Having worked at the sharp end of the cyber security industry for over 20 years, conventional wisdom suggests that we should have learnt lessons and come a long way in protecting our businesses, assets and critical national infrastructure (CNI). The truth is that while we have made great progress, cyber criminals are still one step ahead and too many companies make it easy for them by not doing the basics. This includes patching, multifactor authentication, segmentation, network hardening, and more.
So, while 2021 has been unique and challenging in many ways, it has also been depressingly familiar. Our penetration testing and red teaming exercises discover the same issues and vulnerabilities time after time. Many organisations that are sold a promise and invest hundreds of thousands of pounds in new cyber security technology are often left with a false sense of security. In reality, very few companies enjoy the levels of protection they think they have.
Cyber security has always been and remains a business problem first and foremost, rather than a technology one. It’s about having the security dial in the right place in the context of the business’s needs and risk appetite. To do this, business leaders first need to understand the risks and the value of their data assets to attackers to make informed decisions and justify investment in the right places.
But for many companies, it takes the hardest lesson of all – when they get attacked – to wake up, respond and take action. And it can be drastic. Companies hit by ransomware attacks – whatever their size – face a crisis that can be extremely costly, time-consuming and mentally exhausting.
It’s far better to learn from others and be proactive rather than reactive. And there are positive signs with a move away from the traditional checkbox approach to security to more outcomes-based security. This is where regulators and authorities define the desired outcomes rather than simply prescribing measures to get there.
It’s the difference between being told you need a 6ft fence to being told you need to do whatever it takes to keep people out. This change is being driven by regulator schemes such as CBEST in banking and financial services and similar initiatives in other industries, such as telecoms, aviation and energy.
What other lessons have we learnt in the past 12 months? A life-long lesson is that we know if you give in to bullies, they will keep coming back. The same is true for ransomware criminals. The only way they will stop is to stop paying them and work harder to shut them down. This will need the full support of the industry, governments and law enforcement around the world, but until these things happen, we will face more attacks.
The final lesson learnt is one of history and politics. Having lived and worked through the ups and downs of the global posturing and manoeuvring of nation states, combined with economic, financial and natural forces at play, it is clear that we are facing a period of global instability. And history tells us that this will inevitably manifest itself in increased state-sponsored and criminal cyber attacks.
You could say that in the last 12 months, everything has changed but nothing has changed. But our industry continues to rise to the challenge, despite continued skills shortages and a constantly changing threat landscape. The end-of-year report could read: “Performed well, but still more work to do.”