business operations can quickly be shut down for days or weeks, which could risk the livelihoods of many. When you look at the damage done to regular business activity by way of ransomware, it’s easy to see why companies are tempted to pay up – in 2020, IBM estimated that downtime from data breaches cost the average company US$1.52 million worth of lost business and before the pandemic, the total cost to business operations inflicted by ransomware attacks globally was projected to be US$11 billion.

“In the end, computers and other hardware can be replaced, but in the vast majority of cases, lost data represents the product of countless man-hours of work, which cannot be replaced without huge expense. If enterprises want to offset this risk, they must first and foremost develop a rigorous data backup strategy that diversifies where they store their data to spread risk. Backups are a vital part of any organisation’s IT strategy and ensuring multiple redundant backups are available helps to reinforce organisational resilience to cyberthreats.

“At a minimum, IT decision-makers should be keeping three different backup copies of the same data, with two on different media formats and with one of those kept off-site – what the storage industry calls the 3-2-1 rule. Keeping a backup off-site is key as it allows organisations to ‘air-gap’ backups from one another, enabling greater data protection and security through physical distancing.

“A hybrid cloud strategy can also be of huge benefit when tackling cyberthreats. By combining an on-site dedicated storage system for local backup and setting it up to synchronise with a cloud backup service on a regular basis, data continuity is maintained and the risk of disruption knocking out all sources is significantly decreased. It’s also a good idea to have your data stored in different vendors’ systems so that hacks or even software bugs in one system don’t risk data loss globally too.”
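To make the 3-2-1 rule and the multi-vendor point above checkable rather than aspirational, here is an added Python example (not Wasabi's or the article's code) that evaluates a constructed backup inventory: it counts intact copies, distinct media types and off-site copies, reports whether the copies span more than one vendor, and flags any copy whose digest no longer matches the source data. The inventory schema and the sample payloads are assumptions.

```python
"""
3-2-1 backup inventory check: given several copies of one dataset,
confirm at least three intact copies, on at least two media types,
with at least one off-site, and verify every copy's SHA-256 against
the source. Also reports whether the intact copies span >1 vendor.

Added example, not Wasabi's code. The BackupCopy schema, vendor names
and payloads are constructed for illustration.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupCopy:
    name: str
    media: str      # e.g. "disk", "tape", "object-storage"
    offsite: bool
    vendor: str
    payload: bytes  # constructed stand-in for the stored backup artifact


# Constructed source dataset whose copies we are auditing.
SOURCE_DATA = b"customer-ledger-2021-q1\n"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_321(copies, source: bytes) -> dict:
    """Evaluate the inventory and return a report dict.

    Only copies whose digest matches the source count towards the
    3-2-1 totals; a corrupt or tampered copy is listed, not credited.
    """
    expected = sha256_hex(source)
    intact = [c for c in copies if sha256_hex(c.payload) == expected]
    corrupt = [c.name for c in copies if sha256_hex(c.payload) != expected]
    media = {c.media for c in intact}
    offsite = [c.name for c in intact if c.offsite]
    vendors = {c.vendor for c in intact}
    report = {
        "intact_copies": len(intact),
        "copies_ok": len(intact) >= 3,     # the "3"
        "media_ok": len(media) >= 2,       # the "2"
        "offsite_ok": len(offsite) >= 1,   # the "1"
        "multi_vendor": len(vendors) >= 2,
        "corrupt": corrupt,
    }
    report["compliant"] = (
        report["copies_ok"] and report["media_ok"] and report["offsite_ok"]
    )
    return report


# Constructed inventory that satisfies the rule: three intact copies,
# two media types, one off-site, two vendors.
GOOD_INVENTORY = [
    BackupCopy("nas-local", "disk", False, "VendorA", SOURCE_DATA),
    BackupCopy("lto-library", "tape", False, "VendorA", SOURCE_DATA),
    BackupCopy("cloud-bucket", "object-storage", True, "VendorB", SOURCE_DATA),
]

# Constructed inventory that fails: two on-site disk copies from one
# vendor, and the only off-site copy has been altered.
BAD_INVENTORY = [
    BackupCopy("nas-local", "disk", False, "VendorA", SOURCE_DATA),
    BackupCopy("nas-mirror", "disk", False, "VendorA", SOURCE_DATA),
    BackupCopy("cloud-bucket", "object-storage", True, "VendorB",
               SOURCE_DATA + b"tampered"),
]


def audit_good() -> dict:
    return check_321(GOOD_INVENTORY, SOURCE_DATA)


def audit_bad() -> dict:
    return check_321(BAD_INVENTORY, SOURCE_DATA)


if __name__ == "__main__":
    print("good:", audit_good())
    print("bad: ", audit_bad())
```

The design choice worth noting is that a copy only counts once its digest has been verified against the source; an inventory that lists three copies on paper but holds one corrupt or silently altered copy is treated as two copies, which is the failure mode the quote warns about when it says lost data cannot be replaced.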

Richard Walters, CTO of Censornet: “We’ve worked on several post-incident recoveries within our own organisations and assisted in many, many more externally. 

“Companies often forget about the reputational damage that can be caused by cyberattacks, which has a major impact on customer/consumer confidence as well as supply chain, partner, market – and ultimately, shareholder confidence. 

“When a publicly-listed company suffers a large-scale breach, its share price typically suffers a protracted hit which can last for years.

“A cyberattack also has a serious and immediate business impact on an organisation. It may be forced to take systems offline, for instance, and while it might be able to get cyber insurance to cover some downtime, it is unlikely to extend to the actual downtime suffered, which can run into days or even weeks. We saw this when the NHS was hit by WannaCry in 2019, forcing the cancellation of 19,000 appointments and ultimately costing £92 million. 

“With organisational breaches, everything starts with a weak or stolen password, or the exploit of misconfigurations or vulnerabilities. Once inside, attackers move laterally. Understanding this lateral movement and the full extent of the breach requires specialist computer and network forensic analysis – neither of which come cheap.

“Advanced Persistent Threats, by definition, are multi-layered. Organisations often identify what appears to be a malware infection, affecting a number of endpoints, isolate them, bare-metal rebuild them, and move on. Deeper APT layers then activate – either manually or timed – which go entirely unnoticed. This is why some attacks persist over many years. 

“This points to the extent of the hidden cost that is only realised up to a decade later. 

“Post-incident, some additional controls are almost inevitably going to be needed to prevent an exact reoccurrence of an attack, or a variation on a theme. If you’re lucky, this will mean deploying additional controls in the form of one or two security point products. However, it could also require major network, architecture or application surgery. 

“In an era where attacks are not just likely, but a certainty, businesses should make sure they have a crisis plan. If the building gets flooded or a massive power outage wipes out office systems for days on end, most organisations will know what to do. A similar plan should be in place for an e-crisis.”

Filip Verloy, Rubrik’s Field CTO EMEA: “The biggest risk here is that organisations don’t see the forest for the trees. When you consider the wide scope of potential cyberthreats out there, it’s easy to get lost. Suddenly, you’re so focused on individual attack vectors that you miss the forest entirely, by which point it’s too late.

“As we drive more Digital Transformation, oversights of this nature just won’t cut it. The potential for devastating disruption as a result of cybercrime is too large and organisations must step into Digital Transformation with a security-first mindset as a result. We are long past the point of saying ‘it will never happen to us’, and certainly know better than to assume we’ll never be breached. 

“So how do we instil that mindset? The first thing is to re-evaluate our focus on defence. Looking at the whole picture – perimeter, network, endpoint, application and data – organisations must implement clear ways of detecting, preventing, investigating and responding to these cyberthreats. 

“Unfortunately, this crystal clear focus is hard to come by thanks to an abundance of distracting signals, which is where the case for automation through AI and Machine Learning comes into play. Think about it – security has evolved from a single focus on the perimeter and keeping the bad guys out, to an all-encompassing focus on internal and external security, and the abundance of tools and intelligence we have around that are too numerous to manually manage. But finding relevant correlations and augmenting those with external threat intelligence signals is the purview of automated systems leveraging Machine Learning and AI. 

“In conjunction, there is a strong need to rationalise the amount of security tools any one organisation uses. I often see up to 50 individual tools being implemented per organisation, which I believe actually contributes to lowering security postures, instead of raising them, simply due to how unmanageable it becomes and the assumption of sufficient coverage rather than actual protection.

“And for the tools that we do hold on to, we must consider ecosystem integrations: how can these prevention, detection and mitigation technologies reinforce each other? There is potential to leverage intelligence from one solution to the next to complement capabilities and form a stronger together defence. Think about the ability to inform your data recovery solution about the importance of the data being impacted and how that would prioritise your remediation efforts. The answer to creating this: technologies built on API-first principles.

“Finally, a surefire way to not underestimate these threats is to look at backup as a means of ransomware recovery. Ransomware has moved from disabling an organisation by encrypting all data, to now extracting additional ransom by exfiltrating data and threatening to release it, broadening its impact. Everyone is a target no matter how safe you consider yourself to be and assuming a breach mentality and documenting and testing a ransomware recovery plan is just as vital as implementing any other Disaster Recovery planning, both of which require a sturdy backup strategy.”

Rudie Raath, Chief Security Officer at Datacentrix: “Cybercrimes have been on the increase at a global level, with 2020 breaking all previous records for data breaches and cyberattacks. And the African continent has not escaped this unscathed, with South Africa, Kenya and Nigeria seeing the biggest increases in cybercrime locally.

“In particular, South Africa has experienced a surge of ransomware incidents more recently. The real fact is that many companies face the fear of data encryption by cyber-attackers, who are able to purchase the software – and an instruction guide on how to use it – via the Dark Web for a paltry amount (as little as R2,000 in some instances).

“These attacks are not focused on any particular industry but more on companies where data is critical to running operations. This is due to the fact that a Bitcoin pay-out for decryption keys is far more likely if the organisation under attack is unable to operate without those systems.

“The unfortunate truth is that no company is safe from these attacks – even if you spend all the money in the world.

“The protection of the infrastructure is no longer the focus for businesses today; it’s all about the data. Cybersecurity is now closely intertwined with the application and infrastructure and, in particular, the actual data. Therefore, a multi-disciplined approach is required; one that understands the system architecture, its dependencies and the location of all the data. Many companies to date are still blissfully unaware of the location and validity of their backups until the day they are required, but it does not work.

“Protecting the data must take priority and with the technologies available in the market today, it is possible to secure your data copies through regular, immutable backups. Some of these solutions are even able to scan backups for possible ransomware scripts, or processes timed to trigger at a point in time.

“The question posed here then is, if backup tapes are dead, could they not be considered as the potential safety net that protects companies? Could this legacy technology be the answer?

“An area of concern would clearly be this: should an organisation be targeted and its data encrypted, how long would it take to restore systems, and can you pay the price of this downtime? Or worse, are you prepared for loss of data? How would this affect your business operations and customers? Would you perhaps be liable to fines or penalties?

“These are the difficult facts that every organisation must consider when assigning budgets to IT operations and innovation. The mitigation of measures by cyberthreats requires a higher level of discussion within the business and can no longer be isolated between engineers around the water cooler. An important facet of this process is choosing the right partner to support you on this journey – one that understands technology integration, infrastructure monitoring, cybersecurity threat mitigation technologies, data protection, governance and risk frameworks – and making the decision to do this quickly. Time is not on the side of the unprotected company.”
