cybersecurity Archives

Doing “the basics” is not enough

The landscape of IT security has shifted significantly, yet a sense of apathy remains, rooted in the scaremongering sales tactics of the past decade. Today’s reality is starkly different: every firm and individual is a potential target, and the consequences of lax security are not just damaging but potentially catastrophic, leading to public embarrassment, hefty fines, and severe business disruptions.

Alarmingly, many professional services firms are not adhering to even the basic tenets of Cyber Essentials, a fundamental cybersecurity framework. Worse still, some firms rest on the mistaken belief that compliance with such frameworks alone guarantees security. Cyber Essentials really is ‘just the basics’ – not a badge of being secure.

Technical controls like advanced firewalls and detection systems are prevalent but often give a false sense of security. The analogy of a fortress with an open back window is apt; firms have robust protections in certain areas but unknown critical vulnerabilities in others. The security measures are not as integrated and comprehensive as they should be.

A glaring gap in many firms is the absence of a solid GRC framework and an Information Security Management System (ISMS). IT security is not just about technology; it’s about ongoing processes, risk management, evaluations, reporting, and testing.

Implementing an ISMS, particularly one aligned with ISO 27001, is essential for establishing a strong cybersecurity posture. Utilising key elements of this standard can significantly bolster a firm’s defence against cyber threats, even if you don’t certify against the standard. There’s no reason why every firm shouldn’t at least have a risk register and details of the security controls associated with countering those risks. It seems odd not to do it when you understand how much common sense it makes.

Despite the technical aspects of cybersecurity, the problem is not confined to the IT department, it is a challenge that must be tackled at the board level. Many firms still erroneously view Information Security and Cyber Security as IT issues when they are, in fact, most certainly broad organisational concerns.

It is vital for the business and IT to have a clear understanding of the organisation’s risk posture; identifying all risks faced by the business and the controls necessary to manage them. Regrettably, this level of understanding is often absent within a number of IT and business leadership teams, leading to insufficient risk management strategies. As an example, I’d argue that a significant number of firms don’t appropriately assess the security of their supply chain. This is almost as if they’ve delegated accountability to their suppliers for their firm’s operation; that’s a big statement to make i.e. ‘we are going to close our eyes and hope they’ve got it under control’.

The issue is compounded as many IT teams are currently overwhelmed in firms. They were historically tasked with maintaining operations but are now also burdened with managing numerous transformation projects post-COVID, along with a vast information security landscape to get control of. Many are really struggling, yet the board won’t assign the necessary focus or budget to really get hold of it.

Reassessing IT Security in Professional Services

Conclusion

Professional services firms must urgently re-evaluate their approach to IT security, transitioning from outdated perceptions to a holistic, board-level governance model. This shift is critical not just for the integrity of their IT infrastructure but for the survival and competitiveness of the firm in an increasingly digitized and threat-prone world.

Resolution

In response to the demands of professional service firms, QuoStar’s CISO service has been built to manage all of the key areas highlighted, from the ground up. It’s a comprehensive support service to give the IT team and the firm’s board real confidence that they are managing cyber security appropriately and effectively. In addition, it delivers:

Ongoing senior IT security leadership and guidance.
IASME or ISO 27001 implemented and managed (if desired).
The ability to effectively manage and respond to cyber-security threats.
A defined, ongoing roadmap for cyber-security protection.
All key documentation, policies and processes agreed and in place.
All key parties engaged in security standards implementation.
An overall definition of cyber-security strategy and tactics.
All key stakeholders understand the business objectives.
The ability to formally evidence management of cyber-security
Continual review & evaluation of the threat landscape to control your risk profile.

Microsoft’s premier annual event, Microsoft Inspire 2023, recently concluded, providing industry leaders and partners alike with a glimpse of Microsoft’s vision for the future. There’s no doubt that Microsoft wants to empower individuals worldwide to work in a new AI-driven way, expanding the scope of AI technology to help everyone in various aspects of their roles. In this recap blog, we’ll highlight some of the key takeaways from the event and how it sets the stage for a secure and AI-driven business landscape.

Advancing AI ambitions

Regardless of your feelings about AI technology, it’s hard to ignore the platform change that Satya Nadella (Chairman and CEO at Microsoft) laid out in the keynote speech. The next big shift in our way of working is here – using natural language as our interface with technology, facilitated by AI.

The event marked the launch of two groundbreaking AI-driven solutions, Bing Chat Enterprise and Microsoft 365 Copilot, promising to redefine how we work, delivering increased efficiency for business advantage through AI-driven insights and automation.

