Jamie Smith, S-RM: “people remain some of the most vulnerable attack vectors”

The volume of cyberattacks is only increasing, especially against companies. This signals that businesses need to be better prepared to deal with such incidents.

Data breaches, distributed denial-of-service (DDoS) attacks, ransomware, and other types of attacks are a common risk for businesses of every size. They can have major financial or reputational consequences that are difficult to deal with.

While some companies still follow the “it won’t happen to us” mentality, those aware of the risks that come with cyberthreats are looking for ways to secure themselves, including investing in cyber security consultations.

Jamie Smith, the Board Director and Head of Cyber at S-RM, a company that specializes in global intelligence and cybersecurity, agreed to share his thoughts on effective protection measures and cybersecurity trends.

How did S-RM originate? What would you consider your biggest milestones throughout the years?

S-RM was founded in 2005, growing from a one-room office in Mayfair, London, with just two people sharing a dining table. Today it is a global cybersecurity and corporate intelligence consultancy, with almost 300 staff members, based across seven offices (no dining tables as desks!). We have expanded our client portfolio to include a significant number of large corporations, including FTSE 100 firms, S&P firms, and global law firms. We deal with a vast array of issues for our clients, but our central purpose is to help our clients to navigate an increasingly complex risk landscape.

In 2015, we launched our cybersecurity practice, which was a natural expansion to apply our intelligence expertise to the realm of cyberthreats. We now live in a digital world, and almost all risk indices will include some element of cyber or digital. Cybersecurity is now the fastest growing area of our business. Last year, we also launched our ESG practice in response to client demand and the rise of ‘hacktivism’, where ESG concerns are a primary motivation.

Can you tell us a little bit about what you do? What services do you provide to ensure security?

Our cybersecurity business focuses on three key offerings – incident response, cyber advisory, and ethical hacking. We support a client end-to-end with their cyber resilience journey. Our incident response teams are there to support a business in its moment of crisis when a cyber incident occurs. Their role is to minimize the damage and help the business restore normal operations. After this, there is often a need for companies to re-evaluate their cyber preparedness and this is where our cyber advisory services come in. This team is focused on helping businesses to reduce their risk and improve their cyber resilience, reducing the chance of an attack being successful in the future. Ethical hacking or penetration testing is then a good way to assess how much the organization’s cybersecurity has been strengthened.

More than a technical-focused process, this also includes working with the C-suite or management team to instill a strong cyberculture. While there is a growing awareness of cybersecurity issues among business leaders, too often it is still seen as a cost center and this leads to a reactive approach focused on paying the cyber bill when an attack happens, rather than guarding against the chance of a breach. By offering full support for clients along their journey to improve cyber resilience, we are able to demonstrate how a strong cyber posture can be a value creator; when done well, it can save an organization the time, money, and reputational damage of a breach. With the cyber insurance market hardening, we also see a lot of clients starting to see a proactive cyber strategy as a guard against rising cyber insurance premiums.

You often stress the importance of threat intelligence. Why is it so crucial?

The cyberthreat landscape is constantly evolving, with new threat actors and technologies emerging. But intelligence can help organizations to stay on top of cyberthreats. Some easy first steps include making sure that the business regularly checks what cyber risks are most common in their industry – this can be through risk bulletins, free alert services, and signing up to receive materials from organizations like the National Cyber Security Centre (NCSC) in the UK or its equivalent. A next step could be engaging a professional cybersecurity consultancy to help you understand the risk profile of your business specifically.

How do you think the recent global events affected the way people perceive cybersecurity?

At the time of speaking to Cybernews, sadly the conflict in Ukraine is the recent global event throwing a spotlight on cybersecurity today. Russian cyberthreat actors have always been in the headlines and it is understandable that many people from individuals to businesses will be concerned about the cybersecurity conflict running in parallel with the physical war. What we have seen in the first few weeks of the conflict is an ‘eye of the storm’ effect, with no major uptick in cyberattacks on Western businesses. It is likely that Russian cyber resources have been focused on targets in Ukraine – destroying data, disseminating disinformation, and perpetrating DDoS attacks to shut down websites. But now, it is likely that Russian threat actors may set their sights on Western businesses in retaliation for global trade and economic sanctions. This is something that businesses, therefore, must be prepared for.

Why might some organizations not be aware of the security risks they are exposed to?

In our recent survey of 600 C-suite and IT budget holders from across the US and UK, only 40 percent of respondents thought their organization would be ‘completely successful’ at detecting a cyber incident. The same respondents thought their organizations could be more successful with better employee appreciation of cybersecurity risks, and a greater understanding of breach response policies. These two points are reflected in the growing C-suite interest in cultivating a security-positive culture, which is key to having the kind of proactive and value-creating cyber strategy which I described earlier.

Although the world of work is increasingly digitized, most cyberattacks are aimed at employees and people remain some of the most vulnerable attack vectors. This makes it crucial that every single employee is educated and empowered to detect and respond to cybersecurity vulnerabilities.

Out of all cyberthreats floating around nowadays, which ones do you think have the potential to cause the most damage?

Any cyberthreat has the potential to do massive amounts of damage. But that damage can be limited if your organization has built up its cyber resilience and practiced its incident response. Three innovations in 2021 to highlight that we shared in a recent podcast are:

  • Double encryption – where a single ransomware group encrypts their victim’s data twice, sometimes with two separate strains or simply using two separate encryption keys. This causes the victim to pay a ransom twice to recover their data.
  • Additional pressure tactics – this includes cold calling directors or senior executives, sometimes even phoning the front desk or clients and journalists to let them know the victim organization has had a data breach. Threat actors may also threaten distributed denial-of-service (DDoS) attacks against their victims if a ransom isn’t paid. This would be a threat over and above the initial ransomware attack.
  • Third-party access brokers – instead of compromising a network in order to launch an attack, threat actors are looking to purchase access to an already compromised network. This could either be purchased from a specialist hacker or alternatively, from insiders at a target organization.

What would be the first steps for companies looking to improve their cyber resilience?

Firstly, look at your information security function. Ensure it has defined objectives – which information assets and systems are you trying to protect and why? Next, build out your cybersecurity policy, and within that describe what your ‘ideal state’ is, as outlined in your objectives. Then, work on supplementary procedures which detail how you will reach and maintain that ideal state. Finally, and perhaps most importantly, engage your employees in the policies and procedures put in place so they understand their role. It goes without saying that this is a process of continual learning, as a cyber strategy needs to be constantly put into practice and lived every day throughout the organization to be truly effective.

Talking about individual users, what security solutions do you think should be implemented on personal devices?

The pandemic saw a sharp increase in working from home, so it was natural to see an uptick in the number of personal devices being used for work purposes. Working at home and on poorly secured networks and devices increases the attack surface for threat actors. Employers have a responsibility to keep their strategy on ‘bring your own device’ (or BYOD) up to date to protect themselves and the individuals they employ from attack. That can be things like using two-factor authentication (2FA), or passphrases that change regularly. These ‘security hygiene basics’ are simple, but effective. While the human vector remains the top target of cybercriminals, good cyber habits being practiced throughout an organization are crucial. So again, having a positive cyber culture that makes sure these tools are being used consistently is also key.

Would you like to share what’s next for S-RM?

In March we opened our new office in Utrecht, which will allow us to anchor our European operations and grow our presence in the Benelux market. It also allows us to tap into the strong cyber talent pool in the Netherlands, which will help us grow our cyber team further in 2022.

Last year we published our first thought leadership report, Investing in Cyber Resilience: Spend, Strategy, and the Search for Value (s-rminform.com) and we’re looking forward to releasing another report later this year.