There’s often only one way to learn how to counter cyber security threats – by being attacked, as these three businesses have experienced.
Most people who are trying to protect their business from cyber attacks and malware that has run amok will turn to consultants and the security industry, but there’s another group worth asking for advice: those who have actually fallen victim to an attack.
To find out what you really need to know about security – and what myths to ignore
Prevention is better than cure
One myth is that your company can get by purely with defence manoeuvres, however proactive techniques such as monitoring are increasingly necessary. Marcos Steverlynck, co-founder of e-commerce art marketplace, Rise Art, says that operating online means that security is always being considered, because the site is constantly being probed by outsiders for vulnerabilities.
The site has never been fully compromised, but has been subjected to a host of attacks first-hand, including a distributed denial of service (DDoS) attack last year. The site stayed online, but access was slower during the incident.
“We clocked it early enough that we were able to re-route the traffic away from our main systems,” says Mr Steverlynck. “But for an hour, we had strong doubts that we would be able to withhold the attack.”
The experience led the company to become more proactive with its security – Rise Art now uses smart traffic monitors to watch for attacks, enabling its IT department to respond more quickly.
It also hires third-party security firms to test its infrastructure for weaknesses before hackers find them. “These notify us of any weaknesses so that we can pre-empt an attack and strengthen our security,” says Mr Steverlynck.
Nick Seaver, Deloitte cyber-risk partner, agrees: “Companies need to get the balance right between preventing, detecting and responding to an attack.”
Simple, not sophisticated
That said, most security incidents don’t require a complicated defence, contrary to belief. The Rise Art co-founder says that motivations behind many attacks are misunderstood and hackers are assumed to be super-skilled criminal masterminds, when in fact, most incidents are simple and easy to prevent with a bit of effort.
“In most cases, it’s just hackers probing to see how systems behave, and whether there are any known vulnerabilities that they can exploit easily,” he says. “However, every now and then, we see more coordinated attacks.
“You have to remain vigilant of those, because their motives might be more sinister.”
Mr Seaver agrees, saying that most attacks aren’t complicated or sophisticated, but take advantage of publically known weaknesses in old or unpatched systems. He adds: “Replacing old systems and security patching current ones would significantly reduce the number of successful attacks.”
Everyone is a target
Mr Steverlynck adds that it’s a myth that small and medium-sized companies (SMEs) aren’t targets. “They’re often victims, simply because they’re believed to have more weaknesses,” he says. Micromix also learnt that everyone is a target when the plant nutrition firm was hit by ransomware. Charlotte Halls, operations manager, says the company made some false assumptions.
“We felt that a cyber attack would never happen to us. [That has now changed and] we’re far more security conscious, as we now know that it isn’t just the TalkTalks and Tescos of the world that hackers have in their sights.”
Paul Blore, managing director at Netmetix, agrees, saying that too many companies buy into the myth that SME data isn’t valuable.
“The reality is that if it’s important to your business, in the eyes of a hacker, it’s a prime ransomware target,” he explains.
“Ransomware, while very rarely targeted, is like a drive-by attack and no one – neither huge enterprises nor start-ups – is invulnerable.”
Spending isn’t always enough
Talbros, which makes auto components, was caught out by ransomware in the same WannaCry attack that knocked large parts of the NHS offline last month. “We were not aware of being one of the victims,” says head of IT, Rakesh Budhiraja. “When we tried accessing our data, which was encrypted, a certain amount of money was demanded in the form of bitcoins.”
Talbros had its own security systems in place, but it proved inadequate on this occasion.
The company turned to data recovery firm, Stellar, for support, and learnt a few lessons along the way – the most important being that no matter what you spend, it may not be enough. “We have the most robust system in place and invest a lot of resources in protecting ourselves,” he says, adding that it didn’t prove sufficient.
Mr Seaver says that that spending heavily on protection alone won’t make your systems impenetrable: “This is often at the expense of sufficient investment in both improving the ability to detect an attack, and developing and rehearsing effective responses to it.”
Security needs constant attention
You’ve got security walls in place, proactive monitoring watching for attacks, and back-ups just in case – but that’s still not enough.
Security is about constantly assessing and reassessing to ensure that your protections are keeping up with hackers. While Talbros thought that it had state-of-the art security, a new style of attack caught it unawares.
Lesson learnt, the company’s security infrastructure is getting more frequent upgrades and assessments to ensure that it’s up to date to counter any future attacks.
Mr Budhiraja advises companies to focus not just on putting the right security systems in place, but frequently reviewing and improving them