During the event, Microsoft detailed the functionalities and pricing of these new tools:

Bing Chat Enterprise: Think of it as Google on steroids, working with both public and private data while maintaining appropriate data governance to ensure your IP is not leaked. Currently available in preview, we expect this to roll out in late 2023 or early 2024 for Microsoft 365 E3, E5, Business Standard, and Business Premium users at no additional cost. For those rare clients without some form of M365 licensing, the standalone offering will be available for $5 per user per month.
Microsoft 365 Copilot: While Bing Chat Enterprise will reference business data and aid you in your day-to-day tasks, Copilot takes it to the next stage of evolution It offers integrated AI that can work with and for you in your native applications, through a natural language interface. Hand off those menial tasks and focus on the exciting stuff. Microsoft has initially released Sales Copilot, with the promise of wider integration to come and we finally know how much it will cost. $30 per user per month for Microsoft 365 E3, E5, Business Standard, and Business Premium clients. While it may feel expensive for some, how and who you deploy it for will be key.
New AI capabilities across Microsoft 365: AI is coming to the rest of the M365 suite, enhancing productivity and engagement with features like Copilot in Teams Phone and Chat, Microsoft Viva updates, Windows 365 Frontline, Microsoft 365 Backup, and Microsoft 365 Archive.

To learn more, read the blog post by Colette Stallbaumer, General Manager, Microsoft 365 and Future of Work here.

Microsoft Chairman and CEO Satya Nadella speaks to partner attendees at Microsoft Inspire 2023.

Judson Althoff, Microsoft executive vice president and chief commercial officer, speaks to partner attendees at Microsoft Inspire 2023.

Embracing the future of security with AI

Emerging technologies are rapidly evolving, and cybersecurity has become more crucial than ever before. Microsoft Inspire cast a spotlight on the future of security powered by AI, highlighting the unique opportunity to harness AI’s power alongside an end-to-end security solution for building a resilient security posture with rapidly adaptable defences.

Based on Microsoft’s internal data, cyber-attacks are rapidly adopting automation through AI-assisted tools. The number of password attacks detected by Microsoft has surged significantly, growing over threefold in the past year, from 1,287 per second to more than 4,000 per second. As a result, the cost of cyberattacks is continuously rising. If organisations stick to outdated security measures and only rely on past strategies, they may leave vulnerabilities in their security posture.

Partners and clients were introduced to valuable resources to strengthen their defences against ever-changing threats. They showed how using AI can help to spot and stop potential risks before they become a problem. They also emphasised the importance of safeguarding critical data and customer information. Throughout the event, it was clear that Microsoft is dedicated to empowering businesses with smart security solutions.

For the full details, read the announcement here to learn more.

Nicole Dezen, Microsoft corporate vice president and chief partner officer, speaks to partner attendees at Microsoft Inspire 2023.

Conclusion

Microsoft Inspire 2023 revealed a series of key announcements and technologies, showcasing the tech giant’s dedication to AI advancements and comprehensive security solutions. From fortified cybersecurity measures to innovative AI tools elevating collaboration and productivity, Microsoft is continuously pushing the boundaries in the tech space.

As the digital landscape continues to evolve, embracing these transformative technologies becomes crucial for achieving business success in today’s competitive environment. Sure, these technologies can be exciting, but we get it – they can also feel overwhelming, and you don’t have to navigate it alone.

The risks of – and the potential fallout from – a cyber-attack is enough to keep any company director awake at night.

The costs of a breach can be huge, costing UK enterprises an average of £4.09 million per breach, according to IBM’s Cost of a Data Breach study.

These figures are not surprising when you consider lost productivity and revenue, response, forensics, recovery, communications, data breach fines, and various other costs. Even a company with 100 employees can be looking at hundreds of thousands of pounds, just to get back to where they were before an event, such as from a ransomware attack.

Together with the significant reputational damage that can follow a data breach, the level of risk and likelihood means that most organisations have some form of cyber insurance to cover these substantial costs.

But as the number of cyber insurance pay outs grows, insurers are looking at ways to not pay out, or at least not for the full amount of damage. This is understandable in cases where a board has been negligent and not managed the risks, just as a motor insurer would not pay out where a driver had failed to get an MOT or put road legal tyres on their car.

Your responsibility to control risk

All cyber insurance providers expect policy holders to take responsibility for evaluating and mitigating risks.

Insurers expect best-practice cyber security controls to be in place, which typically includes the ‘absolute basics’ such as Cyber Essentials. This also means keeping on top of security operations year-round, not just a tidy up and certification every year or so.

If the basics are not in place at the time of a breach, then many insurers will not pay out. On top of this, the ICO and other regulators are likely to hand out significant fines. These amounts aren’t insignificant, as the ICO alone can hand out a data breach fine of £17.5 million, or 4% of an organisation’s total annual worldwide turnover, whichever is higher.

