Preparation And Practice: How To Respond To Today’s Cyberthreats

Today’s businesses face a constant surge of threats to their digital assets, from social engineering attacks to malware; from web-based threats to attacks against their users’ identities. And as these sophisticated threats become increasingly prevalent, cybersecurity is no longer just about preventing attacks, but also about knowing how to respond when the inevitable happens and your security team discovers a breach.

To find out more about how organizations can implement powerful protection alongside a robust response plan, we spoke to Tony Anscombe, Chief Security Evangelist at ESET. Anscombe first entered the security space over 20 years ago, coding for financial institutions. When the focus shifted from mainframes to network- and PC-based environments, Anscombe followed the shift down the security route. Now, as well as managing ESET’s partnerships with other technology vendors, he works to help educate people on various cybersecurity topics to influence positive behavioral changes and increase security from a human standpoint.

Founded in 1992, ESET is a global provider of cybersecurity solutions dedicated to securing individuals and organizations against known and emerging threats by delivering solid technologies, services and expertise. ESET offers consumer, SMB and enterprise security products and services, all of which provide solutions to the main security challenges their customers are facing today: sophisticated threats, and a lack of available resources to dedicate to mitigating those threats.

The Cybersecurity Industry Faces A Huge Lack Of Resources

Digital transformation has turned the modern workplace into a better connected, more efficient environment. But it’s also created a huge range of opportunities for cybercriminals to access corporate environments—something which security teams must face with constant vigilance to prevent.

But one of the biggest challenges organizations face today when it comes to preventing unauthorized access to their environments, says Anscombe, is sufficient resources. The skills gap between the number of jobs available in the cybersecurity industry and the number of people able to fill those jobs is widening, leaving security teams with an increased workload, increased levels of burnout, and a less clear view of the threats their organizations are facing.

“The cybersecurity industry is massively under-resourced, and that gives companies a lack of expertise which, in turn, gives them a lack of insight and vision into the threat landscape,” Anscombe says.

And, despite the obvious need for cybersecurity in today’s digital-native workplace, 95% of cybersecurity professionals state that this skills shortage hasn’t improved over the past few years, and 44% say that it’s only gotten worse. One contributor to this issue, says Anscombe, is the fact that governments have begun paying commercial salaries for government cybersecurity jobs—spreading resource more thinly, instead of encouraging more people to take up a career in cyber. Another key factor is a lack of training.

“A big thing when it comes to the skills shortage is not only a lack of training at, for example, university level or experience in the field, but also the lack of training of every employee,” says Anscombe.

“Every employee has a part to play in cybersecurity. Unfortunately, anyone could be the person who clicks on a phishing link that lands in their inbox. In the majority of instances, these carefully crafted, sophisticated emails can fool even people with a good cybersecurity awareness.”

Security awareness training (SAT) programs can transform a workforce from a potential source of vulnerability into a robust line of defense against cyberattacks. And while many organizations are now implementing some form of training in order to comply with regulatory standards or state laws, too few are realizing the true potential of a strong SAT program when it comes to bolstering cybersecurity resource.

The Threat Landscape Is Evolving

If the ongoing challenge of combatting threats with limited resource wasn’t enough on its own, security teams are having to undertake this battle in an ever-changing environment. The past two years have seen two big shifts in the workplace: first, as the COVID-19 pandemic catalyzed the need for remote work; and now, as organizations are welcoming their employees back to the office in a hybrid-remote format.

“Employees are starting to head back into offices, and they’re bringing the devices with which they’ve been working remotely, and plugging the directly into the network,” says Anscombe. “So, there are certain things that companies need to be taking into account. It’s not just about securing access with a VPN; you need to start thinking about bringing devices back into the fold of the network and implementing a zero-trust policy.

“Your user might have been sharing a USB stick or a printer with their partner at home to work more effectively, or they might have been using a mix of personal and business applications on their devices. And maybe you’ve allowed that. But you need to start thinking of those devices as untrustworthy until you can bring them back into the network.”

As well as welcoming employees back into the office, many organizations are embracing the perks of introducing Internet of Things (IoT) devices to the workplace. Well, who wouldn’t want a coffee machine that delivers their favorite brew automatically, at the same time, every day?

But while these devices may help us live more effectively and efficiently, they can also provide attackers with new ways to tap into corporate networks.

“It’s really easy for a department to bring something in and connect it, without realizing that they’ve just introduced something that could become a vulnerability,” explains Anscombe. “It’s very easy to bring in a new coffee machine as part of the catering team, and not think about asking IT whether it’s secure for them to plug in.”

