How Trustworthy is Your Cyber Defense?

Make your cybersecurity spending pay off with added defense tactics and provider accreditation

By Tom Brennan, Chairman, CREST USA

Cyber criminals are branching out from the big guys, the Facebook-type large scale breaches, to the small-to-medium-sized enterprises. A new global study by Analysys Mason shows SMB’s are paying attention: they estimate SMBs spent $57 billion on cyber-security in 2020, and anticipate this figure hitting $90 billion in 2025. By nature, SMBs work with less security budget and staff. For SMBs, and even for companies with deep pockets, your cyber defense investment has to be just the first step in a powerful threat defense.

The threat universe in which we do business today is an equal-opportunity one. The rise of ransomware-as-a-service and the ability to purchase malware on the dark web has lowered the barrier to entry and made cybercrime accessible to anyone. The result is that no sector or size of company can ignore these targeted or indiscriminate attacks.

Understanding the Cyber Attacker

This expanding threat climate makes it all the more important to understand what data is attractive to an attacker and to discover where your security weaknesses are so you can fix them before someone else finds and exploits them. The best way to discover where vulnerabilities lie is to simulate malicious attacks, from inside or outside of the organization, in order to see how easy it is to break into your network and steal valuable data or deny access to critical assets.

The practice of this type of simulation is called penetration testing. Demand for this very skilled, technical, and clearly very sensitive investigation and analysis, has seen a rapid rise in demand. While penetration testing has traditionally been associated with government organizations and large financial institutions and corporations, it is now commonplace among medium-sized companies and the wider public sector.

Verify Penetration Testing Knowledge

Evaluating the trustworthiness of a third-party provider to conduct penetration testing has to be part of your improved threat defense. You need to have confidence and trust in a specialist company that delivers this service regarding how information and knowledge is handled and processed. Seek out an accreditation that will verify the level of knowledge, skill and competence of a provider in relation to penetration testing, cyber incident response, and threat intelligence. This accreditation also can apply to individuals within your organization who are part of your security operations team. These accredited providers and individuals need to stay one step ahead of cybercriminals and be well versed in the tools and techniques used in the most sophisticated attacks.

Another benefit of vetting your providers is the ability to tell your customers that their

data is adequately protected and that you take cyber security seriously. While larger organizations may have more security staff, if you’re an SME, you have to do more with less, and you have fewer reserves with which to survive a costly cyberattack. A good practice is to explore what are the baseline requirements for cyber hygiene in your organization: what can’t you afford to lose in terms of data, a computer asset shutdown, or in e-commerce, for example, a privacy breach of your customer’s information. This information needs to be integrated into your overall cyber defense, and a reputable provider should be able to give you a solid defense strategy for all items.

In fact, it has been shown that organizations with a basic level of cyber hygiene have not been affected by random attacks such as WannaCry. Accreditation also helps you better leverage your investment. The Analysys Mason study also found investment in third-party, managed security services to represent the largest segment from 2020-2025, an estimated $30 billion at a 14% CAGR. Getting the most qualified providers and individuals makes sense, given the substantial projected spend.

Evaluating Your SOC

Despite best endeavors, it is impossible to be 100% secure. If your business does fall victim to a malicious cyber security incident, your immediate task is to act as quickly as possible to limit the impact and damage. An information Security Operations Center (SOC) is often the first line of defense so there is an increasing demand to ensure that it is operating effectively. The difficulty lies in how to make this assessment when you’re using third-party services. It is impossible to assess capability based on marketing material and almost impossible to assess capability through a procurement process. To help to resolve this issue, it is possible to apply an accreditation process specifically to SOCs. This includes procedural audits, physical audits, and technical assessments.

Better Defense Benefits All

With billions being spent on cyber defense, it is good economic policy to put that investment to the highest, most effective use. Using penetration testing, seeking formal accreditation of your security service providers, and having a very clear picture of your most critical threats, will give you a more powerful, and trustworthy security foundation.

About the Author

Tom Brennan is Chairman of CREST USA, an international not-for-profit accreditation and certification body that represents and supports the technical information security market. In this role, he works with government and commercial organizations to optimize the value of CREST as a cybersecurity accreditation body and industry standards advocate. Brennan also serves as an industry evangelist and educator on the value of using accredited cybersecurity products and professionals to improve consumer privacy, security, and protection worldwide.