The following is an interview by the team at Cybernews. The original posting is available at Cybernews.

Stel Valavanis, onShore Security:
“everyone is a target for a cybercriminal”

Recent global events negatively affected the cyber landscape, urging companies to search for the best ways to shield themselves from various cyberthreats.

Many enterprises, especially small businesses, still believe that they won’t be affected by cyber attackers. After all, cybersecurity requires investment, making it easier to rather stay unprotected and save money. However, if a cyberattack hits – huge financial losses are one of the main consequences.

Implementing cybersecurity solutions, such as managed security services, is never a mistake and should rather be prioritized.

To better comprehend the importance of cybersecurity, its solutions, and potential threats for businesses, we invited Stel Valavanis, the CEO and Founder of onShore Security – a company that offers managed security services.

What was the journey like since your launch in 1991? How did the idea of onShore come to life? 

Since launching in 1991, and even before onShore existed as a proper company, I’ve been involved in almost every part of Internet service. At one point in the company’s history, we started an ISP business practically overnight to serve clients that would otherwise have experienced a loss in their Internet service. The biggest part of our journey has been our complete shift to security, which began in 2015 and has been what drives us ever since. It was becoming clear that it was the most important thing not only for our clients but for the well-being and freedom of the Internet at large.

Can you tell us a little bit about what you do? What industries do you mainly work with?

Our main service is called Panoptic Cyberdefense. Panoptic means “all-seeing” and that is what we strive to do. Our service monitors your entire network and we ingest data from as many of your systems as we can to develop a full-picture view of your network operations. This data is analyzed and correlated by our expert analysts and then used to further refine your security, detect any anomalies or bad actors, and discover vulnerabilities before they can be exploited. 

One of the industries that we’ve specialized in working with, and these clients were a big part of why we’re focused on security, is banking. It’s perhaps not surprising that they would have high-security standards as they retain valuable data and are considered a profitable target, but they are also subject to regulations that often act as a bellwether for future regulations in other industries.

Similarly, charged with retaining valuable data, providing uninterrupted service, and complying with regulation and oversight, our other main industries are healthcare organizations, educational institutions, and construction firms.

You state that it takes more than just technology to protect your network. Would you like to share more about your approach?

One of the founding principles at onShore Security has been the importance of the human element in technology. The human cannot be automated out of the loop if security is to be up to the highest standards. Augmenting the continuously evolving automation and machine learning, the core of our company are our security analysts who use their experience, intuition, and creativity to correlate data from a network and see things that a computer cannot. This work by our analysts is often the difference between failure and success for bad actors.

How do you think the pandemic influenced the cybersecurity industry? Were there any new features added to your services as a result?

The pandemic sent many offices home and without much warning. Many companies likely had some remote work policies and supporting security measures in place, but not at the scale that the pandemic made remote work vital to business continuity. Short-term, crisis mitigating measures were put in place that are no longer sufficient, and will not be in the long-term future either. Our company shifted to remote-first at the outset of the pandemic, putting into place proper security to allow our company to be fully operational, with the safety of working out of our office. As we developed these systems, we’ve found that working remotely and setting policy to assume remote work as the standard has actually strengthened our security and increased adherence to security policy. 

As the networks that our clients work on pivot towards being distributed for remote work, our services continue to adapt. Things like multi-factor authentication and better VPN access were immediately in greater demand, but we’re finally seeing a significant shift towards a more advanced EDR offering, as well as more advanced vulnerability management offerings, and in general, something closer to a zero-trust approach over time. We’re finally seeing more organizations get serious about their security policies.

We love this because we’ve been arguing about this approach for a long time. It gives us far greater visibility into clients’ networks and at the same time, raises security posture.

Why do you think certain organizations push cybersecurity to the background, despite the growing rates of cybercrime?

Some organizations still believe that they are not the kind of organization that would be considered a target for cybercrime, but unfortunately, this is wishful thinking. Our experience shows that everyone is a target and bad actors expend so little effort in attacks that they don’t have to be choosy about targets.

Many companies see cybersecurity as a large investment and instead opt to remain in danger and hope for the best, though industry regulation is inspiring most companies to at least comply with basic security regulation.

