Patrick Evans – Tech | Business | Economy
https://techeconomy.ng

Cybercrime is Spiking and Security Skills are Scarce
https://techeconomy.ng/cybercrime-is-spiking-and-security-skills-are-scarce/
Tue, 05 Jul 2022 07:41:03 +0000

The world generates an estimated 2.5 quintillion bytes of data every day. Amidst this mind-boggling amount of chatter, a very real threat is lurking: cybercrime, which has increased by 600 percent since the start of the pandemic, the United Nations reports.

This surge in nefarious cyber activity kicked off when global lockdowns saw millions of employees working remotely and logging in from their unsecured home computers.

According to the Fortinet Global Threat Landscape Report, 80 percent of organisations experienced one or more data breaches during 2021, with a tenfold increase in ransomware attacks alone.

Patrick Evans, Chief Executive Officer of SLVA Cybersecurity, says that cyber threats are increasing at a rate far greater than the industry is able to cope with, and small and medium enterprises (SMEs) are particularly vulnerable, as the financial impact of falling victim to these security breaches can result in their total collapse.

A sobering thought when you consider that 43 percent of cyberattacks are aimed at small businesses, according to Accenture’s Cost of Cybercrime Study, and only 14 percent are adequately prepared to defend themselves.

As the business landscape rapidly evolves, simply keeping abreast of technology advancements and security vulnerabilities is no longer enough, Evans warns. Data breach risks need to be managed strategically, and this requires a very specific skill set.

“Previously CIOs and CTOs were expected to take data security into their fold, but if anything is clear from the increasing threats in recent years, it is that there is a need for a separate security role,” he states. 

The importance of a CISO

This is where a Chief Information Security Officer (CISO) comes in, and business owners are starting to realise the importance of this role in their organisations. “Even if a company has an accomplished and technically skilled team on board, utilising the services of an advisor with decades of experience on how to mitigate the risks and implement up-to-date security measures is invaluable,” says Evans.

Not all organisations, however, have the budget or even the need for a full-time CISO, and there is currently a shortage of skilled cybersecurity professionals.

The answer to this is a virtual or fractional CISO – an outsourced security practitioner who, drawing on a wealth of experience in the cybersecurity industry, can provide valuable insight, advice and mentorship to help prevent an attack or recover from one, usually part-time and remotely.

Evans outlines some of the challenges facing organisations and how a virtual CISO can help:

Cyberthreats are increasing rapidly

There is a huge increase in the number of threats facing organisations, with ransomware becoming increasingly prevalent.

The LexisNexis True Cost of Fraud Study reports that cyberfraud in South Africa has increased by 41.5 percent since 2019, and new data from Mimecast’s State of Email Security 2022 report found that 60 percent of South African organisations had suffered a ransomware attack in 2021, up from 47 percent in 2020.

“Ransomware does not select the type of company that is attacked; it looks for the weakest attack surfaces. SMEs, educational institutions, and those in manufacturing and other verticals are often the subjects of the most severe attacks, which can be financially crippling.” This is partly because these industries have been slow to adopt a security-first approach or do not have the funds to onboard a full-time information security officer. “It’s a catch-22 situation. The most vulnerable are the ones who do not have the resources to adequately protect and mitigate attacks,” says Evans.

Financial impacts are severe

The financial impact of falling victim to a cybercrime, especially as an SME, can be devastating.

The average cost of recovering from a ransomware attack is approximately USD 1.85 million, according to research from cybersecurity firm Sophos. Businesses, especially small and medium ones, can ill afford such an attack.

According to Evans, “Cyberattacks do not simply take down a website. They can completely shut down business processes and, worse still, hold a company’s entire IP or customer database for ransom.” The result is a complete shutdown in order to recover the business, and the added risk of penalties and fines from regulators as a result of data protection laws. In many instances, these risks are not quantified nor are there adequate risk mitigation and recovery procedures put in place. “Many times, it is a tick-box exercise without ongoing processes to ensure continued compliance and protection.”

Shortage of skills

There is a dire shortage of cybersecurity skills globally. Fortinet reports that 60 percent of organisations struggle to recruit cybersecurity talent, and South African skills are at an all-time low, with many CISOs leaving for lucrative opportunities abroad. Combine the increase in cybercrime with the shortage in cyber skills, and we have a perfect storm brewing.

The answer? A virtual or fractional CISO

Fortunately, there is a solution. Virtual or fractional CISOs (vCISOs) provide those that need it most with solutions to fit their needs and budget and go several steps further than simply box-ticking. “SLVA Cybersecurity offers this service to SMEs and other businesses that have neither the need nor the funds for a full-time security officer. These virtual CISOs are industry veterans and offer expert advice for a fraction of the cost,” shares Evans.

SLVA works with customers to develop fit-for-purpose, fit-for-budget solutions, ensuring that they receive exactly the CISO service they need to remain on top of the industry’s most pressing challenges, no matter their size or budget. “There are different CISOs for different purposes. Together with my co-founders, Steve Jump and Andrew Odendaal, each with over 20 years’ experience in the information and cybersecurity industries, we identified the different CISO roles that organisations typically need.”

