Over the past two decades, the world has transitioned to a digitally dependent business landscape. Almost every business, regardless of size and industry, has an online presence to communicate effectively with customers and serve customers on a larger scale. However, this transition to a digital age brought its own problems. As companies continue to use digital solutions to store sensitive corporate, financial and customer data, cybersecurity breaches have skyrocketed.
In 2006, the average cost of a data breach to US companies was $3.54 million. In 2014 it had grown to $5.85 million, and by 2022 it had grown to $9.44 million. These cybersecurity breaches and hacks have spread across a wide range of businesses and industries. In 2019, about 76% of U.S. businesses experienced a hack, with additional reporting indicating that about 60% of small businesses fail within six months of a cyberattack. As a result, many companies are looking for proactive measures to monitor their network activities to secure their financial security and future.
Anthony Oren, CEO of Nero Consulting, a technology consulting and managed services company, believes that one of the biggest reasons for the increase in cyberattacks is the move to a remote working model.
“Every 11 seconds, a company experiences a ransomware attack. This is due to the ability of cybercrime, unlike other forms of crime, to design systems and protocols that automate their operation and ensure that attacks occur 24 hours a day,” says Oren.
“The advent of remote working, while convenient for employees, is a major problem for corporate networks as it has significantly increased the risk of data breaches and downtime for businesses everywhere. Remote work is not going away, so being proactive is needed to combat this growing threat.”
I had the opportunity to interview Anthony Oren to delve deeper into the cybersecurity challenges facing remote work. Oren shares his company’s relevance to cybersecurity, pointing out how solutions often teeter on the delicate balance between quantifying cost versus exposure and risk.
Rod Berger: The concept of remote working has been around for a long time, but it really took off when the pandemic hit. Businesses were forced to work remotely to comply with lockdown protocols and keep their workforce safe without business coming to a standstill. How does this working model affect how companies address their cybersecurity needs?
Anthony Oren: Before remote working became widespread, most people commuted to work and used computers and other devices that were present in their office. Post-pandemic, many are now working from home and likely accessing sensitive company data with their personal laptops and phones, while also using their home network or public Wi-Fi. This scenario creates a lot of problems for companies because unmonitored, sanctioned devices and tools are not under the company’s corporate network. In addition, it increases the endpoints that hackers can get through and increases the chances of an attack succeeding.
There’s also the fact that employees may not be as knowledgeable about best practices to protect against a breach outside the office. It could be something as simple as letting someone look over their shoulder at their computers in public areas, not using a reliable VPN to access office networks, not using multi-factor authentication programs, or letting friends and family use their devices. This reality puts tremendous pressure on security teams and makes their jobs much more difficult.
Berger: I assume there are measures companies can take to mitigate the risks of remote working to their security. People have become accustomed to working remotely, so it is unlikely that companies will easily demand a return to office environments.
Oren: Yes. Businesses will need to cast a wider net so that their endpoint security solution covers all devices used by their staff when they are away from the office. It’s also a good idea to restrict access from unrecognized devices. Security solutions must have a robust endpoint detection and response (EDR) capability because most employees are not technically inclined to handle sophisticated attacks on their own. These systems are exactly what we have put in place for our customers.
Berger: I imagine any project to build or expand a company’s security framework is expensive.
Oren: It can earn you a pretty penny. That’s why I first audit my customers’ networks to determine the necessary security measures.
Berger: You mean there are times when it makes no sense to improve a company’s network security?
Oren: The wisdom I want to share with others is that the cost of a solution should always be proportional to the risk you are trying to mitigate. In other words, the cost of your solution must be justifiable. So I encourage my clients to ask themselves: Is their company willing to spend $100,000 on a solution where the total exposure is about $10,000? After all, other solutions may not look ideal or cover only part of the risk, but the costs may be significantly lower.
The lesson is that when trying to justify the cost of a solution, it’s difficult to quantify the actual or estimated cost of your risk exposure. This is difficult because not every aspect that contributes to your risk exposure has a fixed or known amount, and much depends on the type of data, regulations, legislation and precedents.
Berger: Summarizing the complexities and nuances, cybersecurity solutions often depend on the cost of exposure. Let’s move on to your business. What challenges have your customers faced that show why companies need to strengthen their network security?
Oren: I remember a client we had not too long ago. It was a premier company and we helped them save over $1 million by disrupting a hacker’s wire fraud actions about 30 minutes before the money was sent to a foreign bank. We also fully recovered a company’s network after a successful ransomware attack managed by another information technology (IT) provider. Month after month, we help our customers avoid cyber-attacks while improving our cybersecurity stance and expanding our arsenal of defenses to keep our customers safe.
Berger: Do you think there is a permanent solution to cybersecurity problems facing businesses? Is it fool’s gold to believe that there is something that could discourage the whole idea of cyber-attacks?
Oren: The only way I can think of to permanently discourage cyberattacks is to remove the incentive. At Nero, we have begun expanding our partnerships with technical, legal and business experts in collaboration with local and global law enforcement, security companies, researchers, NGOs and customers to better fight cybercrime. To bankrupt the business of cybercrime, the good guys have to cut profits and make the cost to hack much higher to remove the profit motive.
I also strongly believe in creating regulations that require companies to deploy effective cybersecurity solutions. By regulating how secure software should be with recommended hardware, cyber attacks can be countered.
It seems we are approaching this era. Companies like Microsoft are already strengthening their legal and business departments to meet the coming wave of technical regulation across industries and around the world. More regulation will lead to tighter controls and security, hopefully putting the bad guys out of business.
Cyberattacks have a way of infiltrating all aspects of society. Whether it’s stealing money directly from companies or capturing critical personal data from health institutions and education portals across the district, the effects are real and devastating. As a result, Nero and other cyber-focused consultancies focus on finding personalized solutions that move with the ever-changing IT landscape.
As Oren sees it, cyber threats are not going away. But with new regulations on the horizon, he looks forward to implementing software and hardware advancements that could push many more nefarious businesses out of business.
Interviews have been edited and shortened for clarity.