It was Dave Stutman who coined the phrase that “complacency is the enemy of success” and in few areas is this quite as applicable as it is in the cyber security space. With so many cyberattacks making the headlines, it can be easy to become numb to the crushing impact that they have on businesses and individuals as they seek to recuperate stolen or encrypted data.
Not that Matt Lock, technical director of data security firm Varonis, and his team are likely to become blasé about this any time soon as they work closely with impacted firms and see for themselves the stress such attacks cause. Cyber incidents can be absolutely devastating to organisations, he said, and the pressure that teams are under to get the lights back on and everything secured goes all the way to the board.
“These are really fundamental questions that you would have thought would be quite easy to answer,” he said, “such as - where’s our sensitive data located? Who’s got access to it? Who’s using it that shouldn’t be using it? What should we have deleted years ago? That’s at the foundation of what we do… and [with that information] we can look at a business’s activity and spot deviations, or where activity looks more automated than human.”
Lock noted that it used to be the case that discussions on data security were largely dismissed, as organisations would instead focus on putting up firewalls and installing the latest AV technologies. However, numerous high profile incidents over the past five to six years have raised this issue on the agendas of senior leaders as they have seen the impact that an internal vulnerability can have when a business’s perimeter is breached.
“Once that perimeter is breached, then it’s pretty much carte blanche in terms of what attackers can do,” he said, “because [organisations] tend to have very reduced and lax security internally. And that’s for two reasons. One because it’s really hard to do, and two because it has the potential to impact productivity. And security is already seen as the ‘bad guy’ that gets in the way of everything.”
Looking at how the market has shifted, Lock highlighted a key change that is helping to reshape that narrative – the move from opportunistic ransomware attacks to targeted attacks. Insurance companies are at the frontline of this shift, he said, as a member of the hacking group REvil made clear in a recent interview by stating that insurance companies are being deliberately targeted.
“Not because they want to target the insurance companies themselves,” he said, “but because they want to find out who their customers are. The whole purpose of their attack is to find that customer base because then they know they’re probably going to get paid out following their [attack] because the companies they target will have cyber insurance policies.”
The first question on everybody’s lips after an insurance company is breached is always whether or not the attackers accessed the customer list, he said, a question neither the insurer nor the hacker is inclined to answer.
Lock can also see a shift in responsibility taking place across the insurance market. Companies that previously may not have considered it their responsibility to put breach protection controls in place because they had an insurance policy are now paying attention to the rumours that insurance companies are no longer going to cover ransomware attacks. This has put that responsibility back on these organisations and created a market dynamic that he believes will be interesting to watch as it unfolds over the next few months or so.
“The reality is that everybody’s a target,” he said. “What has been quite surprising for me is that [threat actors] are now going after smaller companies as well… But then you don’t need to be a massive corporation to be a target, you can be a small corporation with a lot of valuable data.”
The unfolding cyber threat landscape can seem quite daunting but the good news is that there are certain actions that companies, insurance or otherwise, can take to protect themselves against cyber incidents. For Lock, and his team at Varonis, the focus is on “reducing the blast radius” of businesses. This means that companies need to take the actions necessary to ensure that, if they are compromised, they have reduced their attack surface area.
“We’ve been preaching what we call ‘least privilege’ for a long time, which is basically just ensuring that the right people have access to the right data,” he said. “So, it’s about really simple fundamental controls that you put in place to make sure that you know where your data is located and that information you shouldn’t be holding on to is moved, off-site archived, or ideally deleted. Because if you don’t own it, it can’t be stolen.”
Least privilege or ‘zero trust’ is a great way of ensuring that, should a breach occur, you can swiftly identify what data has potentially been impacted, he said, because you understand what data certain accounts have access to. Visibility is key and businesses need to have the right structures and permissions in place to build good data governance.
“The only way to do that is to get the businesses to do it themselves. We’ve been talking about this for years - get the business involved, get them to understand that they should make decisions about access and make sure that you’re actually monitoring those routes in and out of the network,” he said. “To enable this, it really helps if companies invest in implementing behavioural model monitoring, as this will put them in a much better place to determine whether an action that’s occurred is out of character for the individual who carried it out.”
The increased scrutiny levelled at internal data protections is keeping Varonis very busy, Lock said, and retrofitting a tight-knit security layer over companies’ operations is a time-consuming task as many have simply never done anything like this before. It’s well worth the effort, however, he said, as evidenced by a major construction company, responsible for building Nightingale hospitals, which was recently hit by a breach.
“The reason why they weren’t impacted as badly as they should have been, is because of all the work done beforehand to reduce their blast radius,” he said. “Before, they just had so much data exposed to everybody in the company so we just spent a lot of time going through that in a methodical and automated way, just locking down access. And they will attest, day in day out, that if they hadn’t have done that work beforehand, the impact of the breach would have been far worse.”