Cut down your security debt by thinking like a hacker, suggests Stephen Crow, pictured, Head of Security and Compliance at UKFast, which offers UK-based data centres.
Whether it’s unsecure at-home WiFi networks, or a plethora of poorly configured work devices, cybercriminals are taking full advantage of post-pandemic security vulnerabilities, launching more and more advanced attacks on SMEs who have not taken into account their mounting security debt. Security debt happens when an organisation fails to invest enough time, resources, and/or money into securing their networks, leaving themselves open to exploitation. And with organisations everywhere forced to move their operations online practically overnight during the pandemic, a lack of protection has left more and more businesses exposed to this, resulting in a 31 per cent jump in cybercrime since the start of the pandemic.
Subsequently, many criminals are intensifying their social engineering and phishing tactics. So how can your business think more strategically, patch vulnerabilities in home working, and ultimately reduce your security debt?
First question: how hackable is your business?
Many organisations don’t know the answer to this question, but it’s the first thing cybercriminals seek to answer when probing your security defenses.
With remote workforces creating new vulnerabilities for hackers to exploit, anticipating how someone might compromise and disrupt your computing infrastructure is of paramount importance – especially as the potential cost of a breach can be devastating to a company. According to a recent IBM report, the average cost of a data breach is $3.86 million and is projected to increase over the year.
Thinking like a hacker means understanding an adversary’s techniques, tools, and goals in order to discover vulnerabilities in your IT infrastructure. The next step is to identify how these vulnerabilities can be exploited. And the final step is to resolve them.
This process works most efficiently when organisations give their IT teams ample time and budget to practise security skills. Alternatively, your business can turn to dedicated security professionals who can think like a hacker, monitor threats and stay ahead of potential attacks on your behalf.
A bespoke security solution
After you’ve identified and fixed potential loopholes in your network, you need to ensure your infrastructure remains secure so the same thing doesn’t happen again. Fortunately, numerous tools are available at your disposal that can help.
VPNs, for instance, secure the connection between home and corporate networks. Endpoint security tools safeguard individual devices to prevent data creep.
But without the right expertise, these tools can be implemented improperly – making it harder to get work done at best, and potentially creating new security vulnerabilities at worst. Which is why working with your IT team or external security professionals to create a tailored strategy that outlines how to secure your infrastructure, as well as how to use relevant tools effectively, is the answer.
To do so, you’ll need to understand both the needs of your business and the expectations of your employees. Often, this can mean ascertaining if a business has a zero-trust model in place for individual devices, or even understanding if employees follow corporate policy by only using corporate-approved cloud storage.
Doing so enables your organisation to achieve a bespoke security solution that will keep your IT infrastructure safe from cyberattacks and provide employees with the seamless access they need to do their jobs well every day.
Lower your security debt for good
So you’ve thought like a hacker, identified vulnerabilities, and built a custom-made security solution to lower your security debt. The next step is to ensure your security debt stays down – or risk finding yourself vulnerable once more.
You need to be sure you’re not using software that is at the end of life, for example; you also need to ensure it’s installed with the latest security updates, and be able to react quickly to patch any weak spots that come up. You can get a sense of just how critical vulnerabilities are by using the Common Vulnerability Scoring System (CVSS) – but keep in mind that a low score does not necessarily mean you’re less vulnerable.
Together with daily IT tasks, not to mention monitoring cyber threats on your business, this is a lot to handle. While your IT team can take on these challenges themselves, hiring and upskilling can exponentially add up. For those businesses that can’t manage the burden internally, an external managed security service can act as an extra safety net, ensuring your organisation remains secure at all times – and preventing security debt from creeping back up again.
