In March 202, AI caught a sophisticated, highly targeted cyber-attack exploiting a zero-day vulnerability across multiple businesses. The attack was detected, investigated, and contained by the AI, and the system worked out that it was a completely novel threat. Two weeks later, this campaign was publicly attributed to a Chinese nation-state actor known as APT41. The organizations threatened by the attack included government entities, critical infrastructure, and large enterprises, but also, surprisingly, midsize businesses.
We have entered a new era of cyber threat. If it were measured as a country, cybercrime would be the world’s third-largest economy after the U.S. and China. Midsize businesses are often considered a soft underbelly for cybercriminals. A common misconception exists among cybercriminals that midsize businesses do too little to strengthen their cybersecurity, which makes them an appealing target. As in the case of APT41, they are often targeted as a thoroughfare to higher-value targets, critical systems, and highly classified information. Most are planning to make, or have already begun making, the sweeping, technology-driven organizational changes that define a digital transformation, and a growing majority say these adjustments will soon be essential to their competitiveness.
But the cyber challenge faced by midsize businesses is multi-faceted. They are indeed under-resourced and are particularly affected by a global cyber-skills shortage. Small, or non-existent, security teams are tasked with defending the business from the full range of cyber threats — from sophisticated, novel, and targeted campaigns to very fast-moving smash-and-grab attacks — while managing an increasingly distributed workforce and complex digital infrastructure. The challenge extends beyond adequate resources — the threats these organizations face are too fast or too stealthy for humans to contend with, and the number of new avenues for hackers to gain entry is growing at a rate too rapid for security teams to monitor.
We Cannot Stop Breaches
The recent Colonial Pipeline attack demonstrated the damaging ripple effect of heavy-handed actions taken to curb ransomware. To contain the breach, operators shut down 5,500 miles of pipeline, which carries 45% of the East Coast’s fuel supplies. The incident came shortly after a ransomware attack at Scripps Health, a major healthcare system in San Diego, which led to the suspension of access to its online patient portal and website. Scripps’ network was not fully operational for weeks after the event.
This kind of disruption is intolerable for midsize businesses. Not only is it potentially damaging to customer relationships and to the wider reputation of the organization, but the cost can be enormous. In the case of ransomware attacks, the cost of recovery from a shutdown is often 10 times the amount demanded in ransom by the attackers.
Traditional security solutions try to stop attackers from penetrating the system by identifying threats based on historical attacks. They categorize known attacks as “bad” and guard against them on this basis — commonly known as the “rules and signatures” approach. However, what we’ve learned over the last decade is that simply trying to stop attackers from getting onto systems is futile — that’s only going to work for low-level attacks. It doesn’t work for the advanced attacks that these businesses now face.
Instead, business leaders must contain attacks quickly and minimize disruption so that the organization isn’t negatively impacted. Accepting that attacks will get in is not accepting failure. It is the reality of being a mobile, global, and interconnected business.
Once midsize businesses accept that their systems are likely to be penetrated, they should employ the following strategies for how to effectively respond.
Monitor and Target: Once an attacker has gained a foothold within an organization, it is vital that the security team continuously monitor abnormal behavior to detect the breadcrumbs of emerging attacks. There is always a period when the attacker has an initial foothold and is working out what move to make next; this period can be used to a business’ advantage.
Always Expect a Breach: Companies should test their existing capabilities and have a plan of action for when the worst happens. They should consistently monitor whether existing mechanisms give enough warning and are able to hold threats at bay long enough for the company to act. How early in the attack is the security team alerted? Do defenses slow the attacker, giving the team the opportunity to counterattack? Segregating networks will make it difficult for the attacker to move laterally at pace.
Create a Culture of Security: Business leaders should be vocal about the importance of cybersecurity across the organization, and all departments should know that cybersecurity is relevant to them. The Board should be briefed regularly on cybersecurity, and security providers should be involved in this process. Ideally, the CISO should be part of the top management team. If not, key personnel within the security team should give regular briefings to the management team on how the business is responding to cyber threats.
Scrutinize Your Supply Chain: Attackers are turning to suppliers or smaller third-party vendors to find vulnerabilities and get into the heart of critical systems. We need only look back to the SolarWinds attack to see the damage that can unfold. Suppliers’ vulnerabilities are everyone’s vulnerabilities. How robust is the supplier’s security? Do they have external certifications that verify they take security seriously?
When it comes to cyber — we must accept vulnerability, but we can no longer tolerate victimhood. The only way to eliminate risk entirely is to unplug your business from the internet. With the right technology, cyberattacks should be caught many times over before they get anywhere near encrypting files and extorting business leaders. Midsize businesses must opt for a sophisticated cyber defense while understanding that the “way in” for attackers is never static — it varies as vulnerabilities shift and techniques evolve — and they should embrace the technologies that intervene to stop encroaching attacks.