Question:
Do you really care about cyber security within your business, or is it seen as more of a hindrance or a compliance requirement?
It's not uncommon for security professionals to miss the mark when it comes to addressing the elephant in the room, and security is often sold as a stack of products with varying capabilities, filling gaps no one knew existed.
As with all IT services, the core function is to enable a business to perform its duties day to day without unplanned incidents, so the focus will more than likely be on ensuring the IT systems themselves are available and capable of delivering those services.
People usually start caring when the lights go out.
Yes, we've probably all experienced, in some form or another, an environment getting hit by a security event, followed by a sudden influx of budget to address said problem. It's perhaps human nature to behave this way, as most of us act similarly outside of work.
Let's say you've got back to your car and someone has let one of your tyres down. You don't have a pump in the car, so you have to wait for roadside assistance to come along and help you out. After this, you decide that everyone in the family who drives must now carry a pump. But why wasn't that important before?
You have a shed in the back garden that contains all of your expensive tools for various gardening activities, as it's easier than keeping them in your garage. One night the shed is burgled and all the items are taken. You get replacement items from the insurance company and decide it's perhaps best to keep everything of value in the garage going forward. So why didn't you do that in the first place, especially now that your premiums have gone up?
The difficulty of changing behaviours
We've always done it that way....
or
It won't happen to us....
or
Does it really matter?
In some instances, those are absolutely valid statements, because we make decisions based on the information we have at the time. Take the flat tyre example above: we've always driven without a pump and never had a problem, so the likelihood of getting a flat seems extremely low. So does it really matter?
It depends on your risk appetite. Some are more than happy to be inconvenienced and deal with the event if and when it occurs. But what if it happened at a time when you desperately needed the car to get somewhere urgently? The likelihood of that event may be extremely low, but the impact is high, and once you weigh likelihood against impact you can begin to gauge a sensible response or control measure to reduce that impact.
Now let's add a little more context to that event. Let's say the car is used for driving round high net worth clients and you're the chauffeur.
What is the financial impact of not being able to get to the destination and will you experience reputational damage for being unreliable? A pump doesn't seem such a weird idea after all.
Assume Breach
A now common phrase within the security community, and one that has perhaps been validated more often than some people would want to admit. Is it a sales tactic used to put fear into others?
No. If anything, it often shows how challenging it is for a business and/or its security team to hunt for such threats when they lack the capability to do so. This is where an analysis can help identify the gaps within the business, giving senior management a better understanding of where the issues lie.
Here are some ideas to consider:
Identity Management:
The existing leaver process doesn't notify the relevant team to disable a person's account on the day they leave, so the account often stays enabled for weeks until someone picks up on it and completes the task. In that time, it's entirely feasible that the account is used to copy data outside of the business.
Solution:
A new tool is proposed to track Joiner / Leaver / Movers, but it's incredibly complicated to implement and requires several key stakeholders to all agree on a suitable outcome.
In this instance, perhaps the failing is simply in the existing process, and some consultancy would help improve that process without heavy expenditure.
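Before buying tooling, it is worth measuring the gap the post describes. The following is an added example (not code from the original post or from Security Ninja) that joins a constructed HR leavers export against a constructed directory export, flags accounts that are still enabled after the leave date, and highlights the worst case: an account that has logged on after the person left. The export format and field names are assumptions; a real run would replace the two dictionaries with data pulled from HR and from the directory.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass
class Finding:
    username: str
    leave_date: date
    days_enabled_after_leaving: int
    logged_on_after_leaving: bool


def _parse(value: Optional[str]) -> Optional[date]:
    """ISO date string -> date, or None when the export has no value."""
    return date.fromisoformat(value) if value else None


# Constructed HR leavers export (assumed format): username -> ISO leave date.
HR_LEAVERS: Dict[str, str] = {
    "jsmith": "2024-03-01",
    "akhan": "2024-03-15",
    "lgarcia": "2024-03-20",   # already disabled by the service desk
    "pjones": "2024-03-28",    # already removed from the directory entirely
}

# Constructed directory export (assumed format):
# username -> (account enabled?, last logon ISO date or None).
DIRECTORY: Dict[str, Tuple[bool, Optional[str]]] = {
    "jsmith": (True, "2024-03-10"),   # still enabled and used after leaving
    "akhan": (True, None),            # still enabled, never logged on
    "lgarcia": (False, "2024-03-19"),
    "mbrown": (True, "2024-03-29"),   # current employee, not a leaver
}


def stale_leaver_accounts(hr_leavers: Dict[str, str],
                          directory: Dict[str, Tuple[bool, Optional[str]]],
                          today: date,
                          grace_days: int = 0) -> List[Finding]:
    """Return leavers whose account is still enabled more than grace_days after
    their leave date. Accounts already disabled or removed are not findings.
    Results are ordered so that accounts used after leaving come first, then by
    how long they have been left enabled."""
    findings: List[Finding] = []
    for username, leave_str in hr_leavers.items():
        leave_date = _parse(leave_str)
        entry = directory.get(username)
        if leave_date is None or entry is None:
            continue  # no leave date to check, or account already gone
        enabled, last_logon_str = entry
        if not enabled:
            continue  # process worked for this person
        days_enabled = (today - leave_date).days
        if days_enabled <= grace_days:
            continue  # within the agreed window, not yet a failure
        last_logon = _parse(last_logon_str)
        used_after = last_logon is not None and last_logon > leave_date
        findings.append(Finding(username, leave_date, days_enabled, used_after))
    findings.sort(key=lambda f: (not f.logged_on_after_leaving,
                                 -f.days_enabled_after_leaving))
    return findings


def audit(today_iso: str, grace_days: int = 0) -> List[Finding]:
    """Run the check over the constructed exports for a given report date."""
    return stale_leaver_accounts(HR_LEAVERS, DIRECTORY,
                                 date.fromisoformat(today_iso), grace_days)


if __name__ == "__main__":
    for f in audit("2024-04-01"):
        flag = "USED AFTER LEAVING" if f.logged_on_after_leaving else ""
        print(f"{f.username}: enabled {f.days_enabled_after_leaving} days "
              f"past {f.leave_date} {flag}")
```

The grace_days parameter is the number of days the business is prepared to tolerate between someone leaving and their account being disabled; agreeing that number with the stakeholders is the process fix, and the count of findings over time is the evidence that the fix is working, without any new tool being bought.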
Patch Management:
No matter how quickly IT tries to roll out patches to systems, they're always on the back foot. The result is that vulnerability stats aren't really improving, and there are too many planned outages, which is upsetting the business.
Solution:
Let's ramp up the patching and perhaps look at new tooling which will help us fix things better.
Please no.....
A consultant will review your existing processes and capabilities from start to finish:
Are you using standard gold builds?
Are those builds scanned for vulnerabilities on a regular basis before going live?
Do you need all the applications that are installed?
Can people install unauthorised applications?
Focus on the vulnerabilities that impact the business first.
Tooling has its place
There are some absolutely brilliant solutions in the market that will help a business improve their security posture, reducing the risk of certain events occurring, but also providing capabilities to detect threats.
However, does that single-employee business need a fully fledged XDR platform with SIEM, patch management and vulnerability management?
Whoever said yes, I can see you!!
No they don't need all that, unless of course they want it. But we shouldn't be trying to sell it.
What they need are controls suitable for their business: anything from ensuring their laptop is encrypted through to phishing-resistant MFA, with a sprinkling of data backups and antivirus of some sort.
Watering and Feeding
When cloud services first came onto the market, they were deemed our saviours from all IT and security concerns. But what happened is we were sold platforms that change their features and capabilities more times than I've changed my cars (a lot).
So what we've been left with is a need to keep constantly up to date with those features to ensure we're maintaining a good level of security across the business. And sadly, again, that's where many of those businesses aren't doing so well.
Why? Well, it's expensive. You've already paid through the nose for these products, and now there's a demand for several FTEs just to keep up to speed.
So why not outsource to specialists in these areas so you can focus on what's important to you?
The realm of MSSPs has become a lucrative business, providing those capabilities to clients who perhaps don't want to invest in full-time employees, thus offsetting the risk to someone else. My only comment would be to get a third party to help you assess the services being offered if they seem rather expensive, and by that I mean six- to seven-figure services a year.
Would you believe that sometimes you don't need all the bells and whistles? But instead you just need something that's tailored specifically for you.
Summary
In short, we're there to help you achieve what's best for you and your bottom line. It's not all about the latest shiny new thing or throwing money at a problem. Good security is about having discussions, understanding pain points, getting to the root cause, agreeing risk appetites, and settling on strategic outcomes that provide the most value whilst increasing the security posture of the business.
If you'd like to have a chat about how Security Ninja can help you, please get in touch.