Cybersecurity efforts have expanded with burgeoning remote workforces across the globe.
In the past two decades, the world has transitioned to a digitally dependent business landscape. Almost every business, regardless of size and industry, has an online presence to effectively communicate with and serve clients and customers on a wider scale. However, this transition to a digital era came with its own set of problems. As businesses continue to leverage digital solutions to store sensitive business, financial, and customer data, cybersecurity breaches have grown in leaps and bounds.
In 2006, the average cost of a data breach to U.S. businesses was $3.54 million. In 2014, it had risen to $5.85 million, and by 2022, it had grown to $9.44 million. These cybersecurity breaches and hacks have spread across a wide variety of businesses and industries. In 2019, about 76% of American businesses experienced a hack, with added reporting indicating about 60% of small businesses fail within six months of a cyberattack. As a result, many companies are searching for proactive measures to monitor their network activities to help secure their financial security and future.
Anthony Oren, CEO of Nero Consulting, a technology consulting and managed services company, believes one of the biggest reasons for the increase in cyberattacks is the move to a remote work model.
“Every 11 seconds, a business experiences a ransomware attack. This is because of the ability of cybercrime, unlike other crimes, to design systems and protocols that automate their operation and keep attacks happening around the clock,” says Oren.
“The advent of remote work, while convenient for employees, is a big issue for corporate networks as it has significantly increased the risk of data breaches and downtimes for companies all over. Remote work isn’t going away, so proactivity is needed to fight this growing danger.”
I had the opportunity to interview Anthony Oren to dive more deeply into the cybersecurity challenges facing remote work. Oren shares his company’s relevance in cybersecurity while pinpointing how solutions often teeter on the delicate balance of quantifying cost vs. exposure and risk.
Rod Berger: The concept of remote work has been around for a long time, but it really went full-scale when the pandemic hit. Companies were forced to adopt remote work to comply with lockdown protocols and keep their staff safe without business grinding to a halt. How has this work model impacted how businesses handle their cybersecurity needs?
Anthony Oren: Before remote work became widespread, most people commuted to work and used computers and other devices provided in their offices. Post-pandemic, many now work from home and likely access sensitive company data with their personal laptops and phones while also using their home networks or public Wi-Fi. This scenario creates a lot of problems for companies because unvetted, sanctioned devices and tools are not under the company’s corporate network. In addition, it widens the endpoints that hackers can come through and raises the probability of an attack being successful.
There’s also the fact that employees may not be as knowledgeable about best practices to protect against a breach away from the office. It could be something as simple as letting someone look over their shoulder at their computers in public spaces, not using a reliable VPN to access office networks, not utilizing multi-factor authentication programs, or letting friends and family use their devices. This reality puts enormous pressure on security teams and makes their work much more difficult.
Berger: I’m assuming there are measures companies can take to mitigate the risks that remote work poses for their security. People have become accustomed to working remotely, so it’s not likely that companies can easily require a return to in-office environments.
Oren: Yes. Companies will have to cast a wider net so their endpoint security solution covers all devices used by their staff when they’re away from the office. Restricting access from unrecognized devices is also a good idea. Security solutions should have a robust endpoint detection and response (EDR) capability because most employees are not tech-inclined to deal with sophisticated attacks independently. These systems are precisely what we put in place for our clients.
Berger: I imagine that any project to build or expand a business’s security framework is expensive.
Oren: It can run you up a pretty penny. That’s why I audit my clients’ networks first to determine the necessary security measures.
Berger: You mean there are times when it doesn’t make sense to beef up a business’s network security?
Oren: The wisdom I would share with others is that the cost of a solution should always be proportional to the risk you are trying to mitigate. In other words, the cost of your solution should be justifiable. So I encourage my clients to ask themselves, is their business willing to spend $100,000 on a solution where the total exposure is about $10,000? After all, other solutions could look less than ideal or cover only part of the risk, but the cost could be considerably lower.
The lesson is when trying to justify the cost of a solution, the hard part is to quantify the actual or estimated cost of your risk exposure. This is hard to do as not every aspect that contributes to your risk exposure has a fixed or known amount, and much of it depends on the type of data, regulations, legislation, and precedents.
Berger: Summing up the complexities and nuances, cybersecurity solutions often depend on the cost of exposure. Let’s shift over to your company. What challenges have your clients faced that show why businesses should amplify their network security?
Oren: I remember one client we had not too long ago. It was a prominent company and we helped save them over $1 million by disrupting a hacker’s wire fraud actions about 30 minutes before the money was sent to a foreign bank. We’ve also completely restored a company’s network after a successful ransomware attack occurred when they were managed by another information technology (IT) vendor. Month after month, we help our clients prevent cyberattacks while increasing our cybersecurity posture and adding to our arsenal of defensive tools to keep our customers safe.
Berger: Do you think there’s a permanent solution to cybersecurity issues that businesses face? Is it fool’s gold to believe that there is something that might discourage the whole idea of cyberattacks?
Oren: The only way I can think of to dissuade cyberattacks permanently is to take away the incentive. At Nero, we’ve started to expand our partnerships with technical, legal, and business experts in unison with local and global law enforcement, security firms, researchers, NGOs, and customers to better impact fighting cybercrime. To make the business of cybercrime go out of business, the good guys need to drive the profits lower and the costs to hack much higher to remove the profitability motive.
I also believe strongly in establishing regulations that demand businesses to deploy effective cybersecurity solutions. Regulating how secure software should be with recommended hardware will serve to drive down cyberattacks.
It appears we’re closing in on this era. Companies like Microsoft are already beefing up their legal and corporate affairs department to cater to the coming wave of tech regulation across industries and the globe. More regulation will lead to more stringent controls and security, hopefully taking the bad guys out of business.
Cyberattacks have a way of infiltrating all aspects of society. Whether it’s stealing money directly from companies or capturing critical personal data from health institutions and district-wide educational portals, the effects are real and devastating. As a result, Nero and other cyber-focused consulting companies are focusing on finding personalized solutions that move with the ever-changing landscape of IT.
As Oren sees it, cyber threats are not going away. But with new regulations on the horizon, he looks forward to implementing software and hardware advances that could result in placing many more nefarious operations out of business.
Interviews have been edited and condensed for clarity.