Mapping the Digital Attack Surface: Why Global Healthcare Organisations are Struggling to Manage Cyber Risk


There’s a simple but powerful dynamic driving cyber risk for most healthcare sector CISOs today. The more they invest in digital infrastructure and tooling to drive sustainable growth, the more they might expose themselves to attack. According to experts, digital transformation during the pandemic pushed many organisations over a technology “tipping point” from which they will never return. The healthcare sector is certainly no different. In short, the future of healthcare is digital—from hybrid working to cloud-powered, patient-facing innovation. That creates a challenge for the sector’s CISOs.

This challenge is often articulated in terms of the digital attack surface—that is, the collection of applications, websites, cloud infrastructure, on-premises servers, operational technology (OT) and other elements which are often exposed to remote threat actors. The risks associated with attack can be mitigated if healthcare organisations (HCOs) have visibility into all of these assets, calculate their risk exposure accurately and then take steps to secure the attack surface. Yet many struggle to do so.

How malicious actors target the attack surface

As the latest Trend Micro annual cybersecurity report for 2021 highlights, threat actors deploy a range of tactics, techniques and procedures (TTPs) to target various elements of victim organisations’ corporate attack surface. These include:

  • Email inboxes
  • IoT endpoints
  • Mobile applications
  • Remote desktop protocol (RDP) endpoints
  • Virtual private networks (VPNs)
  • PCs
  • Websites
  • Servers
  • Certificates
  • Public cloud services
  • Supply chain infrastructure and services

They do so via phishing, vulnerability exploits, compromise of misconfigured services and other techniques—to deploy ransomware, banking Trojans, info-stealers, botnets, and much more. And they were astonishingly persistent last year. Trend Micro alone blocked over 94 billion such threats for customers in 2021. Many other organisations were doubtless not so lucky.

HCOs are concerned

With stats like these, it’s perhaps not surprising that 70% of IT and business leaders we polled from the sector are concerned with the size of their digital attack surface. Over a quarter (27%) say they’re “very concerned”. Yet there’s more. Some 43% go even further, arguing that the attack surface is spiralling out of control.

Figure: Digital Attack Threat Graphics – 4-Year View

There’s a sense that major investments in IT modernisation over the past few years have created a momentum that is increasingly difficult to manage. When asked to describe their attack surface, over two-fifths (42%) of HCOs claimed that it is “constantly evolving and messy”. This hints at the challenge their security teams have: an attack surface that is expanding faster than their ability to control it. In fact, only two-fifths (44%) of respondents claim to have completely defined their attack surface. Gaining visibility of this kind is surely the first step towards effectively mitigating risk.

The visibility challenge

Unfortunately, two-thirds (62%) of the IT and business leaders we spoke to admit they have blind spots in trying to secure their attack surface. On average, healthcare respondents have only an estimated 59% visibility into their total attack surface—among the lowest of any sector. Yet even this is only a best guess. The likelihood is that it is even lower.

Cloud assets are considered to be the area where organisations have the least insight (38%), followed by network (31%) and end user assets (31%). In the cloud, change is the only constant. VMs, containers and other assets appear and disappear with mind-boggling frequency. Business users may bypass IT altogether when setting up new digital initiatives. And continuous innovation from platform providers means the whole edifice is built on constantly shifting sands.

Organisations operating across borders are also impacted. Some 60% of HCOs claimed that the fact they are global makes managing the attack surface more challenging. Yet a fifth (18%) are still mapping their environments manually, and a similar number (22%) are doing it regionally, which runs the risk of creating information silos.

Let’s run down some of the key reasons why attack surface visibility is so challenging today:

  • Organisations don’t have the right tools to gain visibility into all their assets
  • CISOs and their teams have too many tools, creating information silos
  • Opaque supply chains
  • An environment in constant flux: especially in the cloud where assets are dynamic and ephemeral
  • The sheer size, complexity and distributed nature of modern IT environments
  • Constant technology innovation, especially from cloud vendors
  • Business units investing in new products and services without telling IT (shadow IT)
  • An explosion in remote working endpoints and shadow IT during the pandemic

Many of these challenges were borne out by responses to our question: “Why is it so difficult to understand and manage cyber risk?” The largest number of respondents said risk was hard to quantify (37%). A further 32% said they had too few resources, and 31% complained of limited visibility. A fifth (18%) spoke of data silos, highlighting the visibility gaps that siloed tooling often creates. The best way to tackle this challenge is investing in a unified platform-based security approach.

The problem with managing risk

The end goal of gaining visibility and control of the digital attack surface is ultimately to better understand and manage cyber risk. Yet over half (53%) of HCOs we spoke to admit their method of assessing risk exposure isn’t sophisticated enough. Just 38% claim to have a completely well-defined process for this.

Part of this is likely down to a lack of investment in the right tools. Yet strategy and process also matter. Two-thirds (40%) of respondents admit to only reviewing or updating risk exposure every month or less. Given the pace of technology innovation, the rate of digital investment and the velocity at which the threat landscape is evolving, regular assessments are critical to full visibility and improved control over the attack surface. Just a fifth (19%) of HCOs do this on a daily basis.

Building a more risk-aware organisation

So how can healthcare CISOs build a more risk-aware organisation?

It comes down to three important steps:

  • Gain visibility into all assets and attack vectors
  • Use that data to continuously calculate risk exposure
  • Invest in the right controls to mitigate that risk

The benefit of a platform-based approach here should be clear. If the platform is extensive enough to cover the entire attack surface—from email and endpoints to networks and the cloud—it will help to eliminate data silos and provide comprehensive visibility into assets. That same platform could be configured to deliver continuous protection of those assets via prevention, detection and response tools and techniques, to minimise security gaps and improve decision making.

A platform-based approach will not only reduce expenditure on renewing and managing point products, it will also save stretched IT teams time and effort—freeing them to work on high-value proactive security tasks rather than swivel-chair fire-fighting.

By Bharat Mistry, Technical Director at Trend Micro