The cyber attack on TalkTalk last year is estimated to have cost the company around £60m. Despite initial claims that the attack was “sophisticated”, it transpires that it was conducted by children from their homes. Not so much sophisticated as sofa-sticated!
Blaming an attack on very capable and well-resourced attackers tries to convince customers that nothing much could have been done to prevent it from happening – it’s just one of things that you have to accept if you’re going to do business in the cyber world. We disagree – there is much that can be done with a little awareness and application.
Whilst there are always risks in any business, the most likely threats are not, as you may be led to believe, from state-sponsored attackers. They emanate from the exploitation of vulnerabilities that could be easily fixed and are perpetrated by those looking for an easy target with little cost and chance of being caught.
Basic measures can defeat the majority of basic attacks
Cyber security controls don’t need to be complex or cutting-edge to be effective. One of the most powerful measures you can introduce is a robust patching regime so that when security vulnerabilities are announced, action is taken swiftly to apply the appropriate patch. This will protect your business from any malicious code designed to exploit that specific vulnerability.
The Ascentor blog on basic security controls, first published in 2011, is still pertinent. Apply the basic controls and get huge security benefits. It’s hardly rocket science, more like a penetrating glance into the blindingly obvious.
GCHQ’s Ten Steps to Cyber Security has also proved very popular but doesn’t contain any surprises. Despite being issued in 2012, companies are still having websites defaced, being hit with denial of service attacks and having information stolen from under their noses even though we know how to prevent it from happening.
Not learning the lessons of the past
I am constantly amazed that cyber security seems to be a parallel universe where different rules apply. It reminds me of a comment from a well-known cyber security analyst who asked why planes no longer have square windows. The original designers clearly thought square windows were a good, and probably natural, choice but they soon learnt that the corners were a vulnerability – they cracked under the pressure. Ever since, we have had oval windows in our aeroplanes. The designers learnt from their mistakes and no aeroplane designer would ever dream of suggesting square windows again.
The analyst went on to ask when the last successful buffer-overflow attack was. In answer, he looked at his watch! There is one happening every second. This emphasises the point that we are not learning and fixing the vulnerabilities that we know exist.
Cheaper to prevent than fix
As your doctor will tell you, prevention is better than cure – and the same applies in the cyber world. There are many different estimates regarding how much a cyber-attack costs but there is very little information available regarding the return on investment (ROI) for putting cyber controls in place.
Seeking ROI for basic cyber controls is a thing of the past and based on the assumption that you may be investing in controls unnecessarily as you may never get attacked. You almost certainly will.
The truth is that all organisations that make use of digital technology are continually exposed to cyber-attack. How many of these attacks become successful depends on the controls you have in place to prevent them. If you want to continue to do business, then you need to invest in the right tools – and this includes tools to mitigate cyber-attacks.
When to build in cyber controls?
Building security controls into the heart of your projects will save you money by reducing the number of times a cyber-attack is successful. Remember the principles of Total Quality Management and structured software engineering? Defects found early in the process are easier and quicker to fix, and therefore cheaper to fix, than those found later. It’s a process at Ascentor that we call IA Inside – it makes perfect financial and security sense, so why not do the same for cyber controls?
There really is no excuse
If you are doing business in the cyber world today, you need to put basic security measures in place to prevent the most common cyber-attacks. Without them, you will suffer an incident that will damage your business.
You dont want to have to look back with regret and wish that you’d taken some simple steps that would have saved you a lot of disruption and cost.
There are many freely available initiatives that will help you:
- Ascentor’s guide to Cyber Essentials
- GCHQ’s Ten Steps to Cyber Security
- SANS CIS Critical Security Controls
Or download Ascentor’s Board’s Guide to Information Risk.
For further information
If you have found this article interesting, the Ascentor blog regularly carries articles about cyber security and information assurance issues. You might also like to keep in touch with Ascentor by receiving our quarterly newsletter and following us on LinkedIn and Twitter.
If you’d like to discuss how our consultants could advise on any aspect of cyber security, please contact Dave James at Ascentor.