A hacker sits in front of a computer. His chair is surrounded by empty cans of Red Bull and pizza boxes. He gazes at a blue screen with a command prompt and types furiously. In 30 seconds he’ll have breached your company’s firewalls. It’s a typical representation of a cyber attack in popular culture. Only part of it is true (the bit about Red Bull and pizza). Hacks don’t happen in minutes, writes Martin Lipka, pictured, Head of Connectivity Architecture at Pulsant, a cloud hosting and IT compliance firm.
It takes time to breach an organisation, to find a way in and exploit that. Another misconception is that attacks or breaches are noticed immediately. Yahoo, for example, experienced a massive data breach in August 2013 in which it announced that one billion customer accounts were affected. But the company took three years to find the breach and then disclose it, and four years to complete the actual investigation (which revealed that in fact three billion accounts were affected).
While not all data breaches in cyber security are that extreme, they can still be expensive and hard to detect. It takes companies 191 days on average to find a data breach, according to global research published in 2017. How can companies improve their IT security? Tip one is not to fall for cyber-security misconceptions. When a breach is reported it’s often assumed that the hacker is a genius. In fact, they often just use known security vulnerabilities to exploit the weaknesses in company systems.
Eighty per cent of attacks are perpetrated by hackers who simply use known vulnerabilities to exploit the weaknesses in company systems. Protecting your organisation from cyber attacks could be as easy as ensuring your patches are up to date and that your IT department is keeping your anti-virus software current.
However, for the remaining 20pc of cyber attacks, the outlook is a little different. Advanced hackers supported by the state or those involved in corporate espionage make up another 19pc and their skills are typically much better than those of the 80 per cent, which makes it more difficult to protect your IT against them. The remaining one per cent are super advanced and lurk behind the scenes. They are rarely seen in the fray of attacks. Instead, these cyber criminals focus on identifying vulnerabilities and providing other hackers with the means to carry out the attacks. The WannaCry event of 2017, in which the ransomware worm attacked computer networks on a global scale, including the NHS, by exploiting a Windows vulnerability, was one example of this.
Cyber attacks are now considered one of the biggest risks facing the world in the next ten years. Attacks on internet-connected devices, the Internet of Things (IoT) (ranging from cars and fridges to industrial sensors and watches) are expected to increase over the next decade. So too are cyber attacks on mobile devices and cloud technology.
There will be increased demand for “crime-as-a-service” (hackers for hire who can write malware, create highly effective spear phishing campaigns and develop bogus websites for harvesting login credentials). As cyber threats multiply and become more advanced, corporate IT security budgets are likely to carry on increasing. The Global Cyber Security Market accounted for $95.15 billion in 2017 and is expected to reach $365.26 billion by 2026.
Yet no matter how much a company spends on IT security, the sheer variety of cyber threats, the likelihood of computer failure and human error, mean breaches in cyber security are almost inevitable.
Risks can be mitigated, though. Start by reviewing your IT systems and look for possible vulnerabilities that hackers, or a rogue employee, could exploit – an unpatched operating system, or a worker’s smartphone containing sensitive commercial data. Next, assess the severity of the security threat (i.e. the damage it would cause your business if security was breached). One proven method for assessing IT security is a “risk-based” approach (an in-depth assessment of your IT risks and how to deal with them). Work out how to fix the problem, or decrease the security risk.
Review your IT security, ideally each year, and train your staff in cyber security – not just those in IT. If your business lacks the budget or skills and experience to do all these things, outsourcing part could save you time and money.
If you work with a trusted partner you can benefit from their industry knowledge, in-house skills and the large investment they have made into all areas of their business. Hackers come in all shapes and sizes. But as the IT security industry matures, it can help companies keep cyber threats at bay, leaving you to focus on growing your business.
About the author
Martin Lipka created his own Internet Service Provider (ISP) in his home country of Poland. Martin joined Pulsant in 2008 as a Network Manager and became Head of Connectivity Architecture in 2014.