These include:

  • Interim vCISO: Your organisation may require an acting vCISO while you source someone new for the role. The interim vCISO can fix urgent issues and put in an action plan to take your company to the next level of cyber resilience. They can also assist in finding a suitable full-time CISO.
  • Shadow vCISO: If you have decided to employ someone with only a few years’ experience and “grow” your own CISO, a shadow vCISO can be provided to nurture and groom the unseasoned employee. 
  • Mentor vCISO: If you are worried about your company’s current security function, you can hire an industry expert to coach and mentor your current CISO or CIO. 
  • Post-compromise vCISO: After an attack or security breach, you may need to bring in someone with extensive, post-compromise recovery experience to help you deal with the aftermath while your CISO carries on with business as usual. A post-compromise vCISO, who has weathered many breaches, including ransomware, can offer invaluable assistance.

The Evolution of Vulnerability Management
https://techeconomy.ng/the-evolution-of-vulnerability-management/
Fri, 03 Jun 2022 17:53:30 +0000

As organisations focus on digitally transforming their enterprises, cybersecurity professionals have been facing an expansion of their attack surface – compounded by the digital explosion during the pandemic.

Almost every category of cyberattack increased over the course of 2021. The number of encrypted threats spiked by 167 percent, ransomware rose by 105 percent, and intrusion attempts climbed by 11 percent.

Cyber economy research giant Cybersecurity Ventures expects global cybercrime costs to grow by 15 percent per year, reaching $10.5 trillion USD by 2025. 

Despite this, a PWC survey of security and technology executives last year showed that only 55 percent of cybercrime victims believed they were ‘well prepared’ to address these breaches — and 45 percent weren’t.

Proactive threat intelligence

In today’s world, ‘well prepared’ will never mean ‘invulnerable’. Faced with such a rapidly evolving threat landscape, it’s virtually impossible to address every risk.

In fact, The Cyber Security Intelligence Agency reports that only 50 percent of organisations are remediating fewer than 15.5 percent of their vulnerabilities monthly, says Patrick Evans, CEO of specialist cybersecurity solutions provider SLVA Cybersecurity.

“IT managers are suffering from vulnerability fatigue. They’re caught in an infinite loop of testing and patching, draining resources and accumulating costs, often getting attacked through a vulnerability they were unaware of. Organisations must start moving away from trying to fix all vulnerabilities to focus on those that matter.”

Gartner’s Top 10 Security Projects for 2020-2021 report recommends risk-based vulnerability management: “Don’t try to patch everything; focus on vulnerabilities that are actually exploitable. Go beyond a bulk assessment of threats and use threat intelligence, attacker activity, and internal asset criticality to understand real organisational risk better.”

The use of vulnerability scanners is no longer sufficient, often overwhelming security specialists with the volume of vulnerabilities to remediate. “Not all detected vulnerabilities require immediate action,” says Evans. “Context is important. It’s not uncommon for organisations who take security seriously to use tools like vulnerability management, vulnerability prioritisation, breach and attack simulation, and pen testing – providing multiple vulnerability ratings that remain siloed. To be truly effective, a single, more comprehensive risk console is needed.”

New landscape, new solutions

An effective, comprehensive strategy today leverages threat intelligence and threat actor landscape to assign a tailored risk score to identified vulnerabilities.

To bring such a solution to local shores, SLVA Cybersecurity recently became the distribution partner and reseller for HivePro in South Africa. “With HivePro, security teams get a view of all their current approaches and where the top 15 percent of vulnerabilities lie so that they can prioritise those threats. Importantly, this happens on a continuous and evolving basis,” says Evans.

HivePro’s Uni5 uses the current known vulnerabilities and threats to provide a unified view of the true vulnerability risk in an organisation. It is the only vulnerability prioritisation technology that contextualises risk by checking the efficacy of an organisation’s compensatory controls, providing actionable intelligence for rapid vulnerability remediation.

Users see a combination of asset criticality, external threat context, internal compensatory control and patch intelligence to proactively reduce their attack surface before it gets exploited.

Uni5 uses four different groups for risk scoring: The first shows severe risks that could affect the organisation’s most critical assets and require immediate patching, the second group contains moderate threats to critical assets, the third shows high risks to non-critical assets and, lastly, moderate risks to non-critical assets.

Uni5 also orchestrates patch and configuration management to fix vulnerabilities, taking threat priorities into account. “These strategies are the way forward for organisations looking to take their threat intelligence to the next level. Perfection might not be possible in today’s ever-changing threat landscape, but proactive protection is,” says Evans.

As HivePro’s local distribution partner, SLVA Cybersecurity provides a zero-cost proof of value to clients, providing an immediate snapshot of the top 15 percent of vulnerabilities that will place the business at risk. MSSPs, service providers and resellers can also partner with SLVA Cybersecurity to provide this solution to their clients.
