To follow are parts of articles written by SolarWinds MSP:
Companies are overlooking seven basic security principles:
1. Security policies are inconsistently applied.
2. User training is massively under-prioritized.
3. Only basic technologies are being deployed.
4. Vulnerability reporting is often weak, or even nonexistent.
5. The majority of organizations make no changes to their technology or processes following a breach.
6. Widely accepted prevention techniques and processes remain overlooked.
7. Detection, response, and resolution times are all growing.
Did you know that:
77% of respondents reported tangible loss (monetary, legal action, loss of customer) from a security incident.
23% of survey respondents reported intangible loss (of brand reputation, etc.).
So, in hard commercial terms, what does this vulnerability cost a typical
SMB or enterprise? Beyond the readily identifiable impacts of a lost
customer or downtime leading to lost opportunity, what are the wider
implications?
In their “2016 Cost of Data Breach Study: Global Analysis,” 1 IBM and
Ponemon calculated a standard cost per lost or stolen record of USD $158/
GBP £122. This calculation included direct expenses (e.g. engaging forensic
experts, outsourcing hotline support, and customer relationship remedial
costs such as discounts on products and services) and indirect costs
(in-house investigations and internal communications). It also extrapolated
typical values of lost customers and the impact of brand damage on future
customer acquisition. This may not seem like a lot, but $158.00 x tens of thousands and now you see what they mean! I have often heard that hackers go into banks, mostly small banks, and they don't steal thousands but maybe $1.00 or less! Think if you did this to thousands of banks and once again you see a lot of loss. Banks will not do much for a loss of that size, so the hackers come back and back until they are stopped!
Based directly on our research, the following represent the top seven
pitfalls that are opening UK and US businesses up to massive financial
liabilities, with the potential for something as serious as an extinction event.
1. INCONSISTENCY IN ENFORCING SECURITY POLICIES
A security policy is clearly worthless unless it is correctly enforced and its
suitability is regularly checked. However, only 32% of respondents could
claim their security policies are reliably applied and regularly audited. On
top of this, less than half (43%) enforce them only occasionally, 17% fail to
audit their suitability, and 7% have no policies in place.
2. NEGLIGENCE IN THE APPROACH TO USER SECURITY AWARENESS TRAINING
Despite all the commentary about its importance, only 16% of respondents
considered user security awareness training a priority. A massive 71% pay
lip service to it by either including security awareness as a one-off event at
employee onboarding or reinforcing it once a year. The remainder, 13%,
admitted they do nothing.
3. SHORTSIGHTEDNESS IN THE APPLICATION OF CYBERSECURITY TECHNOLOGIES
Six of the nine most typical cybersecurity technologies had been deployed
by only a minority of respondents. Web protection, email scanning, and
anti-malware had each been rolled out by 50-61%, but the remaining six
(including SIEM, firewall rules, and patch management) had been deployed
by only 33% at the most (SIEM), or 25% at the lowest (intrusion systems).
4. COMPLACENCY AROUND VULNERABILITY REPORTING
Only 29% of respondents could call their vulnerability reporting robust, with
the majority, 51%, optimistically classifying it as adequate. Surprisingly, as
many as 19% have no reporting, and 11% even said they categorically had
no plans to investigate its deployment or usefulness.
5. INFLEXIBILITY IN ADAPTING PROCESSES AND APPROACH AFTER A BREACH
Following a breach (experienced by 71% of respondents), only 44%
implemented new technology, and only 41% changed their processes.
Meanwhile, 42% started looking into new technology, while 14%
purposefully did nothing.
6. STAGNATION IN THE APPLICATION OF KEY PREVENTION TECHNIQUES
Of the nine key prevention techniques listed, only a minority of respondents
had implemented all of them. The most prevalent technique was full disk
encryption on mobile and portable endpoints, but even this was only
performed by 43%. Application white listing was implemented by only 38%,
and logging of authenticated users’ activity was used by only 41%.
7. LETHARGY AROUND DETECTION AND RESPONSE
Over the past 12 months, detection times had risen for 40% of
respondents; response times were up for 44%; and resolution times had
increased for 46%. In contrast, in our 2016 report, detection times had
risen for only 28% of respondents; response times were up for 28%; and
resolution times had increased for 27%. This shows that the rate of decay
(and complacency) is growing.
ADVICE FOR MSPS
The data and conclusions in this report make one crucial point
overwhelmingly clear: Enterprises and SMBs alike are overconfident in
their cybersecurity preparedness.
This being the case, what opportunities do managed services providers
(MSPs) have?
Opportunity #1: Offer cybersecurity training to your customers.
Training can make a huge difference in your clients’ security, so it’s
absolutely essential that you arm them with the knowledge they need to
prevent breaches. Whether you offer it as a service to build revenue or
you offer it free to provide retention, training can cut down on the number
of security incidents. That translates to fewer emergency calls and,
ultimately, happier clients.
Opportunity #2: Make sure your own house is in order.
MSPs need to make sure their own security practices are up to par. You
should review your practices and security technology stack not only
for current best practices, but with an eye to the future as well. Does
your security meet the current and future needs of the typical SMB or
enterprise? Does it work well across on-premises, cloud, and hybrid
environments? Can you serve clients in highly regulated verticals?
Opportunity #3: Prepare with disaster drills.
MSPs can also offer to stress test their clients’ security via “war games.”
Many industries run drills to help them deal with worst case scenarios:
marketing teams practice their responses to PR crises, financial services
organizations stress test their portfolios, and logistics teams plan for
transportation hubs closing down unexpectedly. As an MSP, you can
practice disaster events with your clients, both in terms of technology
and processes, to discover weak points and make improvements. Are the
lines of communication and equipment sufficiently robust? Are
expectations and metrics reasonable? You’re likely to find a few upsell
opportunities in the process.
Opportunity #4: Determine the partnerships or skillsets you’ll need.
Many security incidents require specialists to handle, so make sure
to prepare before you need it. Whether it’s warding off DDoS attacks,
protecting IoT at an architectural level, or implementing digital forensics
incident response, you should either look to hire expertise in-house or
partner with someone who can handle these for you. You never want to
have to build new skills in the middle of a crisis.
Organizations’ overconfidence combined with the prevalence of the seven
pitfalls of cybersecurity create a perfect storm on which cybercriminals are
bound to capitalize. But with the right approach, dialogue, relationships,
and tools, MSPs can turn these flaws into lucrative opportunities.
CYBERSECURITY: CAN OVERCONFIDENCE LEAD TO AN EXTINCTION EVENT?
I think that the above will happen. I worry about breaches to our national security, our infrastructure, our banks and more. Be prepared!!!
More to come from Joe Rossini