Doing “the basics” is not enough

The landscape of IT security has shifted significantly, yet a sense of apathy remains, rooted in the scaremongering sales tactics of the past decade. Today’s reality is starkly different: every firm and individual is a potential target, and the consequences of lax security are not just damaging but potentially catastrophic, leading to public embarrassment, hefty fines, and severe business disruptions.

Alarmingly, many professional services firms are not adhering to even the basic tenets of Cyber Essentials, a fundamental cybersecurity framework. Worse still, some firms rest on the mistaken belief that compliance with such frameworks alone guarantees security. Cyber Essentials really is ‘just the basics’ – not a badge of being secure.

Technical controls like advanced firewalls and detection systems are prevalent but often give a false sense of security. The analogy of a fortress with an open back window is apt; firms have robust protections in certain areas but unknown critical vulnerabilities in others. The security measures are not as integrated and comprehensive as they should be.

A glaring gap in many firms is the absence of a solid GRC framework and an Information Security Management System (ISMS). IT security is not just about technology; it’s about ongoing processes, risk management, evaluations, reporting, and testing.

Implementing an ISMS, particularly one aligned with ISO 27001, is essential for establishing a strong cybersecurity posture. Utilising key elements of this standard can significantly bolster a firm’s defence against cyber threats, even if you don’t certify against the standard. There’s no reason why every firm shouldn’t at least have a risk register and details of the security controls associated with countering those risks. It seems odd not to do it when you understand how much common sense it makes.

Despite the technical aspects of cybersecurity, the problem is not confined to the IT department, it is a challenge that must be tackled at the board level. Many firms still erroneously view Information Security and Cyber Security as IT issues when they are, in fact, most certainly broad organisational concerns.

It is vital for the business and IT to have a clear understanding of the organisation’s risk posture; identifying all risks faced by the business and the controls necessary to manage them. Regrettably, this level of understanding is often absent within a number of IT and business leadership teams, leading to insufficient risk management strategies. As an example, I’d argue that a significant number of firms don’t appropriately assess the security of their supply chain. This is almost as if they’ve delegated accountability to their suppliers for their firm’s operation; that’s a big statement to make i.e.  ‘we are going to close our eyes and hope they’ve got it under control’.

The issue is compounded as many IT teams are currently overwhelmed in firms. They were historically tasked with maintaining operations but are now also burdened with managing numerous transformation projects post-COVID, along with a vast information security landscape to get control of. Many are really struggling, yet the board won’t assign the necessary focus or budget to really get hold of it.

Conclusion

Professional services firms must urgently re-evaluate their approach to IT security, transitioning from outdated perceptions to a holistic, board-level governance model. This shift is critical not just for the integrity of their IT infrastructure but for the survival and competitiveness of the firm in an increasingly digitized and threat-prone world.

Resolution

In response to the demands of professional service firms, QuoStar’s CISO service has been built to manage all of the key areas highlighted, from the ground up. It’s a comprehensive support service to give the IT team and the firm’s board real confidence that they are managing cyber security appropriately and effectively. In addition, it delivers:

• Ongoing senior IT security leadership and guidance.
• IASME or ISO 27001 implemented and managed (if desired).
• The ability to effectively manage and respond to cyber-security threats.
• A defined, ongoing roadmap for cyber-security protection.
• All key documentation, policies and processes agreed and in place.
• All key parties engaged in security standards implementation.
• An overall definition of cyber-security strategy and tactics.
• All key stakeholders understand the business objectives.
• The ability to formally evidence management of cyber-security
• Continual review & evaluation of the threat landscape to control your risk profile.

The risks of – and the potential fallout from – a cyber-attack is enough to keep any company director awake at night. 

The costs of a breach can be huge, costing UK enterprises an average of £4.09 million per breach, according to IBM’s Cost of a Data Breach study.  

