Pull your SOCs up

The UK government’s recent Cybersecurity Breaches Survey of 2021 found that during the pandemic, cybersecurity preparedness actually declined – even as the number of attacks increased. Malcolm Orekoya, CISM, CISSP, Chief Technology Officer, NetUtils, explains why and how SMEs need to make sure their cyberdefences are up to scratch.

Late last year, ahead of the foundation of the UK’s first National Cyber Force, Prime Minister Boris Johnson said: “…the UK must be able to protect itself and adapt to the swiftly evolving cyberthreat landscape. Every year we see increasing numbers of high-profile cyberattacks from threat actors both in and out of the UK.” Within three weeks of his ambitious announcement, FatFace, a British lifestyle clothing and accessories retailer based in Hampshire, was hacked and forced to pay out a £1.45 million ransomware demand after an organised cybercrime gang locked it out of its systems and harvested 200GB of sensitive data.

FatFace is just one example of why, according to a recent survey by McKinsey and Company, cybersecurity is now a top-four priority for company boards seeking to meet the needs of customers, partners, shareholders and, increasingly, regulators. Unfortunately, smaller firms often face the greatest challenge. Recruitment and retention of good cybersecurity staff is difficult – especially for SMBs with slimmer budgets and less staffing capacity. This skills shortage is not a problem confined to the UK. According to the 2020 Cybersecurity Workforce Study, even though an additional 700,000 skilled workers joined the talent pool last year, the study indicates a global shortfall of 3.21 million and a UK deficit of 27,000 vacancies as of April 2020.

Although there are many roles within cybersecurity, the main area of shortage is information security analysts: those responsible for providing security solutions for their companies. Typical duties include undertaking security-focused research, collecting threat intelligence, developing secure strategies and maximising productivity. Infosec analysts are generally charged with implementing security principles while following strict privacy policies, with more adept practitioners often using advanced skills to proactively uncover security threats and network vulnerabilities. Even with an average annual salary of around £32,000, recruiting a competent analyst is still a challenge.

Supply is stretched further by businesses becoming 24/7 in nature. The typical 9 to 5 role tends not to apply to cybersecurity staff who must be available to react at relatively short notice if there is an alert to indicate a breach. Managing cybersecurity is not a core function for most organisations and this additional burden can potentially ramp up costs further as businesses need to either hire enough staff to cover a full day or alternatively find an out-of-hours service to cover the gap.

Ostrich approach

Unfortunately, many organisations are simply ignoring the risk. The UK government’s recent Cybersecurity Breaches Survey of 2021 found that during the pandemic, cybersecurity preparedness actually declined – even as the number of attacks increased. The report found that preventative measures such as testing staff through mock phishing exercises, carrying out cybersecurity vulnerability audits and reviewing the cybersecurity risks posed by suppliers had dropped by between 20% and 30% compared to the previous year. Meanwhile, four in ten businesses (39%) reported cybersecurity breaches or attacks in the last 12 months, with medium-sized businesses (65%) the most affected.

In response to these challenges, a growing number of organisations are instead switching to various forms of managed security services to deliver a defined level of protection within a fixed cost. This is a sector that is growing rapidly: according to estimates from the UK Department for Digital, Culture, Media and Sport, there are 1,483 firms active within the UK providing cybersecurity products and services – an increase of 21% since last year’s (2020) report and a 75% increase since 2017. Most firms offering cybersecurity skills are SMEs, with around 80% of these firms having fewer than 50 staff. Unlike large-scale utilities, delivering cybersecurity expertise tends to require a closer relationship with the end customer and, as such, this tailored approach better suits smaller businesses than larger entities.

Just about managing

The fastest-growing segment is managed security services providers (MSSPs), which tend to offer a broad range of cybersecurity services such as endpoint protection, managed firewalls, and vulnerability and patch management. To deliver these services, most will run some kind of Security Operations Centre (SOC), which according to the UK’s National Cyber Security Centre is a facility where enterprise information systems such as websites, servers and networks are monitored, assessed and defended. Depending on the nature of the SOC, organisations may offer a variety of services including monitoring, detection, threat hunting, incident management, log analysis, forensic imaging, malware analysis, reverse engineering, mitigation advice and general good-practice guidance.

Larger enterprises tend to build and staff their own SOC, but this is often cost prohibitive for smaller businesses, which are instead using managed SOCs that look after several customers using a single centralised team of experts. A managed SOC will perform several key tasks. The first is to detect and prevent attacks while keeping the information held on systems and networks secure. This, in turn, will increase resiliency by learning about the changing threat landscape, including malicious and non-malicious, internal and external threats. Lastly, the SOC will be able to react to an attack that results in a breach with a response plan to contain any potential damage.

There are many advantages to taking a managed SOC rather than building your own. Firstly, it allows access to better cybersecurity technology and processes for a fixed fee, because the running costs are effectively shared among all the customers that benefit from the SOC. This will also include a Service Level Agreement (SLA), which will provide a set of contractually agreed services within a specified time frame.

A managed SOC will also handle all staff training and manage scheduling to cover personal time off (PTO) or staff sickness, which are difficult to cover without the use of expensive contractors. The SOC team can also scale quickly to an event and bring in additional expertise to deal with a problem when needed.

Lastly, a managed SOC, like any other utility-based service, can scale up – and down – as business needs change. So, for example, if the number of staff declines or a company switches to more cloud-based applications instead of running its own servers, then the level of SOC coverage can also be reduced.

Every rose has a thorn

However, a managed SOC does have a few issues to consider. For larger organisations with mature cybersecurity skills, an in-house SOC may be better and potentially more cost-effective. Keeping and nurturing expertise in-house can help build highly skilled teams that are much more adept at understanding their own respective environments.

With a growing number of suppliers across the UK offering cybersecurity professional services of some sort, it can be difficult to judge the effectiveness of any service provider. So, as you would with any other supplier, it is worth doing proper due diligence. A good indicator is to ensure that any supplier holds valid certification to ISO 9001, an international standard that specifies requirements for a quality management system (QMS) and is held by over one million companies and organisations in over 170 countries.

And more specifically for IT services, a supplier should also have ISO/IEC 27001, an international standard on how to manage information security. For organisations within the public sector, it is also advisable to work with a registered Crown Commercial Service supplier as this will make contract negotiations, terms and conditions a bit easier to manage.

On this last point, it is also worth finding out up front what is covered within any contract. Some services may only include monitoring, but not necessarily fixing the mess left by a cyberattack or ransomware extortion attempt. It is also important to understand that any of these services reduce risk but cannot 100% guarantee that your organisation won’t get hacked – anybody who tells you otherwise also has a bridge for sale.

Clear and present danger

Unfortunately, as more social and business activities head online, there has been a consequent rise in cybercrime. Ignoring the issue won’t make it go away, although small businesses may feel that criminals will choose more appetising targets. The blunt truth is that juicier prey is often better protected and poses more risk of getting caught. And it’s not just about the damage to reputation caused by cyberbreaches: the Cybersecurity Breaches Survey 2020 research found that where cyberattacks caused material outcomes within medium and large firms combined, the average (mean) cost across the year is an estimated £13,400. With pause for thought, maybe it’s time to pull your socks up and do something proactive about your cyberdefences.

Intelligent SME.tech