Rob Shapland, Head of Cyber Innovation at Falanx Cyber: Building a Holistic, Business View of Ransomware Will Save Your Reputation

C-level leaders have realised that ransomware is a business problem that won’t simply go away upon paying the ransom. Rob Shapland, the highly regarded cybersecurity trainer, argues that companies that have a holistic view can better plan for threats, prevent lateral movement, and control the narrative in the aftermath of attacks.

The sheer number, persistence and sophistication of ransomware attacks have gone up in recent times. In 2021 alone, a staggering 623 million attacks happened. All trends indicate that 2022 has headed in the same direction. In the same period, the number of ransom payments that have hit the million-dollar mark has gone up. Not just cybersecurity leaders, but the entire board has begun to pay closer attention.

To make sense of these trends and see how leading organisations are moving forward, we sat down with Rob Shapland, the Head of Cyber Innovation at Falanx Cyber. He is a highly regarded cyber security awareness trainer, ethical hacker and cyber security commentator. He has appeared on Good Morning Britain, ITN News, BBC’s Victoria Derbyshire show, Channel 4’s “Joe Lycett’s Got Your Back,” and Talk Radio Europe. Here, he offers a gritty yet ultimately optimistic analysis of the situation.

Rob Shapland
Head of Cyber Innovation,
Falanx Cyber

Rob Shapland is an Ethical Hacker and Head of Cyber Innovation at Falanx Cyber. He routinely appears on TV and media to talk and inform about the latest in cybersecurity. He also specialises in red teaming, cyber security awareness training, social engineering, penetration testing and cybersecurity consultancy.

Cybersecurity Has Changed Fundamentally

Rob cut his teeth in cybersecurity as a penetration tester. This was nearly 15 years ago, when cybersecurity was still an esoteric area of business that fell within the remit of technical leaders (the role of CISO had been only recently created, in 1995). But soon, cyber-attacks would mushroom, and so would cybersecurity in response.

Today at Falanx Cyber, Rob specialises in Red Teaming. Red Teams combine technical and social engineering skills to simulate sophisticated, full-scale attacks on their client’s most valuable physical and digital assets. Thus, they expose their client’s weaknesses before real malicious actors find them.

“You’re dressed up as a Hollywood film producer,” said Rob, describing what Red Teaming is like to CEO.digital. “You get yourself past security, reception, and get inside the building, and if you can get in, in such a way that you are trusted, then there’s a problem.”

He has done Red Teaming work for FTSE 100 companies, and it used to be more centralised. But recently, something has dramatically changed.

“Decentralization of work and people working from home has made it easier for criminals,” argued Rob. “Before, if I was targeting a company, I knew they were based in a central office. They would have secure connections to that office and so on.

“Now, suddenly you had every employee working from home on their home Wi-Fi router with no secure connection.”

The result? A growing attack surface. More points of entry. Easier penetration.

The Response to Cyber Threats Is Also Changing

Responding to this new hybrid reality has been one of the top C-level agenda items. While many companies have adopted VPNs as a security measure, VPNs are also notoriously slow and don’t always provide the best employee experience. And when your organisation has hundreds of mission-critical applications and employs thousands of people across the world, employee experience is vital for productivity. That’s why Zero Trust is gaining currency.

Zero Trust networks make access both safe and seamless. They break the implicit trust in the network and make lateral movement of ransomware extremely difficult. But buyers, be aware.

“If everyone transitions to zero trust, new attacks are going to come out still. It’s not going to end. Attackers are always going to find new methods of bypassing it. But it’s certainly a good approach.”

Zero Trust is just one side of the equation. On the security operations side of things, companies are integrating their tools into a holistic system, under the umbrella of Extended Detection and Response (XDR) or Managed Extended Detection and Response (MXDR). Through this, companies acquire greater automation, a complete attack story, and much higher precision in response.

But, again, Rob’s enthusiasm for XDR is tempered by his realism.

“If I was advising an enterprise on what to get, XDR is one of the first things I would be saying. . . It’s a good starting point because you can detect anything weird going on. But it’s not foolproof. Nothing’s ever going to be foolproof.”

Taking a Business-First, Reputation-Centric Approach to Cybersecurity

Rob’s view is that cybersecurity is always going to be a temporary solution to a permanent problem. As long as companies have valuable assets, ransomware attackers will go after them. So, business leaders would be well-advised to take a holistic, business-first, reputation-centric view of cyber threats.

He wants C-level leaders to extend their vision past the ransom money and see the colossal damage ransomware attacks can do to the business operations, brand equity, customer trust and future viability of the company.

“What the C-level don’t realize is just the impact of not being able to operate as a business,” Rob said. “You are going to be offline for a period. That means no email, no communication between employees, no ability to talk to your clients, not even an idea of who your clients are, unless you’ve written it down on paper or they’re in people’s memory.

“Then, after you’re up, you must phone those clients and say, we’re back online, but we believe that your data is out there with a criminal group. Then, the [customer] questions come back. What are you going to do?”

Accounting for all these things before the attack happens will save you a lot of grief later. At the moment, C-level leaders are so focused on just the ransom money that they often lose sight of the business impact.

Final Thoughts

As we reached the end of the interview, Rob emphasised the importance of communication during crises. A great deal of customer trust can be retained if companies simply acknowledge mistakes, take charge of the situation, and communicate key information about the breach. Nothing too specific. Nothing too vague. Just what customers need to know to be reassured that they’re in safe hands. He cites the recent Cisco data breach as a good example of how companies can own up and manage the narrative.

Internally, more hands-on, scenario-driven training, rather than once-a-year, online refreshers, will help companies stay on top of their cyber game.

So, it all boils down to one question: do you have a business-first approach to cybersecurity?

Learn More About Falanx Cyber

Falanx Cyber puts enterprise-class cyber security services within reach of every organisation. They identify areas of cyber risk threatening the integrity of your business and provide complete end-to-end managed cyber security services to alleviate those risks.