These figures are not surprising when you consider lost productivity and revenue, response, forensics, recovery, communications, data breach fines, and various other costs. Even a company with 100 employees can be looking at hundreds of thousands of pounds, just to get back to where they were before an event, such as from a ransomware attack.  

Together with the significant reputational damage that can follow a data breach, the level of risk and likelihood means that most organisations have some form of cyber insurance to cover these substantial costs.  

 But as the number of cyber insurance pay outs grows, insurers are looking at ways to not pay out, or at least not for the full amount of damage. This is understandable in cases where a board has been negligent and not managed the risks, just as a motor insurer would not pay out where a driver had failed to get an MOT or put road legal tyres on their car.  

Your responsibility to control risk

All cyber insurance providers expect policy holders to take responsibility for evaluating and mitigating risks.  

Insurers expect best-practice cyber security controls to be in place, which typically includes the ‘absolute basics’ such as Cyber Essentials. This also means keeping on top of security operations year-round, not just a tidy up and certification every year or so. 

If the basics are not in place at the time of a breach, then many insurers will not pay out. On top of this, the ICO and other regulators are likely to hand out significant fines. These amounts aren’t insignificant, as the ICO alone can hand out a data breach fine of £17.5 million, or 4% of an organisation’s total annual worldwide turnover, whichever is higher. 

Cyber security basics should be viewed as seriously as other risk controls in your business, such as a fire alarm that is regularly serviced and tested. 

Common cyber security measures

For a cyber liability policy to pay out in a breach scenario you need to check the small print.  However, here are common areas that are going to have an impact on any claim: 

Patches and Updates

• Firewall Protection – IT equipment must be protected from unauthorised access by a suitable firewall. The firewall needs security updates and other updates at least once a month, if not automatically. An insurer will almost certainly not pay out if the firewall is not up to date at the time of a loss.
• Software updates –It’s best practice to patch and update software and it is a standard cyber insurance term to mitigate known vulnerabilities. Important updates to firmware, operating systems, and other software must usually be installed within 14 days of being released by the vendor or provider. Some insurers will insist on seven days, which can be a tough clause to manage in some environments, so keep an eye out for this.
• Tablets, phones, and other devices – It’s important that tablets, phones, and any other devices with access to your network are updated or kept off the corporate network. Your organisation is responsible for who and what connects to its network. If your network is breached from an insecure work or personal device, then your insurance could be void. 
• Outdated operating systems – Outdated operating systems and software that is no longer supported by the vendor in terms of security updates is going to invalidate insurance if they are breached. 

Users and Passwords

• Change default passwords – If you have default passwords or use the password that came with an IT device when it was purchased, then your policy will be invalid. There are large databases on the internet that list all these default passwords, and these are always a go-to for hackers and automated attacks.
• Individual ID and password –It can be common for some users to share logins and passwords to certain systems, and for conference room PCs to have shared logins. These shared credentials are unacceptable as they are a common cause of a breach. It also makes the source of a breach difficult to trace.
• Limiting access – System users should only have access to what they need, particularly logon credentials with enhanced security rights, such as administrator rights. It’s particularly important that users don’t have administrator rights on the device they log in to as that’s an easy way for an attacker, who may be an employee, to gain control of a machine and then the wider network and systems. Organisations will need to prove that administrator accounts are controlled and that passwords are changed regularly.
• Work laptops should be controlled – Only authorised users should be able to use work devices. This will need to be controlled via policy and login restrictions. An employee’s child downloading and installing a game with ransomware on to a work device could lead to the insurance being invalidated.

