Never trust and always verify - the increasing number of cyber threats & risks

While working from home has its benefits, it also leaves holes and shows weaknesses in the digital defenses of corporate organizations. Hackers are constantly lurking around the corner, seeking opportunities to exploit any weak links. The number and variety of malware has expanded exponentially, with significantly more than a billion known types. We’ve also seen an increase in targeted phishing campaigns and ransomware attacks, where hackers hold a company hostage. They encrypt and even threaten to disclose confidential or sensitive information if the ransom is not paid. Understandably many companies give in to these demands. However, the actual cyber breach costs are often even higher than the already considerable ransom demands. After all, negligence, and failure to protect data is frequently viewed as a bad practice of governance and negatively sanctioned by regulatory bodies. In addition to financial damage, cyber-attacks also tarnish the reputation of the affected companies, because they negatively impact upon the trust of clients, suppliers and society. Cyber security experts are pulling out all the stops to frustrate hackers in their tracks. But even with continuous research and government monitoring, it’s difficult to apprehend and charge cyber criminals.

Often, SMEs feel they’re out of harm’s way when it comes to cyber crime, yet 60% of the SMEs that fall prey to an attack are forced to close shop within six months following the attack. In an interconnected digital economy, any company can be carried along in the snowball effect of an attack, as collateral damage. The aftermath can be devastating for all involved. Regretfully companies mostly only upgrade their defenses, after having gone through such a catastrophic event. Even with preventative measures being close at hand.

Any company, regardless of its size, needs to have a tailor-made cyber security policy. Most of the attacks are targeted at outdated IT systems and weakened protection mechanisms. The information asymmetry in terms of protection doesn’t make it any easier. Software protection manufacturers bombard organisations with solutions they supposedly, and urgently require, a tactic we call FUD-selling. Playing into Fear, Uncertainty and Doubt (read more about this in a previous blog). The companies themselves are often unaware as to what they actually need. Yet, the answer is quite simple. It all comes down to preventative measures, which can most often be integrated into the existing system infrastructure.

The first, and most basic principle, is a Zero-Trust attitude and approach. This implies that you must act as though nothing, or nobody can be trusted. This means that verification steps must be applied to all users, servers, and systems. And that all traffic must be inspected, monitored and recorded. My motto is: "never trust and always verify". A principal design flaw of the internet is that it was based on trust versus distrust and we later on stacked multiple point-solutions to increase the level of trust, by implementing security measures, such as firewalls, multifactor authentication and intrusion detection systems. But as a former CISO of a large enterprise I know that managing spaghetti environments with a billion malware varieties flooding our corporate organisations is not a sustainable way of working. Zero Trust security is the way forward and this is what we research and tutor at AMS as well.

Secondly, all companies should have an internal or external cyber incident response team (CIRT), who scan and monitor systems and detect threats. A CIRT acts proactively by suggesting security improvements, and act effectively in case of an attack. Thirdly, I also urge companies to make regularly scheduled backups, so they’re able to resume business as soon as possible after an attack.