By Tim Brown, VP security at SolarWinds MSP
Every year, the entire month of October is given over to Cybersecurity Awareness—a campaign dedicated to promoting information security and safer use of the internet by everyone. But is it having an effect? Are UK businesses more aware of—and better prepared for—the cyberthreats they face?
The answer is yes… and no. Businesses are increasingly aware of cybersecurity, with research from the Ponemon Institute showing a clear majority are knowledgeable when it comes to the biggest ransomware threats. But awareness isn’t being translated into action, with nearly half suffering a successful attack in the last year.
So why isn’t this awareness leading to action? And how can this be fixed?
The new cyberthreat landscape
It is common knowledge that today’s cyberthreat landscape is becoming increasingly sophisticated, with attacks resulting in bigger and longer-lasting effects. And over the past 12 months, there has been a wave of new attacks that have dominated headlines.
Along with the Vault 7 leaks, which revealed several variants of malware created by the US Central Intelligence Agency (CIA), including Year Zero, Dark Matter, Weeping Angel and HIVE, among others, there was the WannaCry ransomware attack that spread around the globe and most notably, temporarily crippled the NHS in the UK. And then there was Petya, which effected networks in multiple countries, including the US pharmaceutical company Merck, Danish shipping company Maersk, and Russian oil giant Rosneft. This particular ransomware hit the Ukrainian infrastructure particularly hard, disrupting utilities like power companies, airports, public transit, and the central bank.
Whether it’s down to media hype, it seems businesses are confused by the new threats that exist. According to the Ponemon Institute’s research, UK and US businesses are very aware of the Petya and WannaCry ransomwares, and believe they are at risk of attack. They aren’t as aware of the Vault 7 attacks and believe the risk of falling victim to a Vault 7 attack is a lot lower.
Yet over half of the UK and US businesses surveyed had experienced one or more of the above-mentioned cyberexploits in the past year. What is particularly surprising is that the most detected attacks were Weeping Angel and After Midnight—Vault 7 attacks that, due to their very nature, did not even pose a risk to most businesses.
Hype versus reality
While the media plays an important role in educating the industry on new threats, it has also created a lot of confusion. Let’s take the detected Weeping Angel attacks as an example. While more than a third of businesses claimed to have detected a Weeping Angel, it’s unlikely they would have been victim to this threat. Why? Because it requires having physical access to a Samsung TV and plugging a USB into it.
This means businesses need education, as well as solutions, to stay secure in the new cyberthreat landscape. For managed service providers (MSPs), this is an opportunity to help businesses take the right measures to ensure they don’t get caught up in media hype.
Taking on cybersecurity
With many businesses lacking the in-house expertise and technology to fend off new cyberthreats, MSPs have an opportunity to help businesses with security awareness—and to provide the technology, staff, and knowledge to prevent these threats from taking place.
But this doesn’t mean MSPs need to do everything for all businesses—an MSP should be able to understand the risk a business faces and educate them on this risk. For example, businesses may believe that size, location, or geography will mean it’s more vulnerable to cyberattacks. Yet these have little impact on vulnerability—the service a business provides, the products it offers, and ultimately, the data it holds, on the other hand, are the factors that determine security risk. A hospital or health service is a prime example here.
In short, while the profile of a business determines the risk, the risk determines the level of protection it needs and the services and solutions a MSP should provide. To better protect customers, MSPs should ask five key questions: What type of data do they hold or have access to? How complex is their business? Whom do they share data with? What would be the effect of a breach or compromise? What larger infrastructures/networks are they connected to? These “crown jewels” are all things cybercriminals will aim to exploit. MSPs can help their customers prepare and defend against threats by focusing on good cyberhygiene that takes all of these critical factors into account.
The path to becoming managed security service providers (MSSPs)
Whether it’s focusing on good cyberhygiene, or advanced offerings like VCSO, penetration testing, and 24/7 monitoring, there is an opportunity in front of MSPs to take on an advisor role, covering risk management, education, business, and security. If MSPs can quickly adapt to the changing cyberthreat landscape, take on cybersecurity, and get on the path to becoming MSSPs, not only will they become an indispensable partner, they will be sure to outrun the competition.