Data Backup

Cyber insurance policies will always cover the backup and protection of data. They will typically include: 

• Two copies of backup data at different locations – It’s standard to expect two separate copies of backup data to be stored. One can be local to the IT environment, but another should be taken or backed up off-site, such as on a cloud backup platform. It’s increasingly common for insurers to ensure that backup data is air-gapped, so if someone gains access to your systems, they cannot get access to the backups. It’s common for ransomware attacks to seek and encrypt backups quickly.
• Frequency of data backup –It’s usual to backup data daily, if not continually, in most modern IT environments. If your data is critical, then an insurer would want to know why you have not backed-up regularly. 
• Backup checks – It’s critical that you regularly evaluate your backups to make sure everything that needs to be is backed up. It’s even more critical to ensure that your backups are working as expected. Many systems will send automatic alerts, but it’s still worth doing a manual check and restore every now and again.
• Virus Protection –Cyber insurance terms typically state that anti-virus software should be in full and effective operation at the time of a loss. It should also be noted that many insurers are now asking that businesses have at least EDR (Endpoint Detection and Response), which is a typically more advanced antivirus solution, supported by a specialist organisation. In fact, it’s generally considered a security basic now, as antivirus was 20+ years ago.

Pre-existing problems

Cyber insurance will not pay out if you are aware of, or ought to have reasonably known about, a pre-existing issue, prior to the cyber insurance being taken out. This is particularly important if you’ve had security audits undertaken in the past but not dealt with any issues highlighted. Too often organisations know they have issues but still take out insurance as a way of mitigating spend on security controls. This is a bad idea. 

Previous breaches

If you’ve been breached before it will impact your insurance, as there could always be something waiting to deploy at a particular time, or a hole left in the environment. You must declare if you have had a breach, usually over the last three years. 

What can reduce premiums?

There are key areas that can make a real difference to your cyber insurance premiums and your security posture, such as: 

• Multifactor authentication, particularly for remote access and administration accounts 
• Privileged Access Management (PAM) 
• Endpoint Detection and Response (EDR)
• Secured, tested and encrypted backups 
• Email filtering and web security 
• Patch and vulnerability management 
• Cyber incident response planning and testing 
• Cyber security awareness testing and phishing testing 
• Security Information and event management solutions 
• Vendor and supply-chain risk management 

All the above are sensible security controls that should already be in place in organisations of all sizes. 

If your organisation is considering SD-WAN (Software-defined Wide Area Network), then effective networking and built-in security should be integral to your decision.

In partnership with Fortinet, QuoStar is one of 15 SD-WAN specialised partners in the UK. We offer a solution that achieves safer, more cost-effective and efficient SD-WAN implementation. Here’s how:

SD-WAN explained

With dispersed workforces, new digital tools and cloud adoption at an all-time high, many organisations are turning to SD-WAN. This virtual WAN architecture brings together existing internet connectivity options, such as MPLS, Broadband, DIA and LTE, to securely connect users to applications, while simplifying the control and management of this connectivity.

SD-WAN solutions help to remove complex and expensive routing, cut down on hardware costs and remove expensive MPLS networks. They can also greatly enhance access to Software as a Service (SaaS) and other cloud-based services and help to minimise downtime.

The issue

However, many available SD-WAN networking solutions have little or no built-in security, which can lead to organisations adding a range of disparate tools to address these risks. This increases capital expenditure, raises complexity and creates potential gaps for cyberattacks.

A fully integrated, secure SD-WAN solution is the best way to ensure effective protection, operational efficiencies, and on-going readiness for evolving network demands.

QuoStar’s SD-WAN solution

Working in partnership with Fortinet, who have been recognised by Gartner as a Leader in the 2022 Gartner Magic Quadrant for SD-WAN for a third year in a row, QuoStar’s SD-WAN solution brings extra security protection and enhanced performance to the existing benefits of SD-WAN. These improvements include:

1. Protection at all edges

Native security for both on-premises and cloud-delivered services, to provide flexible, secure access for a distributed workforce working on and off the network. Unified orchestration capabilities further provide end-to-end visibility and control of the network environment.

2. A world-class user experience

Our solution overcomes WAN impairments at all edges using our comprehensive self-healing SD-WAN as well as AIOps and Digital Experience Monitoring (DEM). There are no network slowdowns thanks to our purpose-built security processing units, and application performance is maximised with artificial intelligence and machine learning.

