There’s good news and there’s bad news. You want the bad news first, I expect: we’re not winning the war against cyber criminals.
Global organisations and even tiny one-person businesses are buying cyber security solutions and yet cybercrime is still raking in the equivalent of trillions of US dollars. Some estimate that criminal hackers will cost the legitimate world as much as $10tn a year, within the next few years.
This puts into perspective the otherwise impressive amounts businesses are supposedly spending on cyber security. Headlines report that the cyber security industry, the companies that produce products to save us, will be worth one quarter of a trillion US dollars in around four years.
Even if these numbers are overstated by a factor of ten, we’re still looking at defensive spending of $25 billion and losses to crime of $1 trillion. That’s a forty to one disparity. If this is the arms race that some analysts talk about, then there’s a clear leader. And it’s not the good guys.
And there’s more bad news…
Cyber safety is not all about buying products: careful, intelligent planning can go a long way to protecting organisations. Unfortunately, the bad news continues. Large percentages of companies in the western world simply aren’t paying attention to the cybercrime threat. It’s probably safe to assume the same or worse for less well-resourced countries.
This situation is nearly unbelievable. We live in a world where not a month passes without a major organisation suffering public humiliation and probably vast losses at the hands of ransomware gangs. In the space of a few days in January, the UK’s postal service suffered a ransomware attack that prevented it from sending parcels overseas. A major Norwegian shipping company lost communication with 1,000 container ships. And Taco Bell shut down systems (and a load of restaurants) following a ransomware attack. These aren’t isolated incidents. Just the very latest ones in a regular roll call of similar events.
So the bad news, in short, is that despite some companies spending huge amounts on security, too few are paying proper attention.
Turning bad into good
In a way, though, that’s the good news too. We can fix how much attention companies are paying. If you’re not yet prepared, it shouldn’t be too hard to improve and rise above the average. If 25-50% of organisations have a cyber security plan, there’s plenty of scope for improvement.
You want more good news? Planning doesn’t have to be rocket science. Even a basic plan is better than nothing.
Hackers, for it is they who are responsible for 50% of breaches today, generally follow the same process of reconnaissance, initial access, establishing a persistent foothold and then movement through the target network with the ultimate goal of stealing or damaging data (or both).
This is not news. Or if it is, it’s once again good news. It means that the hacker playbook has remained stable over the past few decades. Readers of the original and popular Hacking Exposed books, which started to appear in 1999, won’t be shocked to hear that the NSA followed exactly the same general processes for breaching systems. And it is how hackers work today. If we know what to expect, we can plan for it.
The ransomware question
I’d like to say that the move to using ransomware as a payload is relatively new but encrypting malware has been with us since the late 1980s. In some respects, ransomware has existed for 30 years. But it hit the mainstream consciousness about ten years ago and today it’s just another piece of malware released onto compromised systems. A particularly impactful type of malware, but still just code you don’t want to run on your network.
Companies that exercise good cyber hygiene are much more resilient to ransomware attacks than those who pay a bit for cyber security solutions and spend the next 364 days of the year thinking about something else.
Attackers might use basic techniques to hack into businesses, but they only do that because they don’t need to be more advanced. They are not stupid and learn constantly. As we improve our planning and shore up our defences, they will exercise greater ingenuity.
At a bare minimum, targets should make them work for their money and try not to be in the 50% of clueless organisations that are easy to breach. There is so much room for improvement. At the moment it feels less like an arms race between equals and more like bewildered sheep wandering into an abattoir.
Simon is founder and CEO of SE Labs. SE Labs aims to improve information technology security by assessing products and services designed to detect attacks, protect against intrusions or both. Sign up to its monthly newsletter and listen to its award-winning podcast, DE:CODED.