Paradyn’s methodology uses a traffic-light system to explain to the business how vulnerable it is to cyber attacks
Organisations today are increasingly aware of the threat from cyber criminals. How they respond to it, however, is changing, with a growing emphasis on risk management.
As IT has grown to become central to the operations of every organisation, a threat has grown with it: not only are cyber attacks increasingly common, but in today’s hyper-connected world the consequences of a successful one are worse than ever. In response to this, ever more sophisticated security solutions are being deployed, including the use of active threat hunting and artificial intelligence.
Beyond the technology there has also been a wider transformation. Increasingly businesses are looking to assess their readiness from the perspective of managing risk – and turning to specialist managed service providers to assess the risks to which they are exposed in order to prepare for them.
Of course, risk cannot be measured if the IT estate itself is not understood, so making sense of what systems an organisation uses is an essential first step.
“What we do is gap analysis, CIS and NIST, analysing the business from an IT perspective,” Fergal Meehan, head of government relations at managed security specialists Paradyn, said.
Paradyn’s methodology uses a traffic-light system to explain to the business how vulnerable it is, and where its weaknesses lie.
“If there’s something like a phone system, for instance, it will be a red, amber or green, and we then ascertain what the risk is to the business if it is amber or red. That’s very important for explaining it to management,” he said.
Working with public sector clients, Meehan found these organisations were leaning more than ever into taking security seriously and were now ahead of some areas of the private sector.
“Procurement can be an issue. Public bodies tend to know what they want, but the procurement process can be difficult,” he said.
“Certainly, we’ve seen a lot of growth in awareness of security.”
First and last line of defence
With IT security, the mantra has long been that attacks are not so much a case of ‘if’ as of ‘when’. With that in mind, information security itself, important as it is, is not the only method of managing and mitigating risk.
Meehan said that alongside traditional security measures, any serious risk mitigation strategy will take backups very seriously indeed, as getting an organisation back up and running after a problem or breach is one of the most crucial tasks.
“A lot of the time it comes down to backups. You can have all of the systems and hardware in place, but at the end of the day the key defence is the backup,” he said.
This does not mean that security is less important, and Meehan advocates a ‘zero trust’ model that starts at the device. It is a case of acknowledging the reality of the growing threat and ever-widening attack surface.
“There is no such thing as being risk free, so what’s the next best thing? Well, to have good, good backups. Ransomware is one of the best-known threats
Backups themselves can be, and often are, a target too, and so they need to be unalterable. If they are not, then attackers can encrypt them, meaning a business will not be able to get up and running again after an attack.
“[We do] off-site backups, which links into the space around disaster recovery. We airgap the backups, creating immutability. This means you have a read-only version of the backups, so they themselves are protected from the threat of ransomware,” he said.
Working with a managed service provider, businesses can set recovery time objectives and recovery point objectives, as well as a comprehensive service level agreement. After this, however, they should not just sit back and relax. In order to ensure that they actually work when they are called upon, backups need to be tested.
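The checks a restore test should record, as an added illustration that is not Paradyn's code or methodology: it verifies stored copies against the hashes recorded in a manifest (the property an immutable, read-only copy is meant to guarantee), checks the newest usable copy against a recovery point objective, checks the measured restore time against a recovery time objective, and maps the outcome onto a red/amber/green rating in the spirit of the traffic-light approach described above. The RPO and RTO figures, the backup catalogue and the rating rules are all constructed assumptions.

```python
"""Restore-test harness (added example, constructed data; not Paradyn's code)."""
import hashlib
from datetime import datetime, timedelta, timezone

# Hypothetical targets of the kind agreed in a service level agreement.
RPO = timedelta(hours=4)   # recovery point objective: maximum tolerable data loss
RTO = timedelta(hours=2)   # recovery time objective: maximum tolerable downtime

# Constructed reference time so the example is deterministic.
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_store():
    """Constructed backup store: the blobs as written, plus the manifest
    (id, time taken, hash) that the read-only off-site copy would hold."""
    blobs = {
        "full-0430": b"full backup, 2024-04-30 22:00",
        "incr-0501-0600": b"incremental, 2024-05-01 06:00",
        "incr-0501-1000": b"incremental, 2024-05-01 10:00",
    }
    manifest = [
        {"id": "full-0430", "taken": NOW - timedelta(hours=14),
         "sha256": sha256(blobs["full-0430"])},
        {"id": "incr-0501-0600", "taken": NOW - timedelta(hours=6),
         "sha256": sha256(blobs["incr-0501-0600"])},
        {"id": "incr-0501-1000", "taken": NOW - timedelta(hours=2),
         "sha256": sha256(blobs["incr-0501-1000"])},
    ]
    return blobs, manifest


def corrupt_copies(blobs, manifest):
    """Ids whose stored bytes no longer match the manifest. On a genuinely
    immutable copy this list is always empty; a non-empty list means the
    copy was writable and has been altered since it was taken."""
    return [e["id"] for e in manifest
            if sha256(blobs.get(e["id"], b"")) != e["sha256"]]


def latest_usable(manifest, corrupt):
    """Newest manifest entry whose copy still verifies, or None."""
    usable = [e for e in manifest if e["id"] not in corrupt]
    return max(usable, key=lambda e: e["taken"]) if usable else None


def restore_test(blobs, manifest, restore_minutes, now=NOW):
    """Run the checks a restore test should record and rate the result.
    restore_minutes is the measured wall-clock time of the test restore."""
    corrupt = corrupt_copies(blobs, manifest)
    newest = latest_usable(manifest, corrupt)
    rpo_ok = newest is not None and now - newest["taken"] <= RPO
    rto_ok = timedelta(minutes=restore_minutes) <= RTO
    if newest is None:
        rag = "red"      # nothing verifiable to restore from
    elif corrupt or not rpo_ok or not rto_ok:
        rag = "amber"    # recoverable, but a target was missed or a copy was altered
    else:
        rag = "green"
    return {"corrupt": corrupt, "rpo_met": rpo_ok, "rto_met": rto_ok, "rag": rag}


if __name__ == "__main__":
    blobs, manifest = build_store()
    print(restore_test(blobs, manifest, restore_minutes=90))
    # Constructed failure case: a writable copy altered after the manifest was
    # recorded, which is what an air-gapped, read-only copy is meant to prevent.
    tampered = dict(blobs)
    tampered["incr-0501-1000"] = b"contents no longer match the manifest"
    print(restore_test(tampered, manifest, restore_minutes=90))
```

The amber outcome in the second run is the point of routine testing: the most recent copy fails verification, so the newest usable one is six hours old and the four-hour RPO is missed, a fact that only a test, not the mere existence of the backup job, would surface.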
“It’s important that you do your tests, and if you don’t have the expertise in house your service provider can do it for you. You do get customers who prefer to do it themselves as it means they don’t have their eggs in one basket: they have the backup as a managed service but they do their own testing in-house,” Meehan said.
Of course, one reason to have a managed service provider perform regular testing might be because an organisation has no internal IT team. Another, however, might be that the IT team is already overworked just keeping the lights on, and this is precisely when the risk of a breach will be at its highest.
“Even those that have IT departments are so stretched these days, particularly with cybersecurity,” Meehan said.