Frank Green, Commissum: “we expect the use of automation and neural networks to be applied to malware”
With rapid technological advancement, migration to the cloud and remote working models, and the overall decentralization of businesses, new cyberthreats emerge and advance – and battling them becomes more and more difficult.
While regular malware detection and mitigation software is usually enough for individuals, well-established businesses and newer startups can visit Cybernews to look into more rounded cybersecurity solutions. Unnoticed vulnerabilities can lead to serious security breaches if found and exploited by cybercriminals. And word on the street is that these cybercriminals are getting more and more advanced with their attacks.
To talk about new challenges arising in the field of cyberdefense, Cybernews reached out to Frank Green, Director at Commissum, a risk management and compliance service provider. We discussed the process of data recovery after attacks, how the pandemic changed the cybersecurity landscape and what can be done to prepare for emerging cyberthreats.
Tell us about your journey throughout the years. How did the idea of Commissum originate?
Commissum was conceived in 2002 as a spin-out penetration testing business from a Scottish management consultancy. Our founder, Martin Finch, started with zero trading clients with the belief that cybersecurity would be the industry that dominated the 21st century. Commissum went on to become one of the founding members of CREST – Martin’s bet turned out to be a good one.
We remained as an owner-managed microbusiness until 2013 when the current Chief Operating Officer, Boglarka Ronto, and myself, were recruited as part of a build and sell strategy. After five successful years of growth and diversification into other areas of cybersecurity, Commissum was acquired in a trade sale by Eurofins Scientific, a €20 billion global powerhouse in the testing, inspection, and certification space. We sit within the UK region of Eurofins’ Digital Testing division, itself a market leader in the software, broadcast devices, and content testing areas.
The story of our growth is, like many businesses who have scaled, one of incredibly hard work, grit, ups and downs!
Can you introduce us to what you do? What are the main challenges you help navigate?
We are a holistic cybersecurity services provider, covering a breadth of services from technical assurance, with specialisms in advisory and audit, penetration testing and red teaming, digital forensics and incident response, as well as having a managed services offering that covers the detect, defend, and respond functions. Ultimately, in this data-driven world, we want to empower our clients to fully understand cyber and proactively protect the value of their digital assets.
We tend to add the most value to organizations that are looking for a strategic partner as they undertake major change. This could be scaling very quickly, cloud and digital transformations, entering new markets (or M&A activity), or recovering from cyber incidents and rethinking their approach to cyber. However, at a strategic level, we help organizations to accelerate cyber capability, protect them from resourcing shocks and wage inflation, and fundamentally de-risk this aspect of their business so they can focus on their core mission.
What does the recovery after a data breach usually look like?
For many clients, this can feel painful and chaotic. Our job is to bring a level head and defined processes that allow us to manage the situation effectively for them and let them do what they are best at – running their business and serving their customers.
From an operational perspective, before any recovery takes place, we will bring our team of Senior Incident Managers and Digital Forensics Specialists to isolate, contain and eradicate any threats, for example, malware. Once this has been done, we can begin the recovery process.
We have recently completed the fit-out of a state-of-the-art, ISO17025-accredited digital forensics laboratory at our new facility in Birmingham where we are able to conduct advanced forensic data recovery, right through to supporting our clients with rebuilding infrastructure. We also deal with post-incident activity, working with our clients’ stakeholders including their customers, law enforcement, regulators, suppliers, investors, and insurers. This activity requires highly specialized skills and you can ask anybody who’s been through this process, you’d rather have a team of experts dealing with it on your behalf.
Quite often, we will be retained to support the client in redefining their cyber strategy and posture to come back stronger than ever.
Have you noticed any new threats emerge during the Covid-19 pandemic?
We actually noticed very few new threats emerge. What changed the threat landscape dramatically was the explosion of organizations’ attack surfaces through remote working and threat actors’ tactics, techniques, and procedures, which were modified to exploit this. Where many organizations were unprepared for whole-scale remote working and were forced into allowing BYOD with cobbled-together secure remote access, we noticed a real jump in security incidents.
One of the concerning cyber trends we saw during the pandemic was the rapid increase in smishing and vishing attacks (SMS & voice phishing respectively) against individuals, which also included the vulnerable and elderly. Using everything from impersonating tax authorities to the NHS vaccine roll-out, criminals have no limits to how low they will stoop. We urge every business and individual to verify every contact with institutions they have.
Ultimately, threats are constantly evolving and, of course, blue teams must stay one step ahead of attackers to keep our clients safe. Theoretically, providing that organizations take proactive steps towards defending themselves by implementing a multi-layered, intelligence-driven approach that covers all aspects of cyber, emerging new threats should be dealt with in a controlled manner.
Why do you think certain companies might not be aware of the security risks they are exposed to?