But securing an IoT device on initial connection isn’t enough; organizations also need to keep them updated—a task which often proves to be rather tricky, as Anscombe explains with an analogy:

“If you take your car to the dealer and say, ‘I’d like you to patch my infotainment system’, they’re likely to look at you and say, ‘What? How do you do that, then?’. And there are so many devices that you need to keep updated, that this becomes a massive challenge.

“That’s why you need to hold these devices in that zero-trust distance. It’s about having an understanding of everything that’s connected to your network and having that zero-trust mentality on everything that’s connected until you understand what it is.

“It’s also important to turn off any features that you don’t use. For example, if you buy an IoT security camera and you’re not using the motion sensor, turn the motion sensor off. And if you can’t turn off the features you’re not using, you’ve got the wrong product.”

Cybersecurity Needs A Layered Approach

One of the best ways that an organization can tackle these challenges is by taking a layered approach to their cybersecurity. And, according to Anscombe, there are three prongs to this.

First, businesses must embrace both technological and human layers of protection. We’ll address the tech layer more in a minute, but for now, let’s focus on the human layer, i.e., awareness. Awareness can be the difference between someone sending a threat actor their login credentials for a corporate application, and reporting the request as suspicious to their security team. It can also be the difference between a member of the security team patching a vulnerability, or letting it remain open to exploit, because they weren’t aware it existed or affected them.

“ESET is a research-heavy company; we do a lot of research outside of our products and publish that research on our blog, We Live Security,” says Anscombe. “So, for example, if there’s a critical infrastructure issue, we’ll unpick the malware and try to understand how it works, and we’ll publish our findings on that. And providing that background research is paramount for the wider security industry.”

As well as leveraging industry research and security awareness training, organizations should lean on the expertise of managed service providers (MSPs) to fill their knowledge gaps, says Anscombe. MSPs not only take responsibility for the actual deployment and day-to-day management of the security product they’re offering, but they can offer a wealth of knowledge that organizations—particularly SMBs or those with fewer available security resources—may not have in-house.

Second, it’s important that organizations layer their technological security products to address all attack vectors. These include products designed to identify and protect against endpoint, email, identity and web threats, among others.

Finally, each of the products that an organization implements should apply a layered approach to threat prevention, ensuring that they can detect threats at multiple stages of their lifecycles.

“If you can block the method of delivery, or identify a vulnerability, or look for someone exploiting it, then you can prevent the malware before it’s even entered the device,” Anscombe says. “So, if one layer fails to detect something, you’ve got other layers providing a backup.”

Facing Cyberthreats Requires Preparation And Practice

As we’re increasingly confronted with bold headlines shouting news of devastating, million-dollar cyberattacks against businesses both large and small, it can be easy to feel overwhelmed, or not know where to start in terms of implementing defense—let alone when responding to a security incident. But organizations need not tackle the challenge alone, says Anscombe.

“Find and engage with a partner,” he advises. “You need a good cybersecurity partner, technology provider, MSP or reseller—however you want to define that—on hand, and you need to have built a relationship with them before the incident, so they understand you and you understand them.”

In addition to this, Anscombe recommends that organizations refer to existing cybersecurity frameworks when building their security infrastructures and creating an incident response plan.

“Many of the things you need to do actually live under a framework,” he says. “So, you can use a framework such as NIST as a checklist, to a certain degree, to make sure you’re covering all the elements of the cybersecurity architecture and processes that you need to have in place.”

Finally, Anscombe iterates the need for organizations to practice their incident response processes to ensure that they’re prepared to deal with a real security incident when it happens.

“Run a crisis scenario within your organization and make sure you’re prepared, so that you know your backups are going to work, you know who needs to be in the room when an incident happens, and you know who to call as an outside resource,” Anscombe says.

“When I started my career, I was a bomb warden—we used to run security scenarios frequently, they had us actually putting out fires. Now, we need to understand how to put out those fires in terms of cybersecurity.

“It’s no good having a response plan that’s written down, or that you’ve tested one element of—you need to actually run a full scenario as though you did have an incident.

“Unfortunately, it’s not a matter of if an incident happens—for many, it’s a matter of when. And a lot of companies are not prepared because they haven’t run that scenario.”

Thank you to Tony Anscombe for taking part in this interview. You can find out more about ESET and their comprehensive range of security solutions at their website and via their LinkedIn profile.