Cyber into general business practice in 2023

by Mark Rowe

With the threat from cybercriminals likely to increase over the next year, companies have to put cybersecurity at the core of their business, says Rob Batters, Director of Managed and Technical Services at the IT firm Northdoor plc.

The year 2022 saw an increase in the number and the level of sophistication of cyberattacks, with companies of all sizes being targeted both directly and via their supply chains. However, against a background of a recession and potential budget cuts, some companies might be considering drawing back on their investments in cybersecurity in the next 12 months.

This will have a potentially damaging impact on the business. Indeed, instead of cutting back, in 2023 companies need to ingrain cybersecurity into their general business practice to help keep cybercriminals out and data safe.

The growing threat of cybercrime

In 2023 we are likely to see a real increase in the number and level of sophistication of cyberattacks. Companies of all sizes will be impacted in some way or another; it is no longer the case that it is only enterprise-level companies that cybercriminals are targeting.

The UK Government’s 2022 Cyber Security Survey found that 48 percent of small businesses in the UK had been victims of cybercrime. This is very likely to go up in 2023 and so no matter the size of the company there has to be an awareness of the growing threat.

Cybercriminals will always try to find the easiest route into a company’s systems. Too often this is through what many consider to be the weakest link in most companies’ security – the employee. Cybercriminals are bombarding employees with phishing emails. For example, if 10 million phishing emails are sent, cybercriminals just need a one percent return rate to result in large-scale profit and/or damage for companies – all at a very low cost in terms of effort and finances for the cybercriminal.

These phishing emails are growing in sophistication, meaning that it is becoming harder for employees to identify what might be a malicious email and to take action against it. This is also against a backdrop of new working practices across the UK, with many employees now in remote or hybrid roles. Sitting outside of the corporate network, often using their own devices, means that businesses cannot so easily protect users and systems.

Ingraining cyber in business practice

So, to combat this growing threat and to help employees, it is important that cybersecurity is ingrained into all business practices. Ensuring that it becomes part of everyday processes means that it is less easily forgotten or ignored, even if the employee is outside of the office environment.

The key to this approach is not to bombard the employee with continuous warnings and updates. Some cybersecurity solutions send nonstop messages, and this has led to employees suffering from security fatigue. This means that essentially staff members are reaching the limit of how much information they can process leaving them in a position where they can no longer make rational decisions.

Some businesses are turning to cybersecurity solutions that only alert employees at the point of risk and provide a real-time teachable moment. This empowers users to take charge of their own security behaviours, in turn reducing human-activated risks on email.

Another way of ensuring that cybersecurity is ingrained into business practice is introducing regular cybersecurity training. Too many companies have annual or one-off sessions, which means employees tend to forget what they have learnt. Also, cybercriminals are constantly changing and adapting the methods they use to gain access to systems and data, which means a one-off session is quickly made irrelevant. Regular updates (without overloading users) that keep them up to speed with the latest threats and what they look like mean that cybercrime will be at the forefront of their minds.

Protecting the four layers of business

With all businesses now under an increasingly regular and sophisticated threat from cybercriminals, it is important that they look at protecting all layers of their business. As we have seen there are more employees than ever working outside of the workplace and the challenges that this brings. However, in most companies, including SMEs, there are four layers that need protection.

The Core – at an organisation’s core there needs to be a secure infrastructure in place, and one that can be located where you need it, on-premise, in the cloud or a hybrid of the two. By having appropriate governance and compliance controls in place businesses can ensure users can only access the data appropriate to their role.

The Inner Layer – protecting the inner layer should include the continuous monitoring of all endpoints, the immediate and ongoing detection and response to incidents, defence against Human Activated Risk through proactive anti-phishing and data leakage measures, as well as a holistic view of all events and threats.

The Edge – the edge of a business is where the internal systems meet the outside world. The edge should be continuously monitored and scanned for vulnerabilities. Defending the edge also means ensuring that you have a grip on what the latest threats look like and how your existing defences are performing.

The Outer Layer – the final layer is the outer layer. Businesses cannot simply sit behind their defensive walls and hope for the best. The threat from supply chains and partners is increasing all the time and any investment in other defensive measures is immediately negated if you are leaving the back-door open to vulnerabilities from the supply chain.

Secure managed services

2023 is going to be a challenging year for a lot of businesses. With cost-savings and budget cuts at the forefront of strategies, businesses have to be careful not to leave themselves open to an increasingly sophisticated cyber-criminal.

The key will be to ensure that cybersecurity is at the core of all business practices and that it embraces those who are working outside of the office. To help with this many are turning to IT consultancies that can offer secure managed services. Not only does this give companies access to a team of experts but a consultancy is able to take a holistic view of your systems, data, users and the threats against them. Taking a layered approach to security, and addressing the issues most pressing to you, means that a shell of security measures can be built around critical assets, protecting data and systems against an ever-increasing threat.
