Why a big budget doesn't guarantee effective cyber security

James Ward, Head of Cyber Security at MASS, says that cyber-attacks are inevitable, meaning that a focus on recovery as well as prevention is essential.

Everyone talks about cyber security, and we all think we know the golden rules. So why are multi-million-pound companies still being hacked?

The past year has seen an increase in high profile and highly damaging cyber-attacks. Most recently, T-Mobile has suffered a “highly sophisticated cyber-attack” resulting in the personal information of almost 50 million people being stolen. Many other organisations have also been subject to security breaches this year including Microsoft Exchange, CNA Financial, 20/20 Eye Care Network and DriveSure.

In each of these cases, the assumption from outsiders is that these companies would be highly advanced from a cyber protection standpoint, given that they have CISOs, SOCs, internal security teams as well as external accreditation and an understanding of the cyber threats and management of risks they face.

But even with these processes and teams in place, the question for most companies is not if they will be a victim of cybercrime, but when. In fact, the Department for Digital, Culture, Media and Sport’s Cyber Security Breaches Survey 2021 found that four in ten businesses (39%) and a quarter of charities (26%) reported cyber security breaches or attacks in the last 12 months. Among those that suffered an attack, 21% of businesses and 18% of charities lost money, data or other assets.

This clearly shows that although businesses can invest significant amounts of money in security controls, strategies, policies and staff training, it will not guarantee safety from a cyber-attack. The threat landscape remains an arms race between attackers and defenders, with new vulnerabilities and attack vectors exposed constantly, or worse, only exposed when it’s too late.

Lindy Cameron, chief executive of the National Cyber Security Centre — a branch of GCHQ — urged Britons to wake up to the threat from ransomware hackers. Cameron said what she found “most worrying” was not state actors, but the wider failure to manage cyber risk. If an attacker with sufficient resources, time, and skill decides to target your systems specifically, eventually they will succeed.

This is why at MASS, rather than focusing on impenetrable defences, we believe a more realistic goal for businesses is cyber resilience. This is a fundamental shift in mindset towards recovery: when you are attacked, how quickly can you detect, respond and recover? These factors determine the level of damage and increase your chances of recovering from the incident. Resilience is key to survival.

Cyber resilience can come in the forms of disaster recovery and business continuity planning, failover sites and networks, backups, and incident response procedures. Having these in place and, importantly, regularly exercising and testing these plans, will ensure they are effective when the inevitable cyber-attack happens to your organisation.
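One concrete form of "regularly exercising and testing these plans" is an automated restore drill: rather than trusting that a backup exists, restore it into scratch space and verify every file against the digests recorded when the backup was taken, recording how long the restore took. The script below is an added illustration written for this page, not MASS's code or tooling; the directory layout, file contents and file names are constructed sample data, and the archive format (gzipped tar with a JSON manifest) is an assumption chosen for the example.

```python
import hashlib
import json
import tarfile
import tempfile
import time
import zlib
from pathlib import Path


def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(src: Path) -> dict:
    """Map each file under src (relative path) to its SHA-256 digest."""
    return {str(p.relative_to(src)): _sha256(p)
            for p in sorted(src.rglob("*")) if p.is_file()}


def create_backup(src: Path, archive: Path) -> dict:
    """Write a gzipped tar of src and a manifest captured at backup time."""
    manifest = build_manifest(src)
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(src.rglob("*")):          # parents sort before children
            tar.add(p, arcname=str(p.relative_to(src)), recursive=False)
    (archive.parent / (archive.name + ".manifest.json")).write_text(json.dumps(manifest))
    return manifest


def restore_drill(archive: Path, manifest: dict) -> dict:
    """Restore the archive into scratch space and check every manifest entry.

    Returns a result dict instead of raising so the drill can be scheduled
    and its outcome (including restore time) logged for the continuity plan."""
    start = time.monotonic()
    result = {"ok": False, "missing": [], "mismatched": [], "error": None, "seconds": 0.0}
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive, "r:gz") as tar:
                # The "data" extraction filter (Python 3.12, backported to some 3.8-3.11
                # releases) rejects absolute paths and path traversal inside archives.
                kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
                tar.extractall(scratch, **kwargs)
        except (tarfile.TarError, EOFError, OSError, zlib.error) as exc:
            result["error"] = f"{type(exc).__name__}: {exc}"   # unreadable/damaged backup
        else:
            for rel, digest in manifest.items():
                restored = Path(scratch) / rel
                if not restored.is_file():
                    result["missing"].append(rel)
                elif _sha256(restored) != digest:
                    result["mismatched"].append(rel)
            result["ok"] = not (result["missing"] or result["mismatched"])
    result["seconds"] = round(time.monotonic() - start, 3)
    return result


def run_drill_scenarios() -> dict:
    """Constructed end-to-end drill: a healthy backup, a truncated (damaged)
    archive, and a manifest whose digest no longer matches the archive."""
    with tempfile.TemporaryDirectory() as tmp:
        work = Path(tmp)
        src = work / "crm-data"                      # constructed sample data set
        (src / "records").mkdir(parents=True)
        (src / "config.yaml").write_text("retention_days: 30\n")
        (src / "records" / "customers.csv").write_text("id,name\n1,Alice\n2,Bob\n")

        archive = work / "crm-data.tar.gz"
        manifest = create_backup(src, archive)
        healthy = restore_drill(archive, manifest)

        # Damaged media: simulate by keeping only the first half of the archive.
        damaged = work / "crm-data-truncated.tar.gz"
        data = archive.read_bytes()
        damaged.write_bytes(data[: len(data) // 2])
        truncated = restore_drill(damaged, manifest)

        # Content drift: the recorded digest no longer matches what was restored.
        stale = dict(manifest)
        stale["records/customers.csv"] = "0" * 64
        altered = restore_drill(archive, stale)
    return {"healthy": healthy, "truncated": truncated, "altered": altered}


if __name__ == "__main__":
    for name, res in run_drill_scenarios().items():
        print(name, json.dumps(res))
```

The point of returning a result dict rather than raising is that a drill only counts if its outcome is recorded: a backup that cannot be restored, or that restores with missing or altered files, is the failure the plan needs to surface before an incident rather than during one.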

Contact MASS to find out how we can help your business be prepared for cyber-attacks or any other disruptive incident.