We use cookies to ensure our website operates correctly and to monitor visits to our site. This helps us to improve the way our website works, ensuring that users easily find what they are looking for. To allow us to keep doing this, click 'Accept All Cookies'. Alternatively, you can personalise your cookie settings.

Accept All Cookies Personalise settings

Blogs

No Excuse for Failure: Why the pandemic can't be the reason you have a security breach

15/03/2021

James Mason – Enterprise Cyber

Regardless of size and sector, all organisations share similar objectives when considering their cyber security posture and maturity in relation to business risk.

  • Reduce the chance of breaches/incidents.
  • Avoid that “really bad day”.
  • Keep intellectual property, systems and data secure.
  • Reduce the risk of reputational damage, possible financial loss, loss of business and likely associated fines.
  • Promote a secure organisation to both their staff and their customers.
  • Help bring growth as a trusted organisation to work with.

Whether you work in a top tier bank, a small business or government department, many of these will resonate.

I’ve been working across the spectrum of organisation size, from FTSE 100 companies to 10-person Investment Management firms, for a number of years. I’ve seen information security approaches evolve and shift over this time, generally for the better. The current pandemic has driven significant change as organisations have adapted to new ways of working.

QinetiQ’s Security Health Check (SHC) team have continued to perform security testing for our customers during the current crisis. Fortunately, many of our clients are very mature in their approach to security, as you would expect in critical sectors such as finance, legal, critical national infrastructure, defence and government. Once most organisations were up and running with new ways of working, testing schedules had often suffered disruption. We helped clients get back on track where they had experienced delays using a flexible and collaborative partnership approach. We rapidly adapted our technical delivery methods with some clients too as mentioned in our previous blog (Testing during COVID-19 and beyond blog link).

On the flip side, I’ve also worked with companies who have really struggled as a consequence of the enforced changes where furloughing, redundancies and major budget cuts caused severe delays to their security testing. Of course, all of these issues are more pressing, but some clients who have an annual security assessment are now a year overdue. This means that it has now been two years since some organisations had their last independent security assessment. This is not a good place to be, and I’ve received comments from senior, board-level managers such as:

“How can we be seen to be spending money on security testing when 50% of our staff are furloughed?”

“If we accept this risk and suffer a breach, the pandemic will be our justification.”

Challenges and ways of thinking like this are understandable during such an unprecedented time. I’m pleased to say that after further discussions, to the point of lively debates, many clients have changed their position.

Whilst such problems are very real, they illustrate a new level of risk acceptance that will quickly turn into a matter of when their organisation gets breached, not if.  This is obviously a very dangerous phase to be at for any business, (especially now 12+ months through COVID) for their own staff and customers and especially their senior management – CISO, CEO, etc.

Prior to COVID I’ve also been met with statements from smaller businesses that:

“We’re too small to be a target ourselves.”

“We have very little budget for security testing”

“Our internet presence/functionality is so minimal, that our risk is really low.”

So how did QinetiQ help these clients rapidly increase their security postures and digital resilience?

An interesting engagement springs to mind with a London-based investment management firm. Their CISO fed back the 3x above statements during a face to face meeting and he mentioned that “It’s the top tier banks who are the targets.”

We then covered things such as how interesting their website, which proudly states they “manage billions of dollars on behalf of their clients” would be to a real-world attacker and how that sentence alone could make them a risk. We also covered the ever-increasing supply chain attacks, where attackers target smaller organisations as a direct and trusted route into larger organisations such as top tier banks with the aim of bypassing their high levels of security.

Finally this organisation only had approximately 10 members of staff with little internet presence or functionality so, with such a small footprint, the CISO felt comfortably in control of his staff and environment , even though they carried the same key risks as a much larger organisation. It also transpired that due to these beliefs there had been very little in the way of independent security testing – a precarious position for an organisation that manages billions of dollars of investor’s money.

While working closely with the CISO it became apparent that not all of our services would be relevant at this stage and wouldn’t provide value for money for such an organisation. A remote breach would be the most likely based on the size of the organisation so we mutually agreed that a Cyber Intrusion Exercise (CIE) would be the preferred approach.The CIE would simulate the most likely remote attack methods, evidencing and demonstrating what the organisations “really bad day” could actually look like and what could actually be achieved.

The Cyber Intrusion Exercise is delivered quickly and efficiently at the cost of a medium sized pen test over 3 main phases:

  • Internet based assessment (the organisations online presence and footprint).
  • Stand-off simulated attacks.
  • Onsite and egress assessment.

The exercise gave the senior management, board and investors a clear end to end narrative of what could realistically be achieved by a real-world nefarious, threat actor.  This was very impactful for a company that had been comfortable with their approach and their perceived level of security posture.

At QinetiQ, we are not in the habit of just delivering bad news and full technical reports. Our reports contain what we looked at, how we did it, the criticality ratings, the exploits that were successful, ease of exploits, the list goes on. Recommendations are also provided that can be quickly actioned, significantly improving the security posture from a single CIE engagement. The feedback was that, as well as an educational piece, the client felt they had received great value for money and an (evidence based) higher level of assurance that they simply hadn’t received before.

Whereas the main example here is for a very small organisation, CIE’s also provide value to much larger organisations too by giving the more holistic view and with remediation potentially rolled out company-wide, which can increase security postures globally.

Another key difference with this type of engagement is we find that when we run a future CIE, the improvements are very evident on the next engagement.  We also work with clients who proactively run CIE’s alongside their annual mandated penetration test. This approach provides much more resilient organisations which may make an attacker move on to their next, easier target…

If any of this blog resonates please don’t hesitate to contact us today and join us for our webinar “How to fast-track your enterprises’ cyber resilience smartly and on a budget” on Friday 26th March @ 11am, register here.