Increasingly sophisticated attacks call for an entirely new, and data-centric, approach to cybersecurity. But how can businesses remain secure when there is a global shortage of cybersecurity professionals? And how can they afford downtime, when being offline means being out of business?
“Without a doubt, the market is squeezed,” says Alan Byrne, former Director of Technology at Triangle. As a managed service provider of infrastructure and critical systems, Triangle’s response has been to develop its own talent and then deploy expert staff across a varied client base to ensure professionalism for clients and intellectual stimulation for staff. “Our approach has been to recruit people at a junior level and grow them ourselves. You meld them into the person you need,” Byrne says.
Triangle typically works with large enterprises, and counts among its clients Aviva and ESB. Byrne said that smaller businesses should not be discouraged, however, as there are service providers out there who can meet their needs. “From a small and medium business point of view, there are SME specialists out there who can deliver a one-stop shop for customers,” he advises.
Enterprise level businesses and government departments, however, have a different set of requirements. Often more complex and certainly under greater threat, they turn to service providers such as Triangle to work with internal teams, whether for compliance and governance reasons or as part of an international team. “Larger corporations like to have their own staff, but even if they outsource the service, they typically will want to audit the service internally,” he explains.
The issue of governance is central at this level, with responsibilities to shareholders, clients and other stakeholders meaning security is a top priority.
“Any large organisation is going to have a board level oversight of security now: it all falls into corporate governance these days. It falls under risk.”
Indeed, risk management and assessment of risk exposure and even risk appetite are crucial considerations that warrant management attention.
Nevertheless, the recent increase in cybersecurity threats – Risk Based Security identified 1,767 publicly reported breaches between January 1st and June 30th 2021 – means that simply acknowledging the issue at senior management level is not enough. What is needed now, says Byrne, is a recognition of the ever-changing nature of both the business landscape and the threat landscape.
“Any large organisation is going to have had IT security on there [at board level] for some time, but the changing landscape and the shift in digital transformation means people are looking to take a more root and branch approach. What they've been doing for the last five or six years won't be enough,” explains Byrne.
A programmatic approach to re-architecting systems is essential, he adds. “Particularly, with the increase in teleworking after Covid-19. Things like physical security now need to be re-considered; there's a whole rethink coming.” And not before time: after all, most businesses were forced into teleworking in an uncontrolled manner, with little chance to assess the exposure that created.
What is interesting, Byrne says, is that the old adage of work smarter rather than harder appears to have been taken to heart by cybercriminals.
“The level of attacks is increasing, but it’s not increasing dramatically in absolute numbers. However, the potential hit to a business is much more dramatic, because of the nature of the attacks.”
Indeed, traditional viruses have been yesterday’s news for some years, as everyone in the IT business will know. Other forms of attack can be far more devastating, though. “Ransomware is particularly unpleasant, as it causes the business to essentially shut down,” says Byrne. Expertise helps here, from planning and policy on down, but the tooling has also improved: rather than relying on inert backups sitting alongside the systems an attacker can reach, solutions can be deployed that keep the data separate from the system software, so that a compromised system can be rebuilt around an intact dataset. “The compromise is in the system software not the dataset; if your dataset is good you just need a system to back it up. It’s not an easy thing to recover from, but it's certainly manageable,” advises Byrne.
As Ireland moves back to office life, questions are being asked, not least in relation to easing the housing crisis, about whether remote and hybrid work can and will continue. According to Byrne, this will depend on the business, and part of the calculation will be cybersecurity. Triangle can help in both cases.
“There are certain businesses where I could think it is necessary for staff to be in a properly-controlled environment, and there are other businesses where back-office work can be done remotely. So, it's just a case of putting the right procedures and technology in place,” he said.
Either way, current practices do need to be examined. “A lot of organisations have probably increased their risk profile as a result of the pandemic and I’m not sure they've addressed that. There's a false sense of security: ‘Well, I've been doing this for two years and I've been okay’, but that's not how risk works.”
Indeed, just as a run of losses on a lottery ticket or roulette table does not make the next bet any more likely to win, a run of incident-free years does not make the next year any safer. The Monte Carlo fallacy (the gambler’s fallacy) is precisely the belief that independent events are influenced by what came before them; two quiet years are not evidence that the underlying exposure has fallen. The answer, then, is to reduce that exposure directly and to account for risk properly, rather than to read luck as safety.
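As an added illustration of the point above (not code from the original article or from Triangle), the following model treats the chance of a serious incident in any one year as a fixed probability p that is independent of earlier years; the 10% figure is constructed for the example and is not a statistic from the page. Under that assumption, the risk of an incident next year is the same whether the previous two years were clean or not, the risk over a multi-year horizon keeps climbing, and the only input that moves either number is p itself, that is, the exposure.

```python
"""Why "two clean years" says nothing about next year.

Assumption for the example: a serious incident occurs in any given year with
a fixed probability p, independent of previous years. The Monte Carlo
(gambler's) fallacy is the belief that a clean run lowers p.
"""
import random


def cumulative_breach_probability(p: float, years: int) -> float:
    """Probability of at least one incident over `years` independent years."""
    return 1.0 - (1.0 - p) ** years


def conditional_next_year(p: float, clean_years: int) -> float:
    """P(incident next year | no incident in the previous `clean_years`).

    Computed from the joint probabilities rather than assumed, so the
    cancellation is visible: (1-p)^n * p / (1-p)^n == p for any n.
    """
    no_incident_so_far = (1.0 - p) ** clean_years
    joint = no_incident_so_far * p
    return joint / no_incident_so_far


def simulate_next_year(p: float, clean_years: int, trials: int, seed: int = 0) -> float:
    """Monte Carlo check of the same claim.

    Among simulated histories that stayed clean for `clean_years`, return the
    fraction that had an incident in the following year. Seeded so the result
    is reproducible.
    """
    rng = random.Random(seed)
    clean_histories = 0
    incidents_after_clean_run = 0
    for _ in range(trials):
        history = [rng.random() < p for _ in range(clean_years + 1)]
        if not any(history[:clean_years]):
            clean_histories += 1
            if history[clean_years]:
                incidents_after_clean_run += 1
    if clean_histories == 0:  # no clean run survived (only possible for p near 1)
        return float("nan")
    return incidents_after_clean_run / clean_histories


if __name__ == "__main__":
    p = 0.10  # constructed figure: 10% chance of a serious incident per year
    for n in (1, 2, 5):
        print(f"{n} clean year(s) -> next-year risk still {conditional_next_year(p, n):.3f}")
    print(f"at least one incident within 5 years: {cumulative_breach_probability(p, 5):.3f}")
    print(f"same horizon after halving exposure (p=0.05): "
          f"{cumulative_breach_probability(0.05, 5):.3f}")
    print(f"simulated next-year rate after 2 clean years: "
          f"{simulate_next_year(p, 2, 200_000):.3f}")
```

The contrast worth showing a board is the last two figures: a clean history leaves next year's risk at p, while halving p (fewer exposed services, patched remote-access paths, tested restores) roughly halves the five-year risk.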
“I think there's generally a lack of understanding of risk and, also, people don't fundamentally see it as a question of risk management,” says Byrne.
This article originally appeared in the Business Post.