sasi520

A primer on cybersecurity for small and medium sized businesses

This is an excerpt from a presentation on cybersecurity that I gave in July 2024 to a community of entrepreneurs in the SME space in Australia, titled "Cybersecurity for small and medium sized businesses in the age of AI - Risks, Trends and Opportunities".


The ubiquity of the problem and the solution


On Friday 19th July 2024, the world came to a standstill as a 'minor' version update to a dominant (but little known outside the world of cybersecurity) endpoint security product led to a meltdown of Windows-based PCs, servers and cloud infrastructure alike. The lesson learned was less about cyber threat prevention and more about the prevalence of software from a single vendor in this space, and the single point of failure that results from it.


So what is cybersecurity and what can a smaller organisation that may not have a dedicated team looking after this problem do about it?



The size of the problem


From the UK experience in 2023, it is clear that the problem has high penetration across multiple industries, and businesses of all sizes (source: independent.co.uk).


And while the UK has the highest cybercrime density (victims per 1M users), the numbers for the top 10 affected countries are alarming:



Cybercrime, measured as a country, would be the 3rd largest economy in the world.


Why is cybercrime this big?


The Motive


Personal Financial Gain


Cybercrime has become a booming industry, with stolen data and disrupted operations translating to significant financial rewards. Cybercriminals may target individuals for credit card information or banking details, or they may launch large-scale attacks against businesses to steal customer data or extort them with ransomware. This stolen data can be sold on the black market, used for identity theft, or leveraged for fraudulent transactions. Disrupted operations or the threat of blackmail, on the other hand, can force businesses to pay hefty ransoms to regain control of their systems or avoid brand damage.


Industrial and State Espionage


State actors and corporations often engage in cyber espionage to steal sensitive information from competitors or governments. This stolen information can be used to gain a competitive advantage in the marketplace, develop new technologies, or gain insight into political strategies. Targets of such attacks may include intellectual property, confidential business plans, government secrets, and classified military information.


Political Reasons


Hacktivists, individuals or groups who use hacking techniques for political or social activism, may launch cyber attacks to disrupt operations or make a statement. Their targets may range from government websites to financial institutions, and their motives can be anything from protesting perceived injustices to advocating for political change. They may deface websites, launch DDoS attacks to cripple online services, or leak sensitive information to raise awareness for their cause.


Personal Vendetta


Disgruntled employees or individuals with personal vendettas may launch cyber attacks as a form of revenge. They may target former employers, competitors, or individuals they perceive to have wronged them. These attacks can range from simple vandalism to sophisticated data breaches, motivated by anger or a desire to cause harm.


Cyber Terrorism


In extreme cases, cyber attacks may be used as a form of sabotage or warfare. Nation-states may target critical infrastructure, such as power grids, transportation systems, or communication networks, to cripple an enemy’s economy or military capabilities. This can have devastating consequences, causing widespread outages, disrupting essential services, and even leading to loss of life.


The Impact



The variety of victims, the strategies employed, the frequency of attacks and the degree of disruption continue to rise exponentially.


Cyberattacks, like biological viruses, never sleep. The global nature of the source of these threats and the continuous nature of the connectivity of our mobile and computer devices mean that threat actors are constantly scouring the net looking for vulnerabilities. And given the higher payout from malevolent activity over benevolent ones, the result is similar to what we experience from biological viruses.



And when there is a breach in the defences, the threat may lie dormant or invisible for a long time before it is discovered.



Attacks of the ransomware variety are becoming more and more costly, and are projected to scale more than 10x over the next decade.



How an attack works - The Basics


Malware


Malware is the most traditional means of inserting software with malicious intent into a system; its roots can be traced back to the computer viruses of the 1990s. Malicious software, such as viruses, worms, trojan horses and ransomware, can infect devices to steal data, disrupt operations, or hold systems hostage for ransom.


Social Engineering


Exploiting human psychology to manipulate victims into compromising security measures. This can involve impersonating a trusted source, creating a sense of urgency, or leveraging fear tactics. Phishing is a special case of social engineering: deceptive emails or messages that trick victims into revealing personal information or clicking on malicious links that download malware. The evolution of social engineering techniques has coincided with the growth of social media platforms, the increasing ubiquity and connectivity of devices, and social norms within this context that encourage the casual exchange of information.


Denial-of-Service (DoS) Attacks



Overwhelming a target system with traffic, rendering it inaccessible to legitimate users. An amusing (or not so amusing if you are the North Korean Government) example of this was covered in a news story on Wired in 2022, and later on the Pragmatic Engineer Substack. This example demonstrates the ease with which a DDoS attack can be carried out with limited resources, necessitating mitigating architectural patterns.
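One of the simplest architectural patterns that blunts a traffic flood is admission control at the edge: each client gets a small budget of requests that refills at a fixed rate, and anything beyond it is rejected before it reaches the application. The token-bucket limiter below is an added illustration written for this primer, not code from the original presentation or from any product named on the page; the traffic sample (one well-behaved client and one flooding client) is constructed, and the capacity and refill rate are arbitrary values chosen for the demonstration.

```python
import time
from collections import defaultdict


class TokenBucketLimiter:
    """Per-client token bucket.

    Every client starts with `capacity` tokens and earns `rate` tokens per
    second up to that capacity. A request is admitted only if a whole token
    is available, so a short burst is tolerated but a sustained flood is
    rejected cheaply, before it consumes application resources.
    """

    def __init__(self, capacity, rate, clock=time.monotonic):
        self.capacity = float(capacity)
        self.rate = float(rate)
        self.clock = clock          # injectable so the simulation can drive time
        self._tokens = {}           # client_id -> tokens currently available
        self._last = {}             # client_id -> time of last refill calculation

    def allow(self, client_id):
        now = self.clock()
        tokens = self._tokens.get(client_id, self.capacity)
        last = self._last.get(client_id, now)
        # Refill proportionally to elapsed time, never above capacity.
        tokens = min(self.capacity, tokens + (now - last) * self.rate)
        self._last[client_id] = now
        if tokens >= 1.0:
            self._tokens[client_id] = tokens - 1.0
            return True
        self._tokens[client_id] = tokens
        return False


def simulate(requests, capacity=5, rate=1.0):
    """Replay (timestamp, client_id) pairs through the limiter.

    Returns {client_id: (admitted, rejected)} so the effect on each client
    can be compared. Time is driven by the request timestamps, not the wall
    clock, so the run is deterministic and works offline.
    """
    clock_value = [0.0]
    limiter = TokenBucketLimiter(capacity, rate, clock=lambda: clock_value[0])
    stats = defaultdict(lambda: [0, 0])
    for ts, client in sorted(requests):
        clock_value[0] = ts
        if limiter.allow(client):
            stats[client][0] += 1
        else:
            stats[client][1] += 1
    return {client: tuple(counts) for client, counts in stats.items()}


# Constructed traffic sample (not from the page): "normal" sends one request
# per second for ten seconds; "flood" sends fifty requests per second for the
# same ten seconds.
SAMPLE_REQUESTS = (
    [(float(t), "normal") for t in range(10)]
    + [(t / 50.0, "flood") for t in range(500)]
)


if __name__ == "__main__":
    for client, (ok, dropped) in simulate(SAMPLE_REQUESTS).items():
        print(f"{client}: admitted={ok} rejected={dropped}")
```

With a capacity of five tokens refilling at one per second, the well-behaved client is never throttled, while the flooding client gets roughly its initial burst plus one request per second and has the remaining several hundred requests rejected at the edge. In production the same idea is usually applied at a load balancer, reverse proxy or CDN rather than in application code, and the bucket state is kept in a shared store so that every front-end node sees the same budget.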


Man-in-the-middle attacks (MitM)


Intercepting communication between parties to steal data or alter messages.


Zero-day Attacks


Exploiting vulnerabilities in software before a patch is available, making them particularly dangerous.


SQL Injection


Smuggling malicious SQL statements into a database through an application's user input, so that the database executes them and the attacker can steal or manipulate data.
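The defect behind SQL injection, and the standard fix, fit in a few lines. The added example below is mine, not code from the original presentation: it builds a small in-memory SQLite table with constructed customer rows, then runs the same lookup twice, once by pasting the user's input into the query text and once with a parameterised query. The second form is the one to insist on in any application a business commissions or buys.

```python
import sqlite3


def make_db():
    """Constructed sample data, not taken from the page."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, plan TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, plan) VALUES (?, ?)",
        [
            ("alice@example.com", "basic"),
            ("bob@example.com", "premium"),
            ("carol@example.com", "enterprise"),
        ],
    )
    return conn


def lookup_vulnerable(conn, email):
    # The input is spliced into the SQL text, so whatever the user types
    # becomes part of the statement's structure, not just a value.
    query = f"SELECT email, plan FROM customers WHERE email = '{email}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, email):
    # Parameterised query: the driver passes the value separately from the
    # statement, so the input can only ever be compared as a literal string.
    return conn.execute(
        "SELECT email, plan FROM customers WHERE email = ?", (email,)
    ).fetchall()


def demo():
    """Run both lookups with an honest input and with the textbook
    always-true input, and return the four result sets for comparison."""
    conn = make_db()
    honest = "alice@example.com"
    # Closes the string literal and appends a condition that is true for
    # every row; in the vulnerable path this turns a one-row lookup into a
    # dump of the whole table.
    crafted = "' OR '1'='1"
    return {
        "vulnerable_honest": lookup_vulnerable(conn, honest),
        "vulnerable_crafted": lookup_vulnerable(conn, crafted),
        "safe_honest": lookup_safe(conn, honest),
        "safe_crafted": lookup_safe(conn, crafted),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {len(rows)} row(s) -> {rows}")
```

The honest input returns Alice's row in both versions; the crafted input returns every customer from the vulnerable version and nothing from the parameterised one. Practical checks for a small business: ask the vendor or developer whether database access goes through parameterised queries or an ORM throughout, and treat string-built SQL found in a code review as a defect to be fixed rather than a style preference.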



Ransomware Attack


This is less about the method of attack, and more to do with the motive. Once an intruder has gained access to the system using one of the methods described above, the attack takes the form of either:


  1. Encrypting the data and locking all users out of the system, rendering the business unable to serve its customers, and/or

  2. Downloading (stealing) sensitive data from the victim's system.


The victim is then blackmailed into handing over ransom money in exchange for unlocking access to the system, or for the promise of not releasing the sensitive information on the internet, which would destroy trust and brand value.


A third variant is the theft of sensitive, high-value data with the intent of selling it on the web (or dark web).


Cyber Defence


Initial steps


While a more considered plan starting with a cyber risk assessment is recommended for businesses, these simple steps are still the most effective initially to secure endpoint devices (computers and mobile phones).




Budget for a progressive strategy


The percentage of total IT spending on cybersecurity will vary widely due to the following factors:


  • Industry and company size

  • Compliance and other mandates that affect your business

  • The sensitivity of the data you collect, use and share

  • Requests from company stakeholders or customers


Take the average spend over the worldwide business population as a starting point:



For example, if a company pays $3,000 monthly to an IT managed service provider to cover their IT needs, its cybersecurity budget would be about $360 per month. This spend will need to grow over time.



Cybersecurity spending tips:


  • Don't spend all at once - start small

  • Begin with a risk assessment and a few key improvements

  • Get advice from a cybersecurity provider

  • Identify highest priority and low cost action items first

    • Your cybersecurity is an ongoing initiative, not a one-time project

  • Get company leadership on board

    • Given tight budgets, the decision makers need to understand the importance

  • Use the risk assessment to build a business case



Holistic solutions and platforms


The key feature spaces in a holistic solution are:


  • Detect & Prevent

  • Contain & Control

  • Recover & Remediate

  • Analyse & Plan


And in each of these feature spaces, there are dominant players along with many others that provide feature rich products and services:



There is a gap in the market for an affordable, full-featured platform for small and medium sized businesses, and this is the opportunity that my company is developing.


Future prospects for the cyber security industry


Some innovations that present food for thought for the industry include securitisation, advanced simulation and 3rd party integration:


  1. CAT Bonds:- Catastrophe bonds exist today, although not yet widely available in the cyber risk space. This type of bond will provide securitised bond coupons funded by cybersecurity insurance premiums for investors looking for exposure to cyber risk to diversify their portfolios, while providing a mechanism for businesses to transfer that risk away from their operations.

  2. Advanced Simulation:- Advanced capabilities to model business operations and the economic environment will allow firms to project losses for more accurate risk pricing. In conjunction with an integrated framework to model the impact of changes in the control environment to projected losses, firms will be able to set their cyber resilience budget to match risk appetite and core competencies.

  3. 3rd Party Integration:- Cybersecurity platforms will increasingly provide support for integration with multiple 3rd party solutions that specialise in specific capabilities. This will lessen the burden of searching for one platform to rule them all, and instead allow firms the flexibility to architect their cyber defence to match their operational environment.