I believe that many larger companies falsely assume that they are protected from harm because they have cybersecurity insurance policies. While cybersecurity insurance is certainly a helpful thing to have in case of a cyberattack, it does not begin to cover the cost of the disruption and impact of a cyberattack, nor will it fix the underlying problem of weak cybersecurity posture. There are growing implications outside of the organization that will not be addressed by insurance coverage, such as impact to clients, vendors, trade secrets, and other things that are susceptible.

Even though it may seem that large organizations aren’t being put out of business by cyberattacks, the damages are way more wide-reaching than is commonly understood. Of course, having proper protection in the first place is a good way to avoid much of this threat and to be ready for what new threats emerge.

We expect insurance companies to enforce much stricter requirements on their clients’ cybersecurity posture in the future and this will likely change the way things are done.

In your opinion, what are the worst cybersecurity habits that can do serious damage to one’s company?

At every level of the company, one of the biggest vulnerabilities to your cybersecurity is your employees. Employees often have bad habits when it comes to cyber hygiene, things like opening suspicious emails, ignoring password policy, and other little things that are the responsibility of all employees. These little things can be the cause of a large, damaging cyberattack. Management and remediation of bad security hygiene is a very quick, easy, and cost-effective process that your organization can undertake that will make a difference immediately. Having proper security policies in place, training for all employees, and a way to detect compliance reduces this threat to your office.

The other bad habit is when people assume that the Cloud is inherently secure or safer. Ever hear the saying that “the cloud is just someone else’s computer”? Well, it’s true and your lack of visibility into the security of your cloud provider may actually make you less secure. This assumption of security seems to extend to many vendors, and it’s a reason we’re always trying to highlight vendor risk management as a vital security tool.

As remote work becomes the new normal, what are some of the best practices organizations should follow to ensure secure operations?

Security is a process, not a product. The process should be dictated by, and to a good extent encoded in, policy. Developing and tuning your policies and procedures will give you the biggest bang for your buck.

One policy practice is to implement multi-factor authentication wherever you can on your network. This will ensure that your employees will only have access to the parts of your network they need and when they need it. Tools, such as authenticator apps and hardware keys, add this layer of security. Another important policy for remote workers is to maintain the same good security hygiene that they would at the office. A good data management policy for the office should be followed strictly at home as well. Clean desk, clean screen policies should still be in place and internal communication should be restricted to secure channels. Out-of-band communications should be deterred whenever and wherever possible.

In your opinion, what kind of threats can we expect to see more of in the next few years? What actions can individuals take to protect themselves?

Especially considering current events in the news, there is reason to believe that attacks deriving from foreign state-funded sources will continue and may grow in scope. It’s worth remembering that some of this visible growth was unintentional and actually caused the downfall of several hacking entities. I believe that world events, such as war, climate change, and future global pandemics, will be a big source of threat to nation-states, so expect increased espionage and even something like a cyber cold war which one could argue we’re already in.

Cybercrime will continue to grow and sophistication will increase. As the gap between proper defense and most companies’ security posture slowly closes, hackers still have a wide berth of vulnerability in which to attack. Expect attacks to increasingly occur in the form of carefully considered disruptions, such that backup practices are no longer adequate for recovery. Expect the criminal financial ecosystem to become more resilient to law enforcement investigations. Expect new forms of monetizing cyberattacks, such as blackmailing for disruption or attacking weaker parts of the supply chain.

Regulations will continue to grow and compliance will be a much larger part of your organization’s workload.

The role of cybersecurity insurance is going to change. We’ve already seen the cost of insurance policies grow by multiples. Insurance companies will become stricter about qualifications for insurance policies in the first place and for claims.

And finally, what’s next for onShore?

We continue to develop our product to meet the security demands of our clients and the business world. Our Panoptic Cyberdefense platform evolves as our clients’ networks change and we have bolstered our other offerings, such as our newly re-engineered Continuous Vulnerability Management service.

New regulations will mean new priorities for our clients, and we are planning and preparing to lead their organizations through the increasingly dense web of compliance.

We are also constantly considering new best practices and providing thought leadership in the security space. For example, we’ve been part of a growing call for zero-trust practices in cybersecurity, which is especially relevant in this new normal.