3. Reduced costs and complexity

Significantly lower operational complexity and low total cost of ownership is achieved with converged networking and security. Our unified SD-WAN solution secures remote workers and on-premises users with consistent policies.

You should investigate SD-WAN if:

• You’re a largely distributed company experiencing network problems.
• You’re particularly vulnerable to internet outages.
• Your internet connectivity costs need to be revaluated.
• You want to simplify the branch architecture.
• You’re in the market to affordably expand your company’s network.
• Your company needs to scale quickly and easily.
• You would like to enable reliable user experience on any transport with rich routing and advanced WAN remediation for self-healing networks
• SD-WAN control and management across multiple locations is providing a challenge for businesses with IT resources facing skill gaps

It’s time to let go of the view that multi-factor authentication (MFA) provides enough security.

Hackers have the means to steal passwords, hijack users’ sign-in sessions and bypass the authentication process entirely, even when MFA is enabled. Adversary-in-the-middle (AiTM) attacks may be nothing new, but the ability of criminals to bypass MFA is.

What’s new?

Attackers can now intercept the legitimate session cookie issued by a real website, along with the authentication token.

The sophistication of these modern AiTM attacks has been highlighted by Microsoft, who explain how AiTM phishing attacks work.

In simple terms:

1. An attacker sends a cleverly crafted email (phishing attack) which looks legitimate
2. An unsuspecting user clicks on this link, which takes them to the attackers’ ‘spoof’ website
3. The attackers’ website silently and transparently forwards on the request to the real site (Office365, Google etc) for authentication
4. The user sees the real website and enters their credentials to authenticate

The attacker can now silently intercept this data while it passes through their website

Cookie theft

Ever wondered how you can launch Edge or Chrome and navigate to your Office 365 email without being prompted for authentication? Or launch Outlook or Teams without being prompted for authentication?

This is because you have already done that once and have a safely stored session cookie which is valid for a set number of days.  This is what the attacker is after and once they have it, they have easy, instant access to your email or Teams account.

Build multiple layers of protection

A multi-layered approach to security is the key. Relying on a single security mechanism such as MFA is like putting all your eggs in one basket. You need to reduce the possibility of security compromise by adding more control layers.

1. Enable MFA if you haven’t done so already. Without this, it’s like having a toy padlock on your front door.
2. Raise awareness. This is the most effective and essential step of all. Educate users on how to spot phishing emails and when they should and shouldn’t enter their credentials.
3. Implement advanced email filtering. Reduce the chance of attacker emails reaching users’ mailboxes by deploying Content Filtering, Sender Filtering and Safe Links. These are must-haves.
4. Implement a Web Proxy. These may be usually considered a mechanism to stop people accessing Facebook or eBay during working hours, but when combined with Deep SSL Inspection, a Web Proxy can inspect all traffic leaving the organisation and track known suspicious or malicious content and sites.
5. Implement EDR. Next Generation anti-virus/anti-malware technologies with an Endpoint Detection and Response (EDR) service overlay can detect threats in your networking environment and respond to them appropriately, automatically, and ideally with a human interaction when required.
6. Implement Microsoft Conditional Access Security Defaults. Conditional Access policies allow IT admins to create conditions before events, such as authentication, can be accepted. This could include enforcing MFA when logging into any Azure integrated Cloud App, including Office 365, to block sign-ins from untrusted locations or from unknown devices.
7. Implement Least Privilege. If an attacker manages to penetrate all these layers you can still limit the damage done. If the end user does not have local admin rights, then there’s a good chance that the attacker will not have these when they compromise that machine. Another, possibly even more important, step is admin account separation

None of these controls are particularly new. They are in essence good practice and should be implemented as a base standard in all sizes of IT estate. The majority shouldn’t even cost significantly to implement if anything.