The global pandemic and more recently, the invasion of Ukraine has heightened concerns over cybersecurity attacks. Whilst the continued shift towards “hybrid” working has created major gaps for hackers to gain access to sensitive information. But there are key steps that can be taken to safeguard against cyber threats as Joel Rennich, Head of Device Identity, JumpCloud and Matt Middleton-Leal, Managing Director Northern Europe of Qualys discuss.
In our cyber security roundtable Joel Rennich, Head of Device Identity, JumpCloud and Matt Middleton-Leal, Managing Director Northern Europe of Qualys had this to say.
What is the current state of the security industry in your opinion?
Joel Rennich: “Security certainly has received more attention from small businesses due to the pandemic – they had to manage security and ensure that their staff could get access securely from home. Now, those projects have bedded-in – staff are more used to this way of working, and companies that support their employees in working effectively are more likely to retain that staff over time. When people have more choice in the job market, that is actually a great benefit to offer.”
“There are challenges around the growth of ransomware, and the geo-political instability at the moment does pose a risk. However, the most important response, as always, here is to get the basics done well.
Matt Middleton-Leal: “Attacks are evolving at a rate faster than the industry and the people who are responsible for security can keep up with. Organisations are often outdated in a lot of areas – for example, there are still many people running on just legacy antivirus software. Looking at the security landscape today, companies should move to more complex capabilities such as endpoint detection and response. While those older platforms provide some protection, they are clearly nowhere near where you need to be to protect against the level of threat out there right now.”
What are the key challenges or threats affecting the channel?
Joel Rennich: “For channel companies, security is a market that will continue to evolve. There is no end to the new threats getting launched and software vulnerabilities found. So security management tools will always be in demand. The biggest challenge is how to help customers achieve their goals when their teams are pulled in multiple different directions at the same time. IT administrators have so many things to think about – helping those contacts to automate or consolidate their tasks so they can be more efficient is a natural opportunity to help.”
Matt Middleton-Leal: “From a commercial perspective, the challenge is to move away from purely providing resale of vendors’ products and look at more services with ongoing revenues. To succeed, the channel needs to hire people with the appropriate skills for this new approach, which is based on understanding customer needs and keeping in touch on a really regular basis to know what changes are taking place. However, the job market around IT is currently fiercely competitive and those people are hard to find.
“Channel companies can scale up with the appropriate people and solutions, they can help customers get value from technology faster. Those partners that don’t take that approach will not stay in business.”
What industrial sectors are experiencing increased threat and challenges of cyber security?
Joel Rennich: “The challenges around security today are pretty horizontal – all companies face problems in protecting their systems. The differences are in how many resources they have available to them to fix those problems and manage tasks. Small businesses in particular are thinly stretched, so they need the most help from service providers and partners to cope.
“Small businesses need more help to protect themselves against that increased threat that exists. The challenge is how to make this easy to achieve.”
Matt Middleton-Leal: “We are definitely seeing a big rise in threats around the Internet of Things. The number of ransomware attacks that affect IoT-type environments have skyrocketed.
“I think the perception is that all the hackers go after the banks, because that’s where the money is. That’s very, very outdated. Now the vast majority of breaches appear to be in the SME market space. Attackers go after those smaller organisations because they know SMEs can’t invest in the tools and people to protect themselves, and there is clearly a big skill shortage. So even if you do have the budget, you can’t find the people.
“The biggest risk factor we see is not industry but capability. There are attackers out there with a ‘spray and pray’ mentality, where they will just ping every organisation and look for poor configurations. They will go after the ones that have the worst set-ups in place, which will tend to be smaller businesses with smaller numbers of IT staff.”
Are there any new threats that have emerged recently? If so, what and how have these come about?
Joel Rennich: “There are plenty of new ransomware attacks taking place. Alongside this, there are attacks on user accounts to get access to cloud services or to applications that might host financial data. Protecting accounts with multi-factor authentication is a necessary step to prevent those kinds of attacks, or bad actors can get access to those services and use them for their own ends. This might involve cryptomining, or using that application account as a bridge to steal information or implement a more serious security breach.”
Matt Middleton-Leal: “There aren’t new threats, but there are new vulnerabilities in systems which enable people to build new, more sophisticated attacks and strategies. If you look at the Log4Shell or Pwnkit vulnerabilities, those are the new risks, and the threats come after those vulnerabilities are discovered. It’s an arms race to see who’s going to find those loopholes.
“To defend against this, it’s about getting the basics right. For example, we still see sites vulnerable to cross-site scripting, which has been known about for fifteen years. This is purely because they do not carry out the appropriate testing regimes. Applications will be released before adequate penetration testing has taken place.
“Whilst a lot of this has to do with budget and skills, some organisations don’t have the money and have to go for a cheaper option. Lastly, there is always human error to consider too.”
What advice would you give to the tech channel to help safeguard their business?
Joel Rennich: “Look at how you manage user identities. This is the starting point for successful security projects like zero trust. This is based on establishing a secure chain across IT resources, rather than simply trusting someone is who they say they are at the start.
“If you are a MSP, then you can build out your services to small and mid-size businesses around directory and identity services. SMBs have been under-served in this market because the traditional products here like Active Directory are built for enterprises with thousands of users. They often require on-premise hardware too, which SMBs don’t tend to want today. Offering cloud directory services that can deliver user management and integrate other IT admin tasks can be a strong foot in the door with a stressed sysadmin.
