Lock the doors and close the windows!

8 March 2019

The world of Cyber Security is full of very sophisticated systems, all playing their part in keeping us safe as we increasingly go online in business and our everyday lives. The level to which these are deployed depends on your cyber security strategy, budget and risk. Thousands of these systems are available, with more and more on the market every day. Some have artificial intelligence, machine learning, behavioural analysis and very clever mathematical engines that are all trying to hold back the tide of threats emerging from all over the world. The sources of these attacks range from script kiddies and organised groups right up to Nation States.

There are many motives for these attacks, ranging from money and intellectual property theft to political gain or disruption to critical national infrastructure. Developing malware and delivering successful attacks does take time and money. With this in mind, what would the attacker do? Spend hours developing code or finding the new zero-day attack? No. The vast majority of these hacking groups take the easiest route and pick the lowest hanging fruit.

Surely by now, with Cyber Security being so much in the news and awareness being a top priority in organisations, there can’t be much of this fruit to go around? Unfortunately, there is a constant crop to harvest! Why? Because we constantly fail to address the simple issues and do not take the general advice about cyber hygiene seriously. This includes critical patches that aren’t deployed fast enough or at all, default admin passwords that are not changed, multi-factor authentication that is not prioritised, and insecure protocols that are used without authentication. The list simply goes on. Cyber Security unfortunately still remains an afterthought, maybe because it’s perceived as being some dark art and too expensive, or because project timescales are too aggressive to accommodate these extra measures, which in turn means best practice is not observed when delivering code and infrastructure.

Until this thought process changes, hackers will very easily be able to exploit a vast number of published vulnerabilities with very little effort or cost. You can consider home security as an example. We lock our doors and windows as a minimum and we put in place basic controls without even a second thought. Some of us add alarms and cameras that provide monitoring to further protect our perimeter. These are basic, simple measures that offer enough protection to keep petty thieves at bay. But why are we constantly seeing companies, products and people being the subject of attack and Cyber Crime?

It could be a lack of priority, awareness and skillset, tight budgets, overcomplicated infrastructures or aggressive delivery timeframes. These are valid challenges that we as humans face on a daily basis, but they are not valid excuses for leaving your doors and windows unlocked.

Let’s get the simple stuff right and take the great advice from the NCSC, NIST, OWASP and CIS, just to name a few. Let’s follow best practice Cyber Security guidelines, and ensure systems are regularly patched and accounts are secured with strong passwords and Multi-Factor Authentication. The Cyber Security journey can be expensive depending on your risk profile, but it costs little to nothing to follow some simple steps. Even a basic level of awareness might not make the whole issue go away, but it could make the life of a hacker more difficult, thereby making you a difficult target, just like having an alarm on your house makes petty thieves move on to find something much easier to crack, with a lesser risk of getting caught.


Chris Burden