Ransomware is not going away. According to Statista, 37% of organisations, globally, became a victim to a ransomware attack in 2021, and 68.5% were victimised by ransomware – an increase on the previous three years. It has also evolved. Ransomware-as-a-Service (RaaS) has become increasingly prevalent as attackers use pre-set code to gain access to infrastructure and reshape attack efficacy; and there have been more than 130 different types of ransomware discovered in the market since 2020. Companies now must find intelligent ways of reducing digital footprints across cybersecurity quicksand to ensure their environments are secure. According to Jayson O’Reilly at Atvance Intellect, the challenge is to embed simplicity into robust cyber resilience strategies so companies can effectively operationalise and measure their security postures and approaches.
“Doing the work has become harder as more departments, more infrastructure, more third parties and more silos are introduced all in the name of business transformation,” he adds. “Cybersecurity basics aren’t being practiced and this is causing breaches across the public and private sector. The perception created is that it’s complicated, convoluted, and often pointless – risk enters the organisation despite robust systems and endless training.” In many cases simple processes can be implemented to defend against entities against the most complex of cyber-attack.
To overcome this perception – a critical move in a world mired in security threats that are simply not going to stop because the business has given up – there are key steps that companies can follow to mitigate risk, enhance posture, and stay ahead of the threats.
“The first step is to ask how to enable the business through cyber-resilience risk strategies,” says O’Reilly. “How can cyber resilience become a priority for the business? How can cyber resilience become a critical business enabler? Because the business doesn’t talk in ones and zeroes, it talks in solutions and strategies and in tangible realities. If the business cannot see the problem or quantify the challenge it cannot solve it.”
If the business doesn’t know what the problem is, or how to protect against it, then it won’t take the required actions to protect data and systems from attack. So, cyber resilience needs to stand beside strategy within the boardroom to ensure that the entire risk conversation takes place using language that decision makers understand. Language that underscores the importance of a healthy security stance within the framework of strategy, sustainability and success.
“There are so many more moving parts than ever before,” adds O’Reilly. “We’ve worked from home, we’re moving back into the office, or we’re taking on a hybrid approach. And every one of these working frameworks introduces its own set of risks. Now, both the employee and the business are trying to fight against automated attacks and syndication and the commercialisation of cybercrime. However, this doesn’t mean that the end-user must shoulder the cybercrime burden, it means that companies need to adopt a more integrated approach.” Embedding prevention is core to the success of the overall cyber resilience business strategy.
“Companies are forgetting to test or run simulations against their systems. They’re not running disarmament, demobilisation and reintegration (DDR) programmes, they’re not checking their backups, and they’re not testing that their security processes and systems work,” says O’Reilly. “Companies can go down for weeks at a time. Critical services like power and water can go down for weeks at a time. And the question is – why did these companies not simulate attacks in their environments so they can adopt an offensive strategy. There are so many moving parts, they have to be well oiled and prepared to ensure they work cohesively.”
Often, companies spend more on technologies that cost fortunes than on the basics that embed those solutions into the fabric of the organisation. The money falls down a black hole, and security is left full of holes. To overcome these legacy challenges, companies need to create a cyber-resilience plan that has clearly mandated policies, that is compliant, and that is, most of all, simple. If it’s easy to understand, implement, use and teach, then it’s got a far greater chance of gaining traction within the organisation.
“Cyber-resilience doesn’t have to be complicated, just start with the plan and have it run for six months,” concludes O’Reilly. “You want to ensure your business can be resilient against a ransomware attack and that the right people within the organisation understand the threats. Then, measure the plan and simulate against it to ensure that it catches all the gaps and fills all the holes. By putting every person on the same simple page from the outset, the business is leagues ahead of the rest when it comes to resilient security.”
Jayson O’Reilly