“Finally look at services that can increase security and, at the same time, increase user experience. Many security tools and methods are ignored by users because they are just too complicated to use. In order to win the hearts and minds of your users, you have to offer them functionality and ease of use in addition to security.”
Matt Middleton-Leal: “Eat your own dog food! Security vendors provide these tools and they are effective. Apply those same solutions internally and make use of them to improve your approach. You should have specialists and consultants as part of your offerings and you can use their skills as part of your approach.
What new threats or challenges is the consumer industry facing in regards to cyber security?
Joel Rennich: “Everyone faces attacks on their personal devices and accounts. Protecting them involves the same approach as business applications should have in place – use multi-factor authentication for your accounts where it is available.”
Matt Middleton-Leal: “The number one risk is phishing, this is still the single biggest risk to the consumer market. It’s so widespread, because people are using their laptops to do banking and use digital services. There are little things that you can do, like checking for spoofed email addresses.
“The second risk is simple – people don’t update, you go on people’s laptops and they have not rebooted it for eight or so months. And it’s got a huge stack of updates pending. So guess what? That machine is vulnerable.”
“Helping people get their security right by making it easy and automatic can help consumers the most.”
How can businesses look to simplify their security infrastructure to manage all endpoints and areas that could come under attack?
Joel Rennich: “Consolidating services will help IT sysadmins to get more done and cope with the huge amount of requests and work that they have to deal with. For example, simplifying user identity management can help those businesses reduce their costs and improve their efficiency. However, this can also be an opportunity to implement integrated multi-factor authentication and single sign-on support at the same time. Rather than running multiple tools with separate licenses, businesses can consolidate their approaches and save on costs.”
Matt Middleton-Leal: “Companies have to understand what their risk exposure really is. This means looking at what the business does, what tools they use, what security they have in place. Alongside this, they need to design how they protect themselves for the next ten years. After this, the team can look at the capabilities they have, and then they might have a better chance of actually coming up with the right answer.
“The biggest challenge to this is that most teams start at the bottom and look only at tools, or adding another solution. However, the most effective long-term approach is to look at how they’re doing things overall, and re-architect the approach to make the most difference. This doesn’t happen overnight, but it can have the biggest impact.”
Just how sophisticated are the attacks becoming, who are these attackers?
Joel Rennich: “Attacks are more sophisticated than they used to be. However, that is because there is more effort going into finding potential issues and fishing them. There will always be more issues that get found in software, but these are getting found and fixed.
“The challenge here is how those fixes get deployed. Microsoft Windows is built to be managed at scale by businesses, and patch management is part of how sysadmins work. However, Apple MacOS devices put all the control into the hands of the user, which can make getting consistent security and update management more difficult for IT administrators.
“Without good patching in place, attacks don’t have to be sophisticated to succeed. Those problems can be exploited easily.”
Matt Middleton-Leal: “This is an arms race – we increase our protection, and attackers look for more and more sophisticated ways to breach that security. The threats are the same, but the vectors change based on the configuration that is in place.
“Having said this there are still targeted attacks that go after money or IP. They are typically going to be nation state type attacks. If you can get military secrets or a plan for the next power plant, that could be of huge value.”
What future threats should companies be aware of and how can businesses ensure they have means of protection?
Joel Rennich: “Companies today use more cloud computing services, and those accounts are valuable. Compromising accounts is one of the fastest ways to carry out a security breach. That is why the UK’s Cyber Essentials programme has been updated this year to include using multi-factor authentication for accounts with cloud services and applications.
“Taking advantage of capabilities like these is the best way to prevent those new and future threats, as it stops attackers being able to get access.”
Matt Middleton-Leal: “One element to consider is the human factor – people will always make mistakes, and those errors can open you up to potential attacks over time. This could be a poorly configured cloud service, or a missed patch, or someone missing out on steps that they should take to harden an application against attack. Detecting those issues will be just as important as spotting software vulnerabilities.
“Companies have more and more software, and more and more cloud services in place. This complexity can lead to issues. Checking all that infrastructure, knowing what you have and whether it is set up properly, will need more automation in order to be carried out effectively and easily.”
How are recent challenges such as the virus and other recent critical issues in Europe represent major threats to businesses in regards to cyber security and cyber attacks?
Joel Rennich: “There is a huge amount of turmoil right now, and it comes straight after the pandemic led to huge changes in working practices for companies large and small. Those businesses – particularly at the SMB end of the spectrum – have had to look at how they manage security for those remote and mobile workers.
“Those that adopted identity first approaches and used zero trust methods to support those staff will find that they can handle the challenges that are around the corner much more easily than those that did not invest and tried to muddle on with their existing tools, or that relied on users to manage themselves independently.”
Matt Middleton-Leal: “Getting the basics right will make the most difference to security. That means knowing what IT assets you have in the first place, whether those assets are up to date, and then prioritising any fixes that are needed. With all the complexity in IT today, getting that right can make a huge difference.
“This can help defend your systems whatever comes up during the current problems, and help prepare for the future.”
Read the latest edition of PCR’s monthly magazine here: