Prioritising cyber security: What was secure yesterday may not be secure today

Tim Rawlins

Senior Advisor to NCC Group

After 18 months of uncertainty and change, many business leaders are taking stock, looking back at lessons learnt and making plans for the future. Whether you are accelerating digital transformation strategies or aiming for a return to business as normal, cyber security should be your priority.

Pay off cyber debt

Indeed, some businesses will find they have a cyber debt that needs paying back before they can really maximise their potential going forward. Cyber debt, or security debt, is the accumulation of unaddressed vulnerabilities over time; it weakens both the ability to withstand attacks and operational resilience. It accrues when IT teams have other things that need their attention – the sudden shift to remote working during the pandemic, for instance – and as a result of skills gaps and cost-cutting measures.
Having fewer security experts, with less time to focus on everyday risk monitoring, can create a backlog. Some of our customers tell us that they run security scans simply in order to meet compliance obligations, but don’t look at the results; they don’t have the resources or skillset. Others come to us when they’ve identified an attack, but don’t know when it happened. 
That cyber debt builds up and, just like borrowing on a credit card, it has to be paid back some time – and it’s better to clear the balance regularly rather than just chipping away at the interest. Businesses that wipe the slate clean of cyber debt are more able to come through attacks thriving.

Get to know your IT estate – and its worth

In challenging financial periods it’s important to quantify the return on investment for cyber security. Look at how you measure ROI in other parts of your organisation and benchmark yourself against your peers and competitors – are they spending more, do they have more debt? It’s not an exact science, but blending qualitative and quantitative data can give you the figures you need. The key element is complete knowledge of your estate: what is its extent, what are your main priorities, and which part would cause the biggest problem if compromised – what are your business’s crown jewels?
Recently we discovered a legacy system on the network of one of our clients, a council in the UK: a laptop running Windows 7 (released in 2009, with support from Microsoft ending in January 2020). No-one knew it existed, it wasn’t on any equipment lists, but we tracked it down to the Facilities team and found it was being used to create ID cards. Lacking full knowledge of their estate had left the organisation vulnerable. 
When building cyber security into business continuity plans you should assume two things. Firstly, that you will be hacked at some point, even if you are a very small organisation. Secondly, that the risks are changing all the time. The bad guys are always active and what was secure yesterday may not be secure today. Your approach should be just as dynamic, with the aim of reducing that risk all the time. Apply a risk lens and work out how you’d deliver if your security were breached.

Implement key security steps

So how can businesses protect themselves? Firstly, implement robust authentication methods across the entire estate to stop commoditised attacks. Then, look at your back-ups and where your business’s essential data is stored. Make sure you have offline copies; automatic online back-up is convenient, but an attacker who has compromised your network can reach it too. Cloud storage essentially parks your data on someone else’s computer, but that doesn’t shift the responsibility for its security.
Next, look at your supply chain. We learnt during the pandemic that just-in-time delivery depends on very long supply chains which, if broken, leave businesses vulnerable. It’s the same with software, so make sure you can rely on each supplier. Finally, be prepared. Map your estate and continue monitoring it so you know if and when vulnerabilities emerge and hacks occur. Consider a discovery service and regular vulnerability assessments by an expert third party if you lack the resources or skillset in house. The bad guys are always working, but so are the good ones. 
It’s also important to ensure secure processes are in place to manage the addition of a new solution, such as devices for print and document management, to your existing infrastructure. IT systems are changing constantly, as new assets are connected to the network and new software patches are introduced, so implementation should include a vulnerability assessment to ensure you don’t leave yourself exposed to any malicious agents.
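The Windows 7 laptop that was missing from the equipment list, and the advice above to map your estate and keep monitoring it, both come down to the same routine check: reconcile what is actually seen on the network against what the asset register says should be there, and flag anything running software the vendor no longer supports. The following is an added illustration, not code from NCC Group or from the original article. The discovered hosts, the asset register, the MAC addresses and the owner names are constructed sample data; the Windows 7 support date is the one the article cites, and the Windows 10 date is Microsoft's published end-of-support date for that product, included as reference data for the example.

```python
"""Reconcile network-discovered hosts against the asset register.

Added example (not the article's own code). All hosts, MACs and owners below
are constructed sample data; replace them with a real discovery export and
your equipment list.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Host:
    hostname: str
    mac: str
    os_name: str
    owner: Optional[str] = None  # None when nobody has claimed the device


# Vendor end-of-support dates. Windows 7: January 2020 (as the article notes);
# Windows 10: 14 October 2025 (Microsoft's published date). Extend as needed.
END_OF_SUPPORT: Dict[str, date] = {
    "Windows 7": date(2020, 1, 14),
    "Windows 10": date(2025, 10, 14),
}

# Constructed discovery output, as a network discovery scan might report it.
DISCOVERED: List[Host] = [
    Host("fin-ws-01", "00:11:22:33:44:01", "Windows 10"),
    Host("hr-ws-02", "00:11:22:33:44:02", "Windows 10"),
    Host("idcard-laptop", "00:11:22:33:44:03", "Windows 7"),   # nobody listed it
    Host("mfp-3f", "00:11:22:33:44:04", "unknown"),             # printer, OS not fingerprinted
]

# Constructed equipment list (asset register), keyed by MAC address.
ASSET_REGISTER: Dict[str, Host] = {
    "00:11:22:33:44:01": Host("fin-ws-01", "00:11:22:33:44:01", "Windows 10", owner="Finance"),
    "00:11:22:33:44:02": Host("hr-ws-02", "00:11:22:33:44:02", "Windows 10", owner="HR"),
    "00:11:22:33:44:04": Host("mfp-3f", "00:11:22:33:44:04", "unknown", owner="Facilities"),
}


def reconcile(
    discovered: List[Host],
    register: Dict[str, Host],
    end_of_support: Dict[str, date],
    as_of: date,
) -> Tuple[List[str], List[str]]:
    """Return (unregistered, unsupported) hostnames.

    unregistered: seen on the network but absent from the register, i.e.
                  the "no-one knew it existed" case.
    unsupported:  OS whose vendor support ended before `as_of`. An OS the
                  support table does not know is also reported, because an
                  unidentified device is a gap in estate knowledge, not a pass.
    """
    unregistered: List[str] = []
    unsupported: List[str] = []
    for host in discovered:
        if host.mac not in register:
            unregistered.append(host.hostname)
        eos = end_of_support.get(host.os_name)
        if eos is None or eos < as_of:
            unsupported.append(host.hostname)
    return sorted(unregistered), sorted(unsupported)


def report(as_of: date) -> str:
    """Human-readable summary for the two finding types."""
    unregistered, unsupported = reconcile(DISCOVERED, ASSET_REGISTER, END_OF_SUPPORT, as_of)
    lines = [f"Estate reconciliation as of {as_of.isoformat()}"]
    lines.append("Not on the asset register: " + (", ".join(unregistered) or "none"))
    lines.append("Unsupported or unidentified OS: " + (", ".join(unsupported) or "none"))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(date.today()))
```

Running the check on a schedule, rather than once, is what turns it into the continuous monitoring the article asks for: the same device that passes today fails the moment its vendor support date goes by, which is exactly the "secure yesterday, not secure today" point.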

Focus on long-term security

The pandemic has switched on or stepped up digital transformation for many organisations. Many have adopted a hybrid working model, where people work across locations including from home and the company office. Others have shifted to the cloud, not only to facilitate remote working but to simplify data storage and access. 
Security will not just support these, and other, digital transformation strategies, but enable them. Understand your current position and decide where you want to go. Build security into your timeline and budget from day one and make it an ongoing priority.
Threats change every day, especially during unprecedented global events. This means cyber security isn’t a one-off investment or a nice-to-have: it’s an integral part of strategy for successful businesses – more so now than ever before.