Cyber Security: Protect Your "Big Six"
We've coined a term - the "Big Six" - to encapsulate the key areas of your business that must be protected by cyber security. What are the "Big Six", how can they be protected and what happens if all six do not receive protection?
Keep reading to find out...
The Big Six are the six primary business areas that must be protected by cyber security for any business to succeed. They can be considered separately but are inter-related: an attack against one may lead to an attack against another and affect others.
The six areas are:
- Your supply chain
- Your customers
- Your staff
- Your reputation
- Your intellectual property (IP)
- Your profitability
1. Your supply chain
Your supply chain comprises the companies and components that you buy in and use in your own products. In the cyber world, this primarily means software from third parties and services from cloud companies. Attackers seek to compromise your supply chain to gain easy entry into your systems.
Two examples will illustrate. In 2019, SolarWinds was breached, and its Orion IT management software compromised.[i] During 2020, thousands of companies downloaded the software that now contained Sunburst malware.
Back in 2017, the NotPetya outbreak (effectively wiper malware masquerading as ransomware) occurred after Russian hackers compromised the MeDoc accounting software used by about 400,000 customers across Ukraine.[ii]
There are two sides to protecting yourself from supply chain attacks. First, you must monitor and ensure the security of all your suppliers, and exclude those with inadequate security. Second, you must ensure adequate authentication of any third-party authorised to access your systems. A zero-trust approach would be best.[iii]
2. Your customers
You are required by law to protect any personally identifiable information concerning your customers. Failure to do so could lead to the triple whammy of regulatory fines plus reputational damage leading to a fall in profits (three of the Big Six in one).
But it is not a simple problem with a simple solution. You can protect your customers (and yourself from regulatory compliance failings) by encrypting the data. But if you succumb to ransomware and the attacker encrypts the customer data, that encryption is itself treated as a GDPR breach because of the loss of availability. To make matters worse, current ransomware attackers seek to steal the customer data before encrypting files, so they can further extort the victim with threats of sensitive data exposure.
3. Your staff
An irony in modern business is that it is necessary to both protect your staff and protect yourself from your staff. You get both by instilling cyber awareness in your entire workforce and, wherever possible, by removing any chance of them making bad decisions. The latter can be achieved by technology - filtering spam and phishing, sandboxing potentially malicious URLs and blacklisting bad URLs. This is particularly important for remote workers in the emerging home/office hybrid work paradigm.
4. Your reputation
Your reputation needs to be protected at all costs – not just in the quality of your products, but in the safe buying environment you offer your customers. Solid cyber security practices are the foundation.
But most companies will be breached at some point. In many global jurisdictions, you are required by law to disclose breaches – so hoping to protect your reputation by saying nothing simply will not work. What is required is a well-established and tested crisis response plan. Honesty and transparency are urged.
SolarWinds is a good example here too. Although it received reputational damage for the breach, SolarWinds has earned plaudits for its response, which culminated in the publication in October 2021 of a detailed description of new policies and procedures including a blueprint for a more secure supply chain.[iv]
But, as with all the Big Six, there are multiple threats to your reputation and multiple methods of protecting it. Scam, spam and phishing campaigns that leverage your brand will also damage your reputation. Email protection technology such as a combination of Domain-based Message Authentication, Reporting & Conformance (DMARC[v]) and Brand Indicators for Message Identification (BIMI[vi]) will defend your brand from being misused by criminals and thus help protect your reputation.
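As an added example (not code from the original post or from CyberGuard), the following Python checks DMARC and BIMI TXT records for the settings that still leave a brand spoofable and reports whether the BIMI logo would be eligible; the records are constructed sample values for example.com, not real DNS lookups, and the eligibility rule follows the published BIMI requirement of an enforcing DMARC policy.

```python
def parse_tags(record: str) -> dict:
    """Split a 'tag=value; tag=value' TXT record into a dict of lower-cased tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)  # URLs may contain '=', so split once
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_dmarc(record: str) -> list:
    """Return findings describing how the DMARC record still leaves the domain exposed."""
    t = parse_tags(record)
    if t.get("v") != "DMARC1":
        return ["not a DMARC record (v=DMARC1 missing)"]
    findings = []
    policy = t.get("p", "none")
    if policy != "reject":
        findings.append(f"p={policy}: mail that fails DMARC is not rejected")
    pct = t.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: policy applied to only part of failing mail")
    if "rua" not in t:
        findings.append("no rua=: you receive no aggregate reports of domain abuse")
    sub_policy = t.get("sp", policy)  # sp defaults to the organisational policy
    if sub_policy != "reject":
        findings.append(f"sp={sub_policy}: subdomains can still be spoofed")
    return findings

def bimi_eligible(dmarc_record: str, bimi_record: str) -> bool:
    """A BIMI logo is shown only with v=BIMI1, an https logo URL and an enforcing DMARC policy."""
    d, b = parse_tags(dmarc_record), parse_tags(bimi_record)
    enforcing = d.get("p") == "reject" or (
        d.get("p") == "quarantine" and d.get("pct", "100") == "100"
    )
    return b.get("v") == "BIMI1" and b.get("l", "").startswith("https://") and enforcing

# Constructed sample records for example.com (not real DNS data).
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
STRONG_DMARC = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc-reports@example.com"
BIMI = "v=BIMI1; l=https://example.com/brand/logo.svg; a=https://example.com/brand/vmc.pem"

if __name__ == "__main__":
    for label, rec in (("weak", WEAK_DMARC), ("strong", STRONG_DMARC)):
        print(label, assess_dmarc(rec) or ["no gaps found"])
        print("  BIMI logo eligible:", bimi_eligible(rec, BIMI))
```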
5. Your intellectual property
Your IP is what gives you a commercial edge over your competitors. Lose your IP and you lose your advantage. It is therefore a prized target for both local – perhaps less scrupulous – competitors, and foreign governments and firms.
The theft of IP is usually characterised as espionage and is likely to attract the more advanced criminal gangs and nation-state groups. It differs from other criminal attacks by concentrating on stealth. For the ideal theft of IP, the criminal will attempt to breach the target, steal the data and leave without being detected.
Protecting IP starts with secure storage and encryption or tokenisation where possible, but should also include advanced threat detection/hunting capabilities. Deception technology is a new approach to silently hunt the silent intruders. Secret but attractive decoy files and folders are placed within your systems and quietly monitored. If anyone tries to access them, you immediately know you have attackers inside your networks.
To protect your customer information, your intellectual property from criminals and your operating software from ransomware, you should also consider microsegmentation supported by zero trust authentication to stop hackers’ lateral movement and minimise any potential damage. Your IP at the very least should be protected in this way.
6. Your profitability
If you fail to protect the first five of the Big Six, you will undoubtedly damage your profitability. But good cyber security goes beyond protecting profitability – it promotes profitability. Security that uses risk analysis and threat modelling focused on the business processes and purpose becomes a positive rather than negative part of the firm. It turns security from the function that says, ‘No, you can’t do that’, to one that says, ‘Yes, we can do that if we do it this way’.
Failing the Big Six
The Big Six are all interrelated. Failure to protect one area will have knock-on effects against the others, so they all need to be protected both individually and in harmony. A successful ransomware attack will illustrate this interdependency and also highlight the urgency. Ransomware attacks are increasing. It is estimated that one occurs somewhere every 11 seconds[vii]. You should assume that one is coming.
The attack could come via your supply chain, from a customer with weak or stolen credentials, or from your own staff opening a malicious attachment or visiting a compromised website. If you assume that sooner or later you will be breached (probably an accurate assumption), your response to the attack becomes imperative. If you have protected your customer data and intellectual property with encryption, and with zero trust microsegmentation, you will contain the attacker before serious damage can be done. If you are monitoring your network flows with AI-backed threat hunting/anomaly detection, you will understand the attack and be able to stop it and expel the attacker. If you can do all this, you will stay safe and maintain profitability.
But if you fail… The attacker gets into your network. He quietly surveys the scene and learns where his target is located and how to get there. He steals and exfiltrates your customer data. He steals and exfiltrates your IP. Then he encrypts enough of your system to make it unusable and demands a ransom for a decryption release key. If you pay the ransom, you may or may not get the decryption key. If you get the decryption key, it may or may not work. And the attacker still has your customer data and IP.
You will need to pay for forensic specialists to find out how the attacker got into your systems and to ensure he is not silently remaining there. You will need to take time to recover and rebuild your systems. You will need to contact every customer who has had personal data stolen and potentially offer free credit monitoring. If your IP has been stolen, you need to be ready for competitive products or plans. You will need help with legal fees and a crisis management company to help protect what remains of your reputation. You must brace yourself for the possibility of regulatory fines for not adequately protecting personal data – and you must accept that your profitability will be severely damaged.
At this point, it is worth noting the conclusion of a Dimensional Research study published in October 2021: “83% of companies suffer crippling business damage if they are down for 24 hours.”[viii] A successful ransomware attack will take you down for much longer than 24 hours.
Protecting the Big Six is a Big Ask – especially for SMBs. The cost of the required security tools, the effort required for user awareness training, the complexity of understanding and implementing risk-based threat modelling, and the almost impossible task of finding and affording staff able to implement and run the systems makes it very difficult.
There is, however, a ready-made solution – the use of a managed security service provider (MSSP). MSSPs, such as CyberGuard Technologies, already have expert staff and a detailed knowledge of the best security products and security policies. They understand the threat of ransomware and supply chains, and the requirements of regulatory compliance. A good MSSP will quickly understand the business priorities of your firm and, through risk analysis, ensure that your security posture both defends and promotes your business.
An MSSP can provide protection for your Big Six faster, more efficiently and at a lower cost than an SMB can do alone.
Get your Big Six protected by CyberGuard
Start the conversation about the best ways to protect your Big Six by dropping us a line with your contact details. One of our friendly, knowledgeable team will be in touch right away.