Why now is the time to go on the cyber offensive

Estimates put the cybercrime bill at £3.1bn in the year to June 2022.
In the wake of alarming cybercrime figures that continue to plague the UK economy, ThreatSpike Labs founder and CEO, Adam Blake, shares his solutions.

No one would argue against the premise that cybersecurity is vital for every business in the UK today. As a society and an economy, we are learning – sometimes the hard way – that cybercriminals are determined, resourceful, and cunning in their relentless campaign to infiltrate our businesses and make off with ransoms, trade secrets, and customer data.  

The cost to the UK is eye-watering, with estimates putting the cybercrime bill at £3.1bn in the year to June 2022. It is not what our country needs as we navigate choppy economic waters. And, of course, behind those raw figures are the multitude of small and medium-sized businesses (SMBs) recognised as the engine driving the British economy. When they are hit with a ransomware attack or data privacy breach, something 39% experienced in the past year, they struggle to recover financially, legally, and reputationally. Many don’t survive. 

So far, so dismal. But the UK government knows it needs to do more to help SMBs defend against cyber-attacks so they can continue playing their vital role in economic recovery. The National Cyber Security Centre (NCSC) recently launched two flagship new services designed to “help small businesses stay secure online and protect their livelihoods.”

The Cyber Action Plan is a short online questionnaire about cyber security covering topics such as password hygiene, MFA, back-ups, and anti-virus, with the results informing tailored advice for businesses on areas they can improve. Check Your Cyber Security is a remote tool that conducts online checks to identify common vulnerabilities in public-facing IT, such as websites and IP addresses.

Launching these free tools is a step in the right direction towards elevating the cyber security posture of the UK business ecosystem, but we can do more. In fact, we must do more to address the chasm between the free basic cyber security tools NCSC offers and the high-cost, high-impact security accessible only to large organisations. Right now, smaller and medium-sized businesses are caught in a catch-22 situation: they need more than basic protection, yet their budgets and in-house resources don’t stretch to what most security service providers offer.

This doesn’t just put those businesses at continued risk, but also their commercial partners in supply chains. A breach of an SMB’s weaker defences can quickly result in cyber criminals gaining access to larger partner businesses through this less well-protected channel.

Making a case for offensive cyber security 

Most SMBs manage to get the basics right – anti-virus, policies on password hygiene, multi-factor authentication, and so on – and the new NCSC services will help them to do so. These static pillars of cyber defence raise the virtual walls around the business and defend against unsophisticated attacks.

What is missing is the nuanced, industry threat-specific testing that will uncover how a determined and inventive adversary could evade those defences. I’m talking about offensive cyber security, employing a third party to conduct vulnerability scanning, penetration testing, red team exercises that simulate real-world attacks, and social engineering exercises targeting company employees to show where education is required. 

At ThreatSpike, we know that offensive cyber security is needed. Our work across the full spectrum of industries and company sizes reveals that the average company can be hacked and ransomed within a day by a determined attacker, and that a hacker gaining access to a single machine in a business creates a 90% chance of a significant data breach. Concerningly, multi-factor email security can be bypassed 80% of the time and, to compound the issue, 70% of staff will not report receiving a suspicious email.

Some form of offensive cyber security is already in place in most large organisations, but its high cost – typically around £1000 per day for penetration testing alone – puts it out of reach of SMBs. Nor do they see the value, when a typical penetration test is only point-in-time and doesn’t deliver lasting value.

We believe that for offensive cyber security to fulfil its proper role in protecting UK Plc, it needs to be more accessible and relevant to the needs of SMBs. That means using automation to offer continuous security assessment against emerging threats, while delivering regular red teaming and social engineering attack simulations to test technical and human-layer defences. Of course, it also means doing this at a price SMBs can afford – effectively democratising offensive cyber security. SMBs need a flat-rate, affordable service with no nasty add-ons or surprises. We believe this is eminently achievable.

Make no mistake: this will not go down well with traditional penetration testing companies, who for too long have obscured the “dark art” of offensive cyber security, keeping prices artificially high and pricing smaller customers out of the market. But this disruption needs to happen if we are to tip the security scales in favour of UK Plc as a whole.

We also need greater knowledge-sharing and transparency around offensive cyber security, so that more organisations understand how it is conducted and so that those with in-house resources can carry out offensive cyber security activities themselves. At ThreatSpike we are developing online resources that help companies get to grips with offensive cyber security testing techniques, because we believe every business deserves better cyber security.

And it will benefit us all. Shoring up security in smaller companies has a rising-tide effect, improving the security posture of the whole UK and making us more robust as an economy and better able to weather the economic and cyber storms we face. That has to be a path worth exploring.
