Many people may feel fatigued when it comes to hearing about cybersecurity. This isn’t because they don’t understand the importance of it, but because they are aware of the significant risk cybercrime poses to their businesses and personal digital lives. They have already accepted that taking action is necessary to address this issue.
However, it’s not good enough to take a “been there, done that” approach. The plain truth is that we can never hear enough about cybersecurity because, rest assured, criminals are working around the clock to uncover new vulnerabilities.
A “zero-day attack” focuses on a previously unexploited weakness, and until that vulnerability has been mitigated, there is an almost unimaginable potential for harm, especially if the software is widely used. This means that unless we constantly make time to focus on cybersecurity and keep it front of mind, it’s conceivable that we could drop the ball on implementing patches or updates, leaving a fresh vulnerability like a flashing red light attracting criminals into our organisations.
The consequences of neglecting cybersecurity for businesses
One may argue that this sounds alarmist and a bit like doomsday commentary, but imagine this scenario: one of your employees receives a notification on his or her laptop to update to the latest version of a software application. This update contains important upgrades to mitigate vulnerabilities. However, he or she is chasing a deadline and so mutes the notification.
And then does this again, and again. At some point in the future, a nefarious threat actor is scouting the environment and finds the open door to your system. Despite all your efforts, the backdoor was left open by an employee who had not had cybersecurity front and centre of their mind.
The above scenario is far more common than one would like to believe, but despite that, there is an overall impression that from a South African perspective, we are catching up with the rest of the world. While we have made good strides as a country, there are still obstacles – not least the pain of a non-revenue-generating department being thrust upon the board.
Even if a business decides to outsource its security, it still needs some degree of skill within its walls. Before, it was normal to do what we thought was best, and then hope for the best. Now, there are industry standards and best practice protocols that have been imposed on businesses across industries. Adhering to these costs time, money and resources. While it is a department or investment that does not generate revenue, without investing in it a business’s ability to generate any revenue at all may well be at risk.
This is a difficult pill to swallow locally, as it does not come cheaply – that’s if the scarce skills can even be found and retained. A small or medium business will soon realise that it needs to increase its headcount by up to five people. A larger organisation will be looking at closer to 10 new staff.
The challenges of implementing and maintaining effective cybersecurity measures
In addition to this, a theme that has gained momentum over the years is the movement towards zero trust. This is all well and good, and certainly suits some organisations better than others – such as large corporates – but there has to be an educated balance between security and usability.
The only real zero-trust environment is analogue because air-gapped processes are the only ones guaranteed to be out of reach of cybercriminals. Once you plug in, you must realise that you may well be taking all the vitamins possible, but the risk of infection remains.
If we return to our scenario of the employee who did not update their system, we land on an important theme: the majority of breaches and hacks are likely avoidable. A zero-day hack triggers a flurry of responses until there is a patch or update to prevent it from happening again – which is when the threat actor moves on to find other weaknesses.
A very small proportion of vulnerabilities are responsible for most of the exploits we read about. For example, a well-publicised ransomware attack may be the ultimate outcome, but it would most likely have been achieved through one of a small set of vulnerabilities that had not yet been patched or corrected with an update.