Safeguarding Organisations from Cyberattacks
Published on : Tuesday 02-02-2021
How can corporates, start-ups and small businesses whose cybersecurity budgets have been squeezed by Covid-19 still reduce their cyber risk? Athul Jayaram elaborates.

In 2020 we faced the Covid-19 pandemic, which took the lives of over 2 million people worldwide. The technology sector was affected too: more corporations struggled and millions of people lost their jobs. The positive side is that many organisations moved their employees to working from home, and some technology organisations even gave employees grants for an internet connection, a laptop and a desk. Customer-facing organisations were hit hardest, as the number of customers visiting them fell significantly. This was also the period in which we saw some of the largest cyberattacks, and the number of attacks observed in 2020 rose sharply.
In small organisations and start-ups, cyber risk is usually managed by the tech team or the CTO; larger organisations have a CISO or CSO. This person has to keep a check on the overall security posture of the organisation. Sectors such as banking and finance need continuous security monitoring, given the higher impact and risk. Today attackers are more interested in data than in money, and it is no coincidence that organisations are equally interested in your data.

The valuation of almost every app and social media platform rises mainly with the number of users it has, and the more data it holds about each person, the higher the value. Some organisations describe "data as the new oil", and every organisation has reached the point where it wants to learn more about you. Companies do not mind giving you freebies so that you reveal more about yourself. Some collect your chats, photos, videos, GPS location, the names of the people you talk to and much more. Imagine terabytes of data about you: the same data can be used to predict what you will do next and which product you will buy. All the collected data sits on servers and is accessible to the organisation through its backends. If an attacker compromises your server, all the data you have collected about your customers may be leaked to the public, including your competitors. The worst outcome is for the customers whose data, including credit card numbers, phone numbers, addresses or any other private information, is leaked. Cybercriminals may use those card numbers to perform transactions in the customers' names.
As a CISO or CIO, the first thing to do is to conduct regular vulnerability assessments and penetration tests of your servers, backends and customer-facing applications, starting with your internal team. In practice, most vulnerabilities today are found by an external team that attacks your servers from outside the organisation, which is a good simulation of the real-world scenario in which attackers come from outside. Hackers are mainly of two types: blackhat hackers and whitehat ethical hackers. Blackhat hackers are cybercriminals who steal data from organisations and sell it to third parties, especially on the dark web. Whitehat hackers are ethical hackers who find vulnerabilities in your organisation and report them directly to you without disclosing them to third parties; the organisation in turn offers the reporter a monetary reward. Today many global organisations run a bug bounty programme to let ethical hackers and security researchers find vulnerabilities and report them back, and it has improved the security of those organisations at a faster rate.
Organisations need to increase their security budget. Many organisations have cut cybersecurity spending as revenue has fallen since Covid-19. CISOs need to understand that reducing the annual cybersecurity budget increases the organisation's cyber risk. Many organisations with billion-dollar revenues spend less than 1% of it on cybersecurity; the bigger the organisation, the more it should be spending. Recently several well-known organisations with billion-dollar revenues were hacked by cybercriminals, and later investigation revealed they had not paid any reward to the ethical hackers who reported vulnerabilities to them. That shows an organisation that does not care about cybersecurity. Ethical hackers will not misuse their findings, but if the vulnerabilities are left unfixed, blackhat hackers may find and exploit them.
Let me explain with my own example. I am a whitehat ethical hacker, and I report vulnerabilities to organisations whether or not they offer a monetary reward. When an organisation does pay a reward, I take it as a token of appreciation and feel motivated to find more vulnerabilities and report them. As a result, I find more of the organisation's vulnerabilities and its overall security posture improves at a quicker rate. Whitehat ethical hackers like me are self-employed; improving the security of other organisations is what we do. Whitehat ethical hackers also have bills to pay and families to support. Some do this work part-time alongside a full-time job, and though the full-time job gives them financial security, they lose work-life balance.
Even with a reduced cybersecurity budget, the best thing an organisation can do is to hire a security researcher with penetration testing experience, either on contract or as a full-time employee. They can work remotely, and this is the best investment the organisation can make: the researcher will use their skills to find any vulnerabilities the organisation is exposing and report them to you. The CISO can then review the report and have the development team fix the vulnerabilities. The skill of the researcher plays the key role in uncovering them. If a CISO assumes that firewalls will protect the organisation from hackers, that is a wrong notion: a firewall only filters traffic by network rules, and an attack on a web application arrives on the same port the firewall has to allow for customers, so it passes straight through and data can be extracted.
Organisations with a good cybersecurity budget purchase many expensive SaaS products and firewalls to protect the organisation from being hacked. Such products can also increase your risk: every additional product is additional attack surface, and if attackers hold a zero-day for the product itself, your organisation might be hacked more quickly than before. It is appropriate to run a bug bounty programme in which researchers are rewarded for finding vulnerabilities. Even with a limited cybersecurity budget, a bug bounty programme can be implemented, because the organisation only pays for the vulnerabilities that are actually found. This is a cost-effective solution with full benefit to the organisation.
CISOs often buy their security solutions, say antivirus, firewall and endpoint protection, from a single vendor, because vendors give discounts for buying multiple products. Threat protection products from one vendor usually share a single threat database, so the same threat data is used across all of them, and a threat the vendor misses is missed everywhere. This may increase your organisation's risk. It is recommended to use products from different vendors, as the threat detection logic and signature data will differ across them.
There are CISOs who are confident that their product is safe and that no one can hack their business or steal their data. No organisation is 100% safe or secure; it only takes the right security researcher to find a vulnerability. These days even tech giants have vulnerabilities, and their applications are developed by the most experienced software engineers and web developers. Secure coding practices are therefore essential: it is often security mistakes made by developers that lead to vulnerabilities. Bigger organisations give contracts to the big four consulting companies to protect their business and applications. Though the big four bill huge amounts, the security will always be at risk, because those companies have multiple clients and can devote less time to your project. It is always recommended to also contract small businesses that can give their full time to protecting your business at a lower cost.
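The two points above, that a firewall does not stop an application-layer attack and that a single developer mistake is what creates a vulnerability, are illustrated by the following example. It is added here for this edition and is not code from the article or from SecurityInfinity. It builds a constructed in-memory SQLite users table, then compares a login check that concatenates user input into SQL with one that binds the input as a parameter. The function and table names are assumptions chosen for the illustration; the password is stored in plain text only to keep the example short, which real code should never do.

```python
import sqlite3

# Constructed sample data for the illustration: one user, plain-text password.
# Real code stores a salted password hash, never the password itself.
SAMPLE_USERS = [("alice", "correct-horse")]

# Classic injection payload: closes the password literal and appends an
# always-true condition. It travels over HTTPS on port 443 like any login,
# so a network firewall has no reason to block it.
INJECTION_PAYLOAD = "' OR '1'='1"


def build_db():
    """Create an in-memory database with the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Developer mistake: user input is pasted into the SQL text.

    With password = ' OR '1'='1 the WHERE clause becomes
        username = 'alice' AND password = '' OR '1'='1'
    which matches every row, so any attacker is "authenticated".
    """
    query = (
        "SELECT COUNT(*) FROM users "
        "WHERE username = '%s' AND password = '%s'" % (username, password)
    )
    return conn.execute(query).fetchone()[0] > 0


def login_hardened(conn, username, password):
    """Secure coding fix: parameterised query.

    The driver sends the input as data bound to the placeholders, so the
    payload is compared as a literal string and never parsed as SQL.
    """
    row = conn.execute(
        "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] > 0


def demo():
    """Run both checks with a valid credential and with the payload."""
    conn = build_db()
    return {
        "vuln_valid": login_vulnerable(conn, "alice", "correct-horse"),
        "vuln_injected": login_vulnerable(conn, "alice", INJECTION_PAYLOAD),
        "hard_valid": login_hardened(conn, "alice", "correct-horse"),
        "hard_injected": login_hardened(conn, "alice", INJECTION_PAYLOAD),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {'login accepted' if result else 'login rejected'}")
```

Both functions accept the genuine credential; only the concatenating version also accepts the payload. Nothing on the network path distinguishes the two requests, which is why the fix has to be made in the code (and why a penetration tester, not a firewall, is what finds it).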

Athul Jayaram is the founder of SecurityInfinity, a cybersecurity company based in the US. He is the author of the book "How to protect your business online". He is a security expert, security researcher, ethical hacker, entrepreneur, software engineer and ex-Deloitte cyber risk consultant. He is currently a self-employed security researcher, ranked in the top 100 on ethical hacking platforms.
CVE-2019-2706 was issued by Oracle for a critical vulnerability he discovered in middleware used by corporate applications. He has been featured in halls of fame and acknowledged by Google, Microsoft, Sony, Intel, Nokia, Lenovo, Oracle and many others.