Cloud security is only as strong as the weakest link in your supply chain. The concept of the traditional network perimeter is dead in the age of the cloud, with attackers exploiting weaknesses along your entire supply chain in an effort to breach your defences.
Supply chain attacks have become a prevalent target for cyber criminals, knowing that a weak link in the chain can gain them access into highly secured environments. This means that auditing the security credentials of your suppliers and partners must become a priority, as their shortcomings can lead to your business’ downfall.
Likewise, your suppliers and partners are entitled to ask the hard questions about your own security efforts. Most businesses still fail to take supply chain threats seriously, even though such attacks have claimed high-profile victims like British Airways and ASUS.
One of the biggest mistakes that businesses of all sizes make is thinking about security as a one-off investment, as simply a checkbox item to be ticked off.
The fact is, the threat landscape is always changing. Malware is rapidly evolving to the point that traditional antivirus tools struggle to keep pace. Cybercriminals are actively working together to bolster their capabilities and stay ahead of the game, commoditising the market with offerings such as Ransomware as a Service and compromised IoT botnets for hire.
While cryptolocker ransomware attacks are still common, cybercriminals are also looking to more subtle attacks such as cryptojacking – quietly using your business’ computer resources to mine cryptocurrency while you foot the bill.
The only way to stay on top of security is to constantly grow your security capabilities and enhance your cyber hygiene efforts. One of the biggest hurdles to this is the deeply ingrained view that security is ‘someone else’s problem’, but this is slowly changing over time as executive boards start to realise the real threat that businesses face in a hyperconnected world.
So how do you step up and bolster your cyber defences? First, staff education is critical, ensuring your people understand the threats and can identify the telltale signs of phishing attempts and other social engineering attacks. A healthy scepticism is one of your best lines of defence.
From a technology perspective, the demise of the traditional network perimeter makes endpoint detection and response crucial – focusing on whitelisting and monitoring for behaviours that are outliers.
Along with this comes pervasive monitoring, ensuring that you know everything that happens on your network, as it happens. Correlate and link as many Indicators of Compromise (IoCs, meaning any evidence that a cyber attack has taken place) as possible to gain a holistic view of what is going on in your environment. This also gives you the ability to actively hunt threats within your network and to look back in time to identify previously overlooked security threats.
Real-time insight is only useful when accompanied by the ability to rapidly respond to security incidents. If there is a security incident, you need the ability to neutralise it quickly and address the damage. Like any other security drill, it is important to practise your incident response procedures and ensure that everyone understands their role and what function that role needs to perform.
Many executive boards are starting to recognise cyber security as a board-level problem and are looking to invest more, but require evidence that the program is effective and actively protecting business assets. It’s key that you create clear, understandable metrics that you can use to measure your performance, wrap governance around this and report on it, so you can demonstrate the effectiveness of your security program.
In a landscape that constantly evolves, the possibility of a security incident can never be ruled out, which means your response capabilities are just as important as your defences. The cost of the average data breach is US$5 million within 30 days and only grows over time, so investing in security becomes an easy decision when you weigh the cost of doing nothing.