Cybersecurity has always been a relevant topic to outsourcers and the Nearshore at large. By its nature, companies in the industry employ the services of a wide network of third party providers, stretched broadly across geographies and segments.
While only those in the industry may be familiar with the issue of concentration risk, anyone who has glanced at their cellphone or turned on television over the pandemic period has witnessed the rise of cyberattacks in the digital space.
But for company bosses worried about their company’s cybersecurity exposure, Christos Kalantzis, Chief Technology Officer at SecurityScorecard, a leading cybersecurity risk monitor and rater used by vendor managers to assess third-party risk, has some good news.
“Hackers are innately lazy and will move onto the next target if the barrier to entry is too high,” he told Nearshore Americas recently.
For that reason, it’s vital that Nearshore companies perform simple steps to protect their digital footprint.
Even before locks, hacks had hit some of outsourcings biggest names. In 2019, Indian outsource giant Wipro was hit by attackers who “were able to install remote access tools and get into the network of Wipro’s clients,” reported the Identity Management Institute (IMI). Aside from damage to its reputation and probable financial cost and/or penalties, the hack also cost the company a planned contract with the State of Nebraska to help upgrade its Medicaid enrolment system, said IMI.
KrebsOnSecurity, an IT security industry news portal, reported that the same phishing campaign that hit Wipro targeted some of its well-known competitors, including Infosys and Cognizant.
“Hackers are innately lazy and will move onto the next target if the barrier to entry is too high” — Christos Kalantzis
Phishing, a form of fraud by which intruders send emails purporting to be from genuine companies or individuals to introduce malware into a system or pursued a recipient to give up personal information, has become a rich vein for hackers to tap during work from home. In March 2020 as workforces made a wholesale adaption to fully-digital communication, there was a whopping 2,000% increase in malicious files that had “Zoom” in their name, while spear-phishing (email scams targeted at one specific or business) jumped 667%, according to Barracuda.
With such a jump in numbers, cybersecurity is difficult to guarantee. Even with companies extending the reach of their PCI compliance strategies into the home environment, few IT securities are ever completely secure.
Even simple errors can be costly; the Colonial Pipeline hack that paralysed the fuel supply of large parts of the US’ East Coast in May was caused by hackers stealing a single password.
Meanwhile, the recent hack of Kaseya, a Miami-based company that provides software to IT outsourcers, was hit by an attack that spread to its clients networks. Up to 1,500 clients were affected Reuters reported, while the hackers responsible demanded US$70 million to restore Kaseya’s operations.
For Nearshore companies that want to assure their business continuity, their reputations and their digital integrity, cybersecurity is now a primary concern. Events like the wildly successful IPO of cybersecurity start-up Darktrace demonstrate the potency of the cybersecurity sector, while Gartner has predicted that corporate security market will see growth of over 10% annually on average through 2024.
Cybersecurity in a Changing Landscape
According to Kalantzis, the cybersecurity landscape is changing. While the arrival of Covid-19 did accelerate corporate progress in digital transformation, the world was already heading along the path towards greater digital reliance. This has reshaped how we think about tech, Kalantiz argues.
“We used to think ransomware attacks targeted tech companies. But now, every company is a tech company. Every company has a component that is tech-based. That may be e-commerce or electronic data interchange. This is today’s reality,” he said.
While full suite security standards can price smaller Nearshore companies out of the market, there are simply steps that help dissuade hackers from attempting to do damage to a company’s IT systems. Because hackers usually send out ‘waves’ of attacks to gauge which systems are vulnerable and therefore worthy of persistent effort, companies should raise their cybersecurity standards to put them out of harms way, says Kalantzis. Hackers don’t want to be made to work hard.
They know there is a whole sea of low barrier targets so they need not waste time and effort on one particular company. This is why the recommendations we provide are important,” said Kalantzis.
1. Know Your Digital Footprint
“It’s amazing how many companies do not know the extent of their digital footprint, and if you don’t know what you’ve got then you can’t protect it,” explained Kalantzis.
There are a multitude of potential security platforms that can help companies understand the full reach of their online footprint, and can therefore begin the self-protection process. SecurityScorecard provides that digital footprint for around 8 million companies at present.
2. Scan and Monitor
“Once you know what you’ve got, scan and monitor continuously. That includes scanning from behind the firewall with a vulnerability management tool. It also includes scanning your public digital footprint from the outside in, as we do. You need to know what others see of your digital footprint, and that can only be by an outside scan performed by those who know what to look for and can do it continuously,” said Kalantzis.
3. Prioritize the Fixes
“Once you’ve scanned and have identified vulnerabilities, you need to prioritize what to fix. You have very likely found many points of exposure but there is only so much time in the day and the security landscape is constantly moving. New exposures arise all the time. It’s therefore important to prioritize what to tackle having decided upon your most important vulnerability risks,” he said.
4. Prioritization Depends on Context
“Having insights about which vulnerabilities (which CVE’s) threat actors are using to infiltrate networks is a must to help prioritize what to remediate,” said Kalantzis.
5. Remediate Findings
Having an Infosec team with all the right skills to remediate all possible findings is not a reality for most companies. However, SecurityScorecard offers a marketplace where service vendors and buyers can find each other, and the skills necessary to remediate findings can be acquired,” he said.