Curtis Simpson, CISO at Armis explores the rising cyber threats to UK organisations and the need to improve attack surface management before it’s too late.
Much like Shakespeare’s final play, which begins with the spectacle of a storm-tossed ship at sea, UK organisations have also found themselves engulfed in a tumultuous cybersecurity tempest.
At the eye of the storm is a paradox that highlights the challenges of the digital age. As organisations embrace technological advancements, they inadvertently open themselves up to an ever-growing array of cyber threats.
With each new asset or system introduced, the attack surface expands. Coupled with the fact that the cyber landscape is always changing, becoming more sophisticated by the minute, organisations are struggling to keep up. The tempestuous waters of these cyber threats are raging against the sides of the ship.
Yet, as new vulnerabilities emerge, one constant remains – employees are commonly still the weakest link in the cybersecurity chain. In fact, 67% of employees are downloading software and applications without the prior consent or knowledge of IT or security teams.
This is nothing new. IT and security teams have known about the perils of employee behaviour for years. So why is it still creating problems? And how can organisations now weather the storm before it’s too late?
The eye of the storm
There are five fundamental obstacles preventing organisations from truly managing their evolving attack surface. These include scale, a lack of visibility, absence of policy enforcement, human effort and an increasingly complex regulatory environment.
First of all, the scale of an organisation’s attack surface makes it difficult to monitor for and mitigate threats. On any given business day, an average of around 45,000 assets are connected to an organisations’ networks. These assets present organisations with a whack-a-mole style dilemma, which sees them tackling a threat in one network area only to find another emerging simultaneously elsewhere.
Next, there’s a drastic lack of visibility. The sheer volume of assets, combined with siloed legacy technology, means organisations lack complete network visibility. In fact, more than a third (39%) of UK IT decision-makers noted a lack of complete visibility over company-owned assets connected to the business environment.
This lack of visibility and management does not stop with devices. Human error plays a big role in hindering attack surface management. Whether it’s through the assets they introduce into a network or how they handle existing devices and processes, employees pose a major risk to their employers. Yet, little has been done to equip them with the knowledge to act in a continually secure manner.
Beyond training, there’s a severe scarcity of policy enforcement. As it stands, only one in two (51%) of organisations have a Bring Your Own Device (BYOD) policy for all employees. A BYOD policy establishes guidelines on how employees use their own devices within the business environment, such as phones and laptops with access to the corporate network and data. Overall, 69% of UK IT decision-makers agree their organisation needs better policies and procedures to deal with security vulnerabilities.
Although the majority of organisations understand the necessity of these changes, a paralleled optimism at actioning them is nowhere to be seen. The complex regulatory landscape has halted many organisations in their tracks. In fact, 39% of IT leaders admit to feeling challenged by the UK’s increasingly complicated regulations and governance requirements.
For example, 2023 saw the second iteration of the Network and Information and Security (NIS2) directive launch, which modernises the existing legal framework governing cybersecurity standards in the EU. Yet, those UK businesses that operate within it are also bound to the directive, while also being tied to other UK regulations.
Before, organisations received a fine following a breach. Now, this new directive rules entities will be fined based on failing to meet new basic security regulations, regardless of whether there’s a breach or not.
Weathering the attack surface
As it stands, existing legacy technologies and processes aren’t fit for purpose. In a world of ever-increasing connectivity, there’s no space for an isolated approach to security. Often it can result in a complex, fragmented landscape, with neither complete visibility nor a single source or trusted piece of information that can lead to human errors or inaccurate data.
Now, organisations must shift away from what they have known and embrace a new approach. But, where to start?
First and foremost, visibility and management. You cannot protect what you cannot see. Organisations can safeguard their environment by ensuring comprehensive asset visibility across all devices, whether managed or unmanaged. This approach allows them to discern the entire attack surface and take proactive measures in asset security management. By consolidating data from various sources, essential network insights can be derived, aiding in the detection of breaches and anomalous behaviours.
Truthfully, organisations cannot eliminate all potential risks or mitigate all attacks. But prioritisation and subsequent monitoring can put them on the right path. It can identify, analyse, evaluate and address threats, which are then prioritised based on the potential impact and level of exploitation risk.
But, with dwindling security budgets and 50% of all UK businesses reporting a basic cybersecurity skills gap, and a further 33% experiencing this at an advanced level, how can workforces reach the necessary levels of security?
In light of financial and workforce limitations, introducing automation can bridge this skills gap, as well as manage security posture. With 51% of cybersecurity teams feeling overwhelmed by the volume of threat information they currently receive, implementing automation can provide real-time threat response without requiring human intervention.
Battening down the security hatches
Organisations face constant cyber threats, and the growing attack landscape provides numerous entry points for attackers, be it through assets directly connected to the network like IP cameras or printers, or via third-party providers.
By focusing on strict policy enforcement, employee security training and truly understanding the attack surface through asset visibility, prioritisation, monitoring and automation, organisations can embed a holistic security approach as opposed to a siloed security approach.
These factors will ensure organisations are creating a fit-for-purpose strategy, which actively embeds insider risk and employee support at its core. In doing so, organisations can batten down the security hatches and navigate the tempestuous waters of the cybersecurity storm.
