Tuesday, September 26, 2017

Company cyber security and why we are at risk!

What follows are parts of articles written by SolarWinds MSP:

Companies are overlooking seven basic security principles:
1. Security policies are inconsistently applied.
2. User training is massively under-prioritized.
3. Only basic technologies are being deployed.
4. Vulnerability reporting is often weak, or even nonexistent.
5. The majority of organizations make no changes to their technology or processes following a breach.
6. Widely accepted prevention techniques and processes remain overlooked.
7. Detection, response, and resolution times are all growing.

Did you know that:
77% of respondents reported tangible loss (monetary, legal action, loss of customer) from a security incident.
23% of survey respondents reported intangible loss (of brand reputation, etc.).

So, in hard commercial terms, what does this vulnerability cost a typical SMB or enterprise? Beyond the readily identifiable impacts of a lost customer or downtime leading to lost opportunity, what are the wider implications? In their “2016 Cost of Data Breach Study: Global Analysis,” IBM and Ponemon calculated a standard cost per lost or stolen record of USD $158 / GBP £122. This calculation included direct expenses (e.g. engaging forensic experts, outsourcing hotline support, and customer relationship remedial costs such as discounts on products and services) and indirect costs (in-house investigations and internal communications). It also extrapolated typical values of lost customers and the impact of brand damage on future customer acquisition.

This may not seem like a lot, but $158.00 x tens of thousands and now you see what they mean! I have often heard that hackers go into banks, mostly small banks, and they don't steal thousands but maybe $1.00 or less! Think if you did this to thousands of banks and once again you see a lot of loss. Banks will not do much for a loss of that size, so the hackers come back and back until they are stopped!

Based directly on our research, the following represent the top seven pitfalls that are opening UK and US businesses up to massive financial liabilities, with the potential for something as serious as an extinction event.

1. INCONSISTENCY IN ENFORCING SECURITY POLICIES
A security policy is clearly worthless unless it is correctly enforced and its suitability is regularly checked. However, only 32% of respondents could claim their security policies are reliably applied and regularly audited. On top of this, less than half, or 43%, enforce them only occasionally, 17% fail to audit their suitability, and 7% have no policies in place.

2. NEGLIGENCE IN THE APPROACH TO USER SECURITY AWARENESS TRAINING
Despite all the commentary about its importance, only 16% of respondents considered user security awareness training a priority. A massive 71% pay lip service to it by either including security awareness as a one-off event at employee onboarding or reinforcing it once a year. The remainder, 13%, admitted they do nothing.

3. SHORTSIGHTEDNESS IN THE APPLICATION OF CYBERSECURITY TECHNOLOGIES
Six of the nine most typical cybersecurity technologies had been deployed by only a minority of respondents. Web protection, email scanning, and anti-malware had each been rolled out by 50-61%, but the remaining six (including SIEM, firewall rules, and patch management) had been deployed by only 33% at the most (SIEM), or 25% at the lowest (intrusion systems).

4. COMPLACENCY AROUND VULNERABILITY REPORTING
Only 29% of respondents could call their vulnerability reporting robust, with the majority, 51%, optimistically classifying it as adequate. Surprisingly, as many as 19% have no reporting, and 11% even said they categorically had no plans to investigate its deployment or usefulness.

5. INFLEXIBILITY IN ADAPTING PROCESSES AND APPROACH AFTER A BREACH
Following a breach (experienced by 71% of respondents), only 44% implemented new technology, and only 41% changed their processes. Meanwhile, 42% started looking into new technology, while 14% purposefully did nothing.

6. STAGNATION IN THE APPLICATION OF KEY PREVENTION TECHNIQUES
Of the nine key prevention techniques listed, only a minority of respondents had implemented all of them. The most prevalent technique was full disk encryption on mobile and portable endpoints, but even this was only performed by 43%. Application whitelisting was implemented by only 38%, and logging of authenticated users’ activity was used by only 41%.

7. LETHARGY AROUND DETECTION AND RESPONSE
Over the past 12 months, detection times had risen for 40% of respondents; response times were up for 44%; and resolution times had increased for 46%. In contrast, in our 2016 report, detection times had risen for only 28% of respondents; response times were up for 28%; and resolution times had increased for 27%. This shows that the rate of decay (and complacency) is growing.

ADVICE FOR MSPS
The data and conclusions in this report make one crucial point overwhelmingly clear: Enterprises and SMBs alike are overconfident in their cybersecurity preparedness. This being the case, what opportunities do managed services providers (MSPs) have?

Opportunity #1: Offer cybersecurity training to your customers.
Training can make a huge difference in your clients’ security, so it’s absolutely essential that you arm them with the knowledge they need to prevent breaches. Whether you offer it as a service to build revenue or you offer it free to provide retention, training can cut down on the number of security incidents. That translates to fewer emergency calls and, ultimately, happier clients.

Opportunity #2: Make sure your own house is in order.
MSPs need to make sure their own security practices are up to par. You should review your practices and security technology stack not only for current best practices, but with an eye to the future as well. Does your security meet the current and future needs of the typical SMB or enterprise? Does it work well across on-premises, cloud, and hybrid environments? Can you serve clients in highly-regulated verticals?

Opportunity #3: Prepare with disaster drills.
MSPs can also offer to stress test their clients’ security via “war games.” Many industries run drills to help them deal with worst case scenarios: marketing teams practice their responses to PR crises, financial services organizations stress test their portfolios, and logistics teams plan for transportation hubs closing down unexpectedly. As an MSP, you can practice disaster events with your clients, both in terms of technology and processes, to discover weak points and make improvements. Are the lines of communication and equipment sufficiently robust? Are expectations and metrics reasonable? You’re likely to find a few upsell opportunities in the process.

Opportunity #4: Determine the partnerships or skillsets you’ll need.
Many security incidents require specialists to handle, so make sure to prepare before you need it. Whether it’s warding off DDoS attacks, protecting IoT at an architectural level, or implementing digital forensics incident response, you should either look to hire expertise in-house or partner with someone who can handle these for you. You never want to have to build new skills in the middle of a crisis.

Organizations’ overconfidence combined with the prevalence of the seven pitfalls of cybersecurity create a perfect storm on which cybercriminals are bound to capitalize. But with the right approach, dialogue, relationships, and tools, MSPs can turn these flaws into lucrative opportunities.

Source: CYBERSECURITY: CAN OVERCONFIDENCE LEAD TO AN EXTINCTION EVENT? (SolarWinds MSP)

I think that the above will happen. I worry about breaches to our national security, our infrastructure, our banks and more. Be prepared!!!

More to come from Joe Rossini
