In late August, the UK government introduced new cybersecurity rules aimed at protecting telecommunication networks against cyber attacks. The rules, which allow the government to boost the security standards of the UK’s mobile and broadband networks, come at a time when attacks on critical infrastructure are becoming more frequent and more dangerous.
Earlier this year, for example, Costa Rica was thrown into crisis after a ransomware attack affected 30 government institutions, including critical ministries and its social security fund. The group behind the attack, known as Conti, threatened to overthrow the government unless the US$10 million ransom was paid. With the help of international partners – including the United States, Israel, Spain, and Microsoft – it was able to get all its systems back online, but it took weeks. Montenegro, meanwhile, also saw critical digital infrastructure crippled following a cyber attack blamed on state-sponsored actors. The attack effectively sent some government departments back to the analogue era and was still being wrestled with more than three weeks after it was first detected.
While the new UK government rules may provide a little extra protection against such attacks, they don’t mean that private businesses should take their foot off the pedal. Far from it. Instead, they should redouble their efforts and ensure that they have sound vulnerability management practices in place. In particular, they need to focus on ensuring that their business-critical applications are as well-protected as possible.
Costly, crippling breaches
Before digging into what those practices should ideally look like, it’s worth emphasising just how big an impact a cyber attack can have on a business.
Today, the average cost of a data breach in the UK is US$4.35 million, up 12% from US$3.86 million in 2020. But fiduciary costs aren’t the only ones that organisations have to deal with when it comes to breaches. They can also cause serious reputational damage, wording customer trust in the organisation.
Perhaps most worrying, however, is what happens when an organisation’s business-critical applications get hit. In those instances, a business might find itself unable to operate at all. That’s especially concerning when you bear in mind that many business-critical applications contain major, undetected vulnerabilities. Most of these applications come from third-party software as a service (SaaS) providers, increasing an organisation’s exposure and expanding its attack surface. The profound impact this has had can be seen in a 2021 report, which found that 70% of organisations’ application portfolios had become more vulnerable in the previous year.
It’s clear then that organisations need to go above and beyond the defence-in-depth security model on which they’ve traditionally relied.
Vulnerability management becomes critical
While it’s still absolutely critical that organisations practice defence-in-depth, it’s also important that they engage in thorough vulnerability management.
Vulnerability management is a continuous cybersecurity process that includes identifying, evaluating, treating, and reporting software and network vulnerabilities. Properly monitoring and responding to pressing, complex issues are essential components of vulnerability management and information security as a whole. The best place to start when it comes to vulnerability management is being able to identify and address known vulnerabilities. Cybercriminals are constantly looking for ways into an organisation and failing to address vulnerabilities is tantamount to leaving a door or window open for them.
Once a vulnerability is identified it’s also critical that organisations build and release patches as quickly as possible. In an ideal world, that would be a given but it’s not. Research shows that as many as 87% of enterprises have experienced an attempted exploit of an existing or known vulnerability. Here, technology can help too. A good vulnerability management system can help organisations automatically identify missing patches, hidden assets, misconfigurations, and authorisation issues within their IT ecosystem.
The right response plan
Even with all those defences in place, however, no organisation can guarantee that it won’t fall victim to cybercrime. As such, they should also have a comprehensive incident response plan in place.
This plan should place special emphasis on attacks against business-critical applications. As such, the organisation should also have a full overview of the IT landscape and that it has a complete record of all applications, users, and data that exist within. The organisation should additionally play out “what if” scenarios that prepare IT teams for as many kinds of attacks as possible. In this area, documented playbooks can be very helpful to react appropriately to certain expected scenarios.
No resting on laurels
It should be clear then that organisations cannot trust that improved cybersecurity rules and regulations will keep them safe. Instead, they need to take them as a clear signal that the threat landscape is evolving rapidly and that they need to bolster their own defences and response plans.
Because if cybercriminals are able to cripple entire countries, there’s nothing stopping them from doing the same to organisations of all sizes.