Cyber security basics should be viewed as seriously as other risk controls in your business, such as a fire alarm that is regularly serviced and tested.

Common cyber security measures

For a cyber liability policy to pay out in a breach scenario you need to check the small print. However, here are common areas that are going to have an impact on any claim:

Patches and Updates

Firewall Protection – IT equipment must be protected from unauthorised access by a suitable firewall. The firewall needs security updates and other updates at least once a month, if not automatically. An insurer will almost certainly not pay out if the firewall is not up to date at the time of a loss.
Software updates –It’s best practice to patch and update software and it is a standard cyber insurance term to mitigate known vulnerabilities. Important updates to firmware, operating systems, and other software must usually be installed within 14 days of being released by the vendor or provider. Some insurers will insist on seven days, which can be a tough clause to manage in some environments, so keep an eye out for this.
Tablets, phones, and other devices – It’s important that tablets, phones, and any other devices with access to your network are updated or kept off the corporate network. Your organisation is responsible for who and what connects to its network. If your network is breached from an insecure work or personal device, then your insurance could be void.
Outdated operating systems – Outdated operating systems and software that is no longer supported by the vendor in terms of security updates is going to invalidate insurance if they are breached.

Users and Passwords

Change default passwords – If you have default passwords or use the password that came with an IT device when it was purchased, then your policy will be invalid. There are large databases on the internet that list all these default passwords, and these are always a go-to for hackers and automated attacks.
Individual ID and password –It can be common for some users to share logins and passwords to certain systems, and for conference room PCs to have shared logins. These shared credentials are unacceptable as they are a common cause of a breach. It also makes the source of a breach difficult to trace.
Limiting access – System users should only have access to what they need, particularly logon credentials with enhanced security rights, such as administrator rights. It’s particularly important that users don’t have administrator rights on the device they log in to as that’s an easy way for an attacker, who may be an employee, to gain control of a machine and then the wider network and systems. Organisations will need to prove that administrator accounts are controlled and that passwords are changed regularly.
Work laptops should be controlled – Only authorised users should be able to use work devices. This will need to be controlled via policy and login restrictions. An employee’s child downloading and installing a game with ransomware on to a work device could lead to the insurance being invalidated.

Data Backup

Cyber insurance policies will always cover the backup and protection of data. They will typically include:

Two copies of backup data at different locations – It’s standard to expect two separate copies of backup data to be stored. One can be local to the IT environment, but another should be taken or backed up off-site, such as on a cloud backup platform. It’s increasingly common for insurers to ensure that backup data is air-gapped, so if someone gains access to your systems, they cannot get access to the backups. It’s common for ransomware attacks to seek and encrypt backups quickly.
Frequency of data backup –It’s usual to backup data daily, if not continually, in most modern IT environments. If your data is critical, then an insurer would want to know why you have not backed-up regularly.
Backup checks – It’s critical that you regularly evaluate your backups to make sure everything that needs to be is backed up. It’s even more critical to ensure that your backups are working as expected. Many systems will send automatic alerts, but it’s still worth doing a manual check and restore every now and again.
Virus Protection –Cyber insurance terms typically state that anti-virus software should be in full and effective operation at the time of a loss. It should also be noted that many insurers are now asking that businesses have at least EDR (Endpoint Detection and Response), which is a typically more advanced antivirus solution, supported by a specialist organisation. In fact, it’s generally considered a security basic now, as antivirus was 20+ years ago.

Pre-existing problems

Cyber insurance will not pay out if you are aware of, or ought to have reasonably known about, a pre-existing issue, prior to the cyber insurance being taken out. This is particularly important if you’ve had security audits undertaken in the past but not dealt with any issues highlighted. Too often organisations know they have issues but still take out insurance as a way of mitigating spend on security controls. This is a bad idea.

Previous breaches

If you’ve been breached before it will impact your insurance, as there could always be something waiting to deploy at a particular time, or a hole left in the environment. You must declare if you have had a breach, usually over the last three years.

What can reduce premiums?

There are key areas that can make a real difference to your cyber insurance premiums and your security posture, such as:

Multifactor authentication, particularly for remote access and administration accounts
Privileged Access Management (PAM)
Endpoint Detection and Response (EDR)
Secured, tested and encrypted backups
Email filtering and web security
Patch and vulnerability management
Cyber incident response planning and testing
Cyber security awareness testing and phishing testing
Security Information and event management solutions
Vendor and supply-chain risk management

All the above are sensible security controls that should already be in place in organisations of all sizes.