Cybersecurity in 2023: How to avoid paying a King’s ransom without breaking the bank

 |   Russell Craig, National Technology Officer, Microsoft New Zealand

Many businesses will have enjoyed a welcome break over the holiday season, unless they’re in one of several key sectors – retail, hospitality, tourism, and of course, cybercrime.

Many people still think of the stereotypical “lone wolf” hacker, testing the boundaries of major corporations simply for the thrill. Nothing could be further from the reality. Over the past few years, cybercrime has become a business like any other.

In these inflationary times, many legitimate businesses are looking to do more with less. For some, this might include considering cutting back on security spending. For boards and business leaders, who are held responsible for protecting their organisation’s data, it’s vital not to be caught asleep at the wheel. The question is, is it feasible, responsible or even possible to minimise security spend while keeping your data, operations – and reputation – safe in the face of increasingly sophisticated cybercrime?

Here are the key trends and solutions to look out for in 2023.

The growing risk landscape

Few cybercriminals develop their own technology anymore, when there are off-the-shelf, cost-effective solutions easily available on the dark web. If you want to “blow the doors” to an organisation’s defenses, someone’s got exactly the right software for sale. Or if you’re a ransomware criminal enterprise, you can approach brokers to sell you illegal access to compromised networks – and hire external “Ransomware-as-a-Service” teams that contact victims on your behalf, allowing you to scale up operations at a truly global level without needing any major technical expertise.

And globally, business is booming. The Microsoft Digital Defense Report, released in November 2022, paints a grim picture. Microsoft alone blocked more than 37 billion email threats and nearly 35 billion identity threats in the year to June 2022. New Zealand is not immune. Security providers belonging to the National Cyber Security Centre’s Malware Free Networks alliance have detected more than 169,000 threats to New Zealand since the middle of last year.

Where are the greatest risks?

Covid-19 was responsible for putting millions more workers online in less than a year, creating millions more potential points of access for cybercriminals. Yet as the new Microsoft Cyber Signals report shows, the use of IoT devices and operational technology (smart equipment) has also ramped up as organisations embraced automation. Unlike workers’ laptops and internet connections, securing these is often an afterthought. It’s the old “security through obscurity” mindset – expecting that because it’s such a small thing, no one could possibly find it or notice.

However, bad actors are increasingly exploiting these to gain access to businesses’ networks, scanning the internet for exposed devices. One unsecured IOT device means they can easily establish a foothold in a supply chain or disrupt an organisation’s operations, and harness all of these devices for crypto mining or attacks on other organisations.

How to become a tough target – at less cost

While no organisation can ever reduce the risks to zero, making yourself a tough target can make it too costly for cybercriminals to bother, sending them on to easier pickings.

The new adage to keep in mind is: assume your IT environment is already compromised, and don’t bring a knife to a gunfight. There’s no denying that cybercriminals can outgun almost any organisation on its own. That’s where leveraging technologies such as public cloud, which are developed, outsourced and continuously upgraded by teams of global professionals, can dramatically increase your security while reducing internal resource and investment in security infrastructure. For context, Microsoft’s own cybersecurity team consists of around 10,000 people, whose sole job it is to monitor and counter cyber threats.

But while the cloud reduces the need for individual investment, it’s still up to businesses to take care of the fundamentals. If you don’t have automated updates, make sure to download any patches as soon as they’re released. On average, 78 per cent of devices are still using unpatched versions of Microsoft software nine months after a patch is released – or in layman’s terms, leaving the front door keys under the mat. Also, around 98 per cent of cyber-attacks can be prevented simply by turning on Multi-Factor Authentication (MFA), which is standard across Microsoft applications.

Likewise, many corporate and public sector customers already have licences to advanced security software that they simply aren’t using. The Microsoft Digital Defense Report revealed that overwhelmingly, public sector organisations weren’t placing the right controls in place to restrict users’ access only to those parts of the system relevant to their role. Credential theft attacks remain one of most popular types. The damage is easily limited by the kind of software people already use every day, with more specialist digital identity tools available for complex situations.

The key is to ask IT partners to help you get the most out of what you already have, and help create effective security operations and data protection strategies. Having ineffective security processes doesn’t just provide opportunities for attackers – it significantly impacts the time it takes businesses to recover. Businesses can also save by upskilling their people so they know what to look out for, and how to manage issues quickly if the worst should happen. Good security hygiene can neutralise an awful lot of bugs before a little infection becomes a major cyber outbreak.

Have zero trust

The best safeguard against cyberattacks is to take a Zero Trust approach. This requires organisations to assume a hacker or bug is already inside their system. Everyone who uses workplace systems must verify their identity every time and permission to open files is restricted to only the people who need access – when they need it. It’s the digital equivalent of a security guard checking your ID every time you pass.

It may seem like adding extra layers of hassle, but good security isn’t just a negative – protecting against having your data stolen – it can also boost growth, efficiency and innovation. It enables organisations to be more confident about digital transformation and to try new technologies which allow them to do more for customers.

As inflation and interest rates put pressure on bottom lines in 2023, bear in mind that done right, cybersecurity systems actually reduce cost, while adding a whole lot of value.