All the gear and no idea
Most companies that suffer a cyber attack believed it would never happen to them. What makes it even harder for them to understand is that they had costly, cutting-edge security in place to deter hackers. But strong defences turn out to be a cyber Maginot Line if they are not activated or deployed properly: ineffective, because attackers can simply go round them.
Many organisations’ first reaction to being hacked is stunned disbelief. “Then they panic and everyone points a finger at each other,” says Tom Kranz, Cyber Lab Director at 6point6, a cyber security consultancy.
The trouble is they tend to think that investing in the latest technology will automatically solve the problem. “But there’s a gap between what an off-the-shelf system can immediately deliver and the processes and needs of the business which buys it,” says Kranz.
This is an issue that has caused a number of high-profile breaches, says Andrew Lewis, Lead Cyber Underwriter at Hiscox London Market. “Companies will often buy security technology with lots of bells and whistles without having first evaluated their underlying exposures and whether this is in fact the best system to do what they want.”
Then, they will often compound the problem by not spending enough time training their staff on the best way to use that technology. “The result is expensive kit that’s never used to its full capability, or even left idle,” says Lewis.
Kranz recalls a bank that installed top-of-the-range security software to warn it of potential attacks on its network by monitoring users’ login activity. From Monday to Thursday most employees worked in the office, where they would usually log in between 9 and 10 o’clock. On Fridays, however, many worked from home and so logged in at other times. Every Friday, the system alerted on what it took to be attacks; every week, the bank’s cyber security team investigated and found they were false alarms. To make matters worse, nobody knew how to retune the system so that it understood the different login patterns.
Regardless of how sophisticated a cyber security system is, it isn’t worth the desk space or the price tag unless it is first set up to understand how that particular business works. Otherwise it will simply tell you what you already know, rather than being tuned to pick up the real threats you face.
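The bank’s problem is a baseline that ignores the working week. The following added example (not code from the article, from 6point6 or from Hiscox; the login data is constructed, and the Friday home-working hours and the 5% rarity threshold are assumptions) runs the same simple login-time rule over the same synthetic logins with two baselines: one keyed only on hour of day, which raises an alert for every Friday login, and one keyed on weekday and hour, which stays quiet on Fridays but still flags a genuinely odd 03:15 midweek login.

```python
from collections import Counter
from datetime import datetime, timedelta

FRIDAY = 4                       # datetime.weekday(): Monday == 0 ... Friday == 4
HOME_HOURS = [7, 8, 11, 13, 16]  # assumed Friday home-working login hours, one per user


def constructed_logins(start, weeks):
    """Constructed sample data, not a real log: `weeks` weeks of logins for
    five users starting on the Monday `start`. Monday to Thursday everyone
    logs in from the office at 09:15; on Fridays people work from home and
    log in at scattered hours."""
    events = []
    for week in range(weeks):
        for day in range(5):                      # Monday .. Friday
            date = start + timedelta(days=7 * week + day)
            for i, home_hour in enumerate(HOME_HOURS):
                hour = home_hour if date.weekday() == FRIDAY else 9
                events.append((date.replace(hour=hour, minute=15), f"user{i}"))
    return events


def global_baseline(events):
    """Out-of-the-box baseline: share of all logins in each hour of the day,
    ignoring which weekday it is."""
    counts = Counter(ts.hour for ts, _ in events)
    return {hour: n / len(events) for hour, n in counts.items()}


def weekday_baseline(events):
    """Business-aware baseline: share of each weekday's logins in each hour,
    so a Friday is compared with other Fridays rather than with Mondays."""
    per_day = Counter(ts.weekday() for ts, _ in events)
    counts = Counter((ts.weekday(), ts.hour) for ts, _ in events)
    return {(wd, hour): n / per_day[wd] for (wd, hour), n in counts.items()}


def alerts(events, baseline, key_fn, threshold=0.05):
    """Flag every login whose time bucket accounts for less than `threshold`
    of the baseline; buckets never seen score 0.0 and are always flagged."""
    return [(ts, user) for ts, user in events
            if baseline.get(key_fn(ts), 0.0) < threshold]


def compare_baselines():
    """Train both baselines on four weeks, then run them over a fifth week
    that also contains one genuinely odd login: user2 at 03:15 on a Wednesday.
    Returns how many alerts each approach raises and whether each caught
    the odd login."""
    start = datetime(2018, 4, 2)                          # a Monday
    history = constructed_logins(start, weeks=4)
    week5 = constructed_logins(start + timedelta(weeks=4), weeks=1)
    odd_login = (datetime(2018, 5, 2, 3, 15), "user2")    # Wednesday 03:15
    week5.append(odd_login)

    naive = alerts(week5, global_baseline(history), lambda ts: ts.hour)
    tuned = alerts(week5, weekday_baseline(history),
                   lambda ts: (ts.weekday(), ts.hour))
    return {
        "naive_alerts": len(naive),                 # 5 Friday false alarms + the odd login
        "tuned_alerts": len(tuned),                 # the odd login only
        "naive_caught_odd_login": odd_login in naive,
        "tuned_caught_odd_login": odd_login in tuned,
    }


if __name__ == "__main__":
    for name, value in compare_baselines().items():
        print(f"{name}: {value}")
```

The rule itself never changes; only what it is compared against does. With the hour-only baseline, Friday logins make up 4% of the history each and fall under the 5% threshold, so every one of them is an alert, exactly the weekly noise the bank’s team was chasing. Keyed on weekday as well, each Friday slot is 20% of Friday traffic and passes, while the 03:15 login has never been seen on any day and is flagged by both.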
The right tools for the job
Some companies also opt for highly advanced detection and prevention systems that are way beyond their need or capability. “There are some fearsomely complicated, highly effective, and very expensive tools on the market, which are designed primarily for governments to counter the threat from state-sponsored hackers. They’re not relevant for the average business,” says Kranz. “You wouldn’t buy a Formula One car if you only want it to do school runs and trips to the shops.”
Companies are often surprised to discover they score poorly in cyber security tests having invested heavily in an array of security software. Nearly three quarters of the 4,100 organisations surveyed for the Hiscox Cyber Readiness Report 2018 failed the cyber readiness test. Although they were keenly aware of the potential impact of a cyber attack, most were found to lack adequate defences to resist hackers.
The problem, says Kranz, is that “they tend to judge the success of IT projects according to whether they come in on time and on budget without any glaring errors. They’ve never actually reviewed whether that technology is effective, so they’re shocked to be told that some of those tools aren’t working properly, while others might not even be turned on.”
Penetration tests commissioned from cyber security consultants, which probe a company’s defences against cyber attack, can often give a false sense of security. “These aren’t like an MOT, with a set list of defects to look for. There’s a huge variety in their depth and competence: some are just basic tests that verify firewalls are in place – they don’t examine whether or not those are effective.”
The expectation gap
This gap – between what a company wants the system to do and how it can actually perform when plugged in straight out of the box – is particularly common with firewalls: the vital systems designed to protect organisations’ networks from intruders.
“Companies should first analyse what their normal website traffic is before installing a new firewall,” says Hiscox’s Lewis. “So when they do turn it on, they can adjust it to get the protection they need without it interfering with their everyday business.”
It can take six to nine months to properly install an effective firewall, says Kranz, because at first it will often mistake normal web traffic patterns for suspected attacks, either because the firewall doesn’t understand how the company’s systems work, or because the web application is poorly designed.
Most companies, however, will switch on the firewall and expect it to provide blanket protection straight away, even though it is still on its factory settings. If there are teething problems that crash a company’s systems then the most common reaction, Kranz says, is to turn off some of the firewall’s features so that normal service is resumed. This can have disastrous consequences.
An asset management firm suffered a hacker attack despite having a state-of-the-art firewall. Mystified by how its defences had failed, it called in Kranz to find out why. He discovered that when the new website went live ahead of the all-important April ISA deadline, the firewall worked effectively but was slowing down the site in its key sales period. So the project manager disabled the firewall’s alerting on potential breaches so that the company wouldn’t lose business.
The project manager was rewarded with a promotion (and then got a better job elsewhere) for successfully delivering the new website – even though he had effectively turned off the firm’s main cyber defence almost as soon as it was installed.
It ain’t over ‘til it’s over
The trouble is, most organisations think that when they switch on the security software that the job’s completed. “But that’s when the real work begins,” says Kranz. “The threat is constantly evolving, so they need to continually refine their security to keep up to date with the latest attacks.”
Instead, most leave it until the launch of a new IT project to review their existing security measures – or when they suffer a breach, says Kranz.
“You wouldn’t buy a brand new car and not maintain or service it until it eventually breaks down,” Kranz says. “The same goes for a security tool. If you’re going to plough so much time and effort in it, why wouldn’t you want to make sure it works as well, if not better, than when you first bought it?”
Security software isn’t a comfort blanket organisations can cling to in the hope of preventing attacks. They need to know they’re right for the job, and that they work, says Lewis, otherwise they’re likely to get breached relatively easily.
The insurance industry could help by focusing less on which security tools companies list in their proposal forms, and more on having them explain to underwriters which of those tools matter most, how they monitor and evaluate the tools’ performance to make sure they aren’t actually undermining the company’s cyber security, and whether they are kept up to date with the latest threats. That, Lewis suggests, is a much better gauge of security maturity.
“They need to know what are their biggest threats and how the particular technology they buy will mitigate those. Once the software’s been switched on, companies need to set aside extra time and money to ensure it works effectively. Otherwise it can be a wasted investment.”