Willem Westerhof, Senior Security Specialist at Secura, part of the laboratory testing, inspection and certification services company Bureau Veritas, writes of security debt and what companies can do to tackle this to maintain public confidence.
The cyberattack on the NHS in June serves as a reminder that cyber-attacks are becoming increasingly sophisticated, with worse and longer-lasting impacts. Not only that, but Absolute Security’s Cyber Resilience Report 2024 reported that 69 per cent of UK Chief Information Security Officers (CISOs) stated that a cyber-attack could lead to the financial collapse of their organisations. This further highlights the need for organisations to address any security debt proactively and invest in robust cybersecurity measures to protect operations and maintain public confidence, “with fewer than half of the UK public (47 per cent) confident in central government’s capabilities to ward off digital threats effectively”.
What is security debt?
Much like technical debt, security debt refers to the cumulative security vulnerabilities that develop due to outdated systems and practices. Twenty years ago, the geopolitical climate was quite different, with fewer attackers and less interconnectivity. Now, the gap between what security we have and what we should ideally have is significant.
As we can see, security debt is becoming an increasingly important issue for organisations, particularly long-standing ones. Not only can it severely impact an organisation’s ability to protect its data and infrastructure, but it also has a knock-on effect, leading to a decline in public confidence that is already taking shape across many sectors in the UK.
What factors cause large amounts of security debt?
1. A key factor is the age of the organisation. Older establishments, especially those in the public sector that were early adopters of automation, are more susceptible to large amounts of security debt. Over time, their once cutting-edge technology has become outdated, and the longer an organisation has been around, the more legacy systems and configuration mistakes it can potentially have, thus increasing its security debt. With that said, the ability to keep up with the latest innovations and technology is key. Minor updates, such as moving from version 4.1 to 4.2, are typically straightforward. However, systems that have had years of neglect can prove problematic when going through major upgrades. For example, upgrading from version 1.3 to 4.7 without incremental updates can seriously change and negatively affect systems, leading to a cycle of reversion and avoidance of future updates. In the long term, this avoidance only adds to the problem.
2. Another issue is mission-critical systems that cannot afford downtime; they tend to lag when it comes to updating software because of the risk of interrupting day-to-day activities. However, not updating the software allows vulnerabilities and bugs to build up in these mission-critical systems, making unplanned and uncontrolled downtime due to an incident more likely.
3. A shortage of skilled IT professionals further exacerbates the issue. With limited staff in IT teams, organisations often prioritise only the most time-sensitive and mission-critical projects, allowing security debt to accumulate and leaving nothing tangible for the end user, such as regularly introduced security features.
What can happen if an organisation accumulates too much security debt?
One of the most common consequences of large amounts of security debt is ransomware. Attackers gain control of an organisation’s data and systems and demand a ransom for their release. A more recent tactic involves double extortion, where attackers also steal data as leverage for payment. Even if the ransom is paid, the data is often sold or leaked, compounding the damage. In the public sector, the fallout can be harmful: personal data can be stolen and used for fraud, affecting countless individuals, and repeated security breaches will only erode public trust in organisations. When personal and sensitive information is compromised, confidence in the organisation’s ability to protect data weakens, which leads to reputational damage.
What steps can be taken?
To address and mitigate security debt, organisations are advised to adopt comprehensive strategies that encompass security best practices which are essential to prevent the accumulation of vulnerabilities.
Conducting regular security audits (technical and non-technical) is also encouraged, to help identify and address potential weaknesses before they can be exploited. Directives such as the EU’s NIS2 emphasise the importance of checking security practices outside the immediate organisation and looking at supply chain partners too. Although the UK is no longer part of the EU, similar principles apply, especially for businesses operating in or with Europe.
There is also a need to increase investment in IT and cybersecurity, which can start with hiring more IT professionals and providing ongoing training for existing personnel. The goal for organisations is ultimately to create such a difficult environment for attackers that it is not worth investing their time to hack in the first place. Security debt is a real and prevalent challenge we are seeing across the UK, impacting operational security and public confidence. As the digital world evolves, organisations should take the necessary measures to address the issue in order to safeguard data, protect reputation, and maintain public trust.
Visit https://www.secura.com/.