A giant mistake that many organizations, IT admins, and even outsourced IT service providers make in cybersecurity is choosing the solution before understanding the threat. It is positive that an organization is thinking about its security posture and how to improve it, but without an understanding of the threat it will tend to implement defenses that seem obvious yet deliver little protection while more important defenses are still missing. This unfortunate reality was confirmed during our recent attendance at a large cybersecurity conference, where we had the opportunity to speak with cybersecurity experts and other IT service providers from all over the country.
Before architecting and implementing a cyber defense strategy, it is critical to understand what the threat landscape actually looks like. Threat actors constantly change their techniques to improve their success rate and evade law enforcement, and what organizations hear from the news and other information outlets rarely paints the whole picture.
Ransomware, for example, is clearly top of mind for most organizations. It is all over the news, and organization leaders seem to have a “drop everything” attitude when it comes to addressing the ransomware threat. That focus is somewhat misguided. According to the latest threat reports from industry analysts, less than 40% of all cyber-attacks in 2021 involved ransomware. That is still a high percentage, but it is not the primary strategy threat actors employ today. After the Colonial Pipeline attack drew so much attention, ransomware operators realized they had a giant target on their backs and shifted their strategies accordingly.
So, where is the greatest threat? Identity and access. Simply put, bad actors want your users’ credentials. In fact, 82% of all cyber-attacks in 2021 involved the compromise of a user’s credentials. To obtain those credentials, threat actors relied on two primary methods: credential dumps from previous data breaches sold or shared on the dark web, and email phishing. With valid credentials in hand, the attackers logged into corporate systems undetected and sent messages from a trusted internal account to decision-makers, money handlers, and third parties, the pattern commonly called business email compromise (BEC). The messages typically involved money transfer requests, access requests, or other attempts to push further into the organization. Because a login with valid credentials looks like normal activity to most controls, threat actors have found these attacks much easier to keep under the radar, and they have clearly been more lucrative than ransomware.
Another striking statistic from the 2021 threat report concerns on-premises Microsoft Exchange servers. While most organizations have migrated to Microsoft 365, some still host their email on in-house Exchange servers. Last year, 25% of cyber-attacks involved exploitation of vulnerabilities in on-premises Microsoft Exchange deployments. Of those, most exploited vulnerabilities for which Microsoft had not yet released a patch at the time of the attack, in other words zero-days. The exploitation was therefore not the result of organizations failing to patch their systems, as many would assume. It is also precisely the case where patching cannot help: against an unpatched flaw, the only defenses that work are the ones that limit exposure, such as restricting where the server can be reached from or retiring it in favor of a hosted service.
The Backwards Approach
Given these statistics, it should be obvious that organizations ought to prioritize strong defenses for their email and identity systems. As we spoke with other IT service providers, though, we were shocked to hear that these were often the lowest-priority items, or simply not addressed at all in their defense strategy. They told us their focus was on the solutions their customers were asking for, such as Endpoint Detection and Response (EDR), ransomware protection, and Security Information and Event Management (SIEM). It is no surprise customers ask for these things: cyber insurance providers ask about those technologies specifically on their applications, and security vendors push them as the one-stop shop for cybersecurity. They are certainly important layers in any defense strategy, but they are all “last line of defense” controls. If one of them is what identifies or stops an attack, the threat actor has already gotten far deeper into the infrastructure than should have been possible.
If budgets are constrained and a decision-maker must choose between investing in preventing an attack or in detecting one, most would choose prevention. But that is not how the options are presented to them. Instead, decision-makers, IT admins, and service providers alike recommend what they hear and see rather than taking the time to understand the threat and prioritize their defenses accordingly.
In our conversations with other IT service providers about cybersecurity strategy, it was clear that most managed IT service providers (MSPs) either did not have a firm understanding of the threat landscape or did not know how to translate it into a service offering for their clients. This is what truly distinguishes mature MSPs, such as Digital Boardwalk, from the competition. Being able to push back against customer demands and develop a cyber defense strategy based on a formal evaluation of risk, operations, and budget is a rare but crucial trait of a mature MSP.
So what is the solution? Which cyber defenses should organizations implement, and in what order? It would be foolish of us to prescribe a fixed list, since the landscape keeps evolving. Organizations should, however, prioritize controls that limit their exposure. An advanced email threat protection platform, beyond the filtering built into Microsoft 365 or Google Workspace, can significantly reduce how many phishing attempts reach end users. Mandatory, organization-wide enforcement of multi-factor authentication (MFA) can likewise significantly reduce exposure to credential compromise, because a password taken from a breach dump or a phishing page is no longer enough on its own to log in. Note that real-time phishing proxies can relay one-time codes and push approvals, so phishing-resistant methods such as FIDO2 security keys are the stronger choice where they are practical. Of course, the best first step is to engage a mature MSP that can evaluate your organization’s current security posture, consider the current threat landscape and the risks your organization is specifically exposed to, and develop a defense strategy based on those risks, your objectives, and your budget.
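One concrete control that limits exposure to the first credential-theft method described above (breach dumps recirculated on the dark web) is to screen passwords against known breach data at set or reset time. The Python below is an added example written for this post, not the author's or any vendor's tooling. It implements the client side of the k-anonymity range protocol offered by the public Pwned Passwords service: the client hashes the password with SHA-1, sends only the first five hex characters of the hash, and receives every hash suffix in that bucket with a breach count, so neither the password nor its full hash ever leaves the client. The endpoint URL and the `Add-Padding` header are the documented ones; the response text, the counts, the decoy suffixes and the test passwords are constructed fixtures so the code runs offline, and the live fetch function is included but not called.

```python
"""Screen a password against breach data with the Pwned Passwords k-anonymity protocol.

Added example, not the blog author's tooling. Only a 5-character hash prefix is
sent to the service; matching happens locally against the returned suffixes.
"""
from __future__ import annotations

import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # documented public endpoint

# Constructed fixture standing in for a live response to GET /range/5BAA6.
# Format: one "<35 hex suffix>:<count>" per line. The second entry is the real
# suffix of SHA-1("password"); the other suffixes and every count are invented.
FAKE_RANGE_RESPONSES: dict[str, str] = {
    "5BAA6": (
        "1D2D4F1A7D0F3A2B7A4C1F0E9D8C7B6A5F4:2\r\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
        "1F0A8C2D3E4F5A6B7C8D9E0F1A2B3C4D5E6:0\r\n"  # count 0 = padding entry
        "not a valid line\r\n"                       # malformed, must be ignored
    ),
}

# Records every prefix the client sent, so a caller can verify that only
# five hex characters ever left the machine.
REQUESTED_PREFIXES: list[str] = []


def hash_prefix_suffix(password: str) -> tuple[str, str]:
    """Return (first 5 hex chars, remaining 35 hex chars) of the uppercase SHA-1 hash."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse a range response into {suffix: count}, dropping malformed and padding lines."""
    counts: dict[str, int] = {}
    for raw in body.splitlines():
        line = raw.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        # Accept only exactly 35 hex characters followed by a decimal count.
        if sep != ":" or len(suffix) != 35 or not count.isdigit():
            continue
        try:
            int(suffix, 16)
        except ValueError:
            continue
        n = int(count)
        if n == 0:
            continue  # padding entries (served when Add-Padding is set) carry count 0
        counts[suffix.upper()] = n
    return counts


def fetch_range_fixture(prefix: str) -> str:
    """Offline stand-in for the network call; unknown prefixes return an empty bucket."""
    REQUESTED_PREFIXES.append(prefix)
    return FAKE_RANGE_RESPONSES.get(prefix, "")


def fetch_range_live(prefix: str) -> str:
    """Real lookup against the public endpoint (not exercised by the offline demo)."""
    REQUESTED_PREFIXES.append(prefix)
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "breach-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch_range=fetch_range_fixture) -> int:
    """How many times the password appears in the breach corpus (0 = not found)."""
    prefix, suffix = hash_prefix_suffix(password)
    counts = parse_range_response(fetch_range(prefix))
    return counts.get(suffix, 0)


def is_acceptable(password: str, fetch_range=fetch_range_fixture) -> bool:
    """Policy hook for a password-set flow: reject anything seen in any breach."""
    return breach_count(password, fetch_range) == 0


if __name__ == "__main__":
    for candidate in ("password", "kX7#v2-constructed-strong-passphrase"):
        hits = breach_count(candidate)
        print(f"{candidate!r}: {hits} breach hits; data sent to service: {REQUESTED_PREFIXES[-1]!r}")
```

To use it against the real service, pass `fetch_range=fetch_range_live` to `breach_count` or `is_acceptable`. The parser deliberately ignores malformed lines and zero-count padding entries rather than trusting whatever comes back, and `REQUESTED_PREFIXES` makes the privacy property checkable: the only thing that crosses the network is a five-character prefix shared by hundreds of unrelated hashes.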