I would challenge this assertion and say that, in our experience, someone, somewhere, in almost every organization (of any scale) is aware of the cyber risks their organization is exposed to. The challenge is empowering that person, or group of people, to have the right platform and share that awareness upwards to senior management and the board, as well as sideways and down to their peers and the widest level of users across the organization. They must also be given the training to communicate using the right language and message so that the audience is able to process the information and act on it accordingly.
For example, when communicating with the board, you may be expected to provide accurate current and future exposure metrics so that they can benchmark and direct effort and investment into the right areas. Where the exposure message is to users, colleagues, or other employees, this should be combined with education and awareness to help the organization to reduce its overall risk to external threats. The risks should also be communicated to supply chain partners and customers where appropriate.
In the rare instances that we see a genuine lack of awareness of security risks across the whole organization, it has been with fast-scaling businesses that have not made the time to mature their cyber posture in line with their growth, or perhaps have significant knowledge gaps in their personnel. When we have encountered these situations previously, we have acted quickly to support rapid maturity and implementation of controls. A lack of awareness of cyber risk at any level, but especially at the strategic decision-making level, can lead to security incidents.
Besides quality risk management systems, what other security measures do you think should be adopted by every modern company?
Security measures must always tread the tightrope between allowing the organization and its users to operate as fast as it can, without perceived blockers, whilst protecting the organization and its data in line with risk appetite.
Technical security controls can seem like silver bullets from vendor marketing material; however, companies are still lacking potentially low-cost controls that would reduce risk well, namely implementing:
- Multi-factor authentication everywhere
- An effective vulnerability management and patching program
- Internal network segmentation and granular access controls
We are also seeing widespread uptake of managed detection & response services, providing visibility of threats across internal networks and this capability is now a ‘must have’ and is accessible where this may have been previously deemed a ‘nice-to-have’ or have never made the budget.
What dangers can customers be exposed to if a company they trust struggles to ensure information security?
Protecting against supply chain attacks is a key priority for any business. With these types of attacks rapidly increasing in 2021, investment in this area of cybersecurity will increase accordingly.
For organizations looking for insight and guidance, they should consider who their customer is.
For consumers, dealing with a B2C company, that trust is implicit. For example, when was the last time you asked your utility provider, local authority, or any other company you deal with in your personal life, for their ISO27001 Statement of Applicability or last pentest report? Therefore, B2C companies have the highest levels of regulation but, as we have seen time and time again, fall victim to well-publicized cyber-attacks. That loss of trust can be devastating for everything from share price to the bottom line. They need to recognize that consumers are vulnerable entities and must take the most precautions to protect them and themselves from the risk of attacks and potential regulatory enforcement for failures.
As a B2B company, you should expect your customers to impose high levels of security governance, risk management, and compliance, perhaps even more so than their own. As global supply chains become highly integrated, they are increasingly vulnerable to even small shocks. A cyberthreat can propagate at lightning speed from your suppliers, through you, to your customers with cascading effects causing exponential damage. The best way to protect supply chain ecosystems is by adopting minimum standards and being transparent with their risks. We are increasingly seeing contracts that have cyber requirements that would not have done so even two years ago.
In your opinion, what kind of attacks are we going to see more of in the upcoming years? What can average internet users do to protect themselves?
At the APT level, we are seeing hostile nation-states using cyberattacks against their enemies in asymmetric warfare. These attacks are being conducted against everything from financial markets’ infrastructure, to utilities, and other aspects of critical national and communications infrastructure, as we have seen recently in the news.
We also expect the use of automation and neural networks to be applied to malware as the evolutionary arms race continues between attackers and defenders.
For the average internet user, if you are using a laptop or other device, the advice continues to be to ensure that anti-malware software is deployed and kept up to date, along with other software. Be aware of fraud and other online scams – don’t open email attachments that you’re not expecting, never click links in suspicious emails, and always check the sender’s address to ensure it’s from who it claims to be. When making purchases online, take advantage of credit cards or PayPal, and always use multi-factor authentication where possible. Remember, if something sounds too good to be true then it most likely is!
Remember, attackers will try to reach you through any available channels, including by phone, text, WhatsApp, and other messaging services.
Tell us, what’s next for Commissum?
We continue to grow organically within our core market geography of the UK. However, our focus will be on the next generation of services around secure software development and total assurance. Our integration within the wider Eurofins Digital Testing organization will bring holistic managed services across the entire software development lifecycle to enterprise clients. As we grow, we are committing significant resources to innovation and R&D. These services are beginning to go live with beta users and we are incredibly excited to deliver our unique offerings to the market.
Whilst we don’t want to be the largest organization, we are focused on becoming the first-choice assurance partner when enterprises look to the market.