Facing realities

As 2022 gathers pace, Sophia Anastasi, global channel sales director at Skurio, the digital risk protection company, speaks with IT Europa editor Carl Friedmann about how the threat landscape is evolving and what tools can help organisations to remain vigilant against attacks.

 

Can you begin by giving some background on Skurio and its unique place in the market?

Skurio is SaaS-based; we have a platform that allows you to highly automate searching the surface, deep and dark web for meaningful and specific information to an organisation. So, where you have, for example, a traditional threat intelligence tool that will go out and look for generic indicators of compromise and threats that may potentially affect your organisation, we turn that on its head and have a more targeted approach to threat intelligence. We use domains, individuals of interest or sensitive information as sources of search to provide alerts if data appears somewhere where it shouldn't. We shine a security spotlight on your data, so when something lands where it shouldn't, we can let you know straight away.

 

So is it all in real-time?

Yes, it's near real-time. As soon as it lands outside the network somewhere that it shouldn't be, then we'll be able to pick that up. I think what cyber resilience means is that you're not waiting for a breach to happen; you're not waiting to become a victim. What you're doing is looking beyond the network, beyond conventional cybersecurity. You're proactively looking for threats to your business to detect data breaches a lot sooner and minimise the impact of those breaches on your business. The most common challenge that we help with is leaked corporate credentials. Many breaches come down to human error, accidentally using corporate credentials somewhere they shouldn't be used. The feedback we get is that the horse has already bolted, which is the case in every breach that happens. So it's a case of understanding that a breach has occurred as quickly as possible and minimising the impact. These little things make a big difference, and organisations tend not to think proactively about them. They wait and believe that, because they haven't had a breach yet, they're doing something right. That's not the way to look at cybersecurity. You should be looking at it as you've been lucky so far, but luck is going to run out at some point.

 

So it's more of a prevention approach.

Yeah, almost. I think IDC said 90% of organisations globally have already been breached or will get breached at some point. And it takes on average around 300 days to detect that a breach has happened. I always liken that to a bank: you walk in, there are no security guards, all the cameras are switched off, and the vaults are wide open. So, effectively, that's what happens when a hacker gets into your network. So let's detect it as quickly as possible and minimise any further attacks that may occur, understand why it's happened, why that business is being targeted, and see how to prevent it from happening again.

 

With cyber resilience, are there some parallels or crossover with zero trust?

Not so much. It'll probably make up an element of a cyber resilience strategy, so it's around encompassing various types of security technologies or security strategies to make you as secure as possible. So there will be an element of zero trust in someone's cyber resilience strategy. For us, cyber resilience is all around proactively understanding what threats there are and understanding things like zero trust will help to a certain degree. But it's not the be-all, end-all, just like a firewall is not going to prevent everything from going in and out of your network. It's just about stacking your cybersecurity in a meaningful way to make you as resilient to cyberattacks as possible. We proactively monitor for threats in an automated way. Every organisation has the right to a secure IT infrastructure, and sometimes, that’s very difficult for organisations due to a lack of budget, resources and expertise constraints. We can also help with remediation services where customers can't do it themselves. We do that directly using the platform and using MSSP partnerships that we're building within the channel.

 

Automation is a big thing, of course, but there's also the concern of the broadening skills gap. In addition, human error is always the foundation of breaches and hacks, so how are you striking the right balance between hands-on and automation?

We're working hard to make sure that we find that balance for MSPs to make it easy for them to use our platform within their SOC infrastructure and generate a good amount of recurring revenue from the services they sell to end-users.

 

Organisations that say they haven't been hacked might be in the process of being hacked already—during those 300 days you mentioned. So a significant consideration is minimising the time of awareness, right? 

Maersk is an excellent example in that their NotPetya breach in June was very severe for their brand and the $300 million in losses, but also because of the length of downtime they had. That happened because a small supplier in their supply chain was breached. We try to educate the market that protecting your perimeter is no longer enough. We can help you to watermark your data in someone else's network, we call this a Breach Marker, and it provides you with an element of control if, for example, you lose a device or you're using a cloud-sharing bucket. As soon as your data is breached, you’ll be alerted to that. Then you can quickly find out how sensitive the data is that you are sending to this supplier. You balance the frequency of sharing it in relation to the risk for the business, and then you can build a strategy around that. We're looking at data as the centre of everything we do because data is a golden asset to a company. You should protect it wherever it sits, not just within the network perimeter.

 

From Skurio's perspective, do you approach each customer uniquely?

Absolutely. The highly automated part of our solution allows people to do that and see the more granular analytics and filters to find those needles in haystacks. But for us, we're building a channel, so we focus on finding partners that can service these different customers in the way they want to be serviced. We have resellers who can support the end-users to select the platform package that is right for them. Our MSPs also supply short-term risk exposure reports or long-term monitoring solutions to address every customer requirement. So, it's essential to build a robust channel ecosystem globally. You buy the platform, and you use it however you need to. Revenue creation is easy because there's more automation, plus it allows you to add your services based on the end-user requirement. But in terms of the way we package our solution compared to others, you're free to go out and sell it however you want with no limitations. That's a unique selling point for us: you're not restrained by capacity. You can effectively buy the platform and go to market, and we'll leave you to it, provided you request support as and when you need it. The revenue they can add on, and that kind of stickiness to their contracts, is a considerable benefit for channel partners.

 

And you still build on these relationships, even though they take the ball and run with it. So there are always ongoing conversations?

All the time. We have a dedicated channel manager that supports them, and we have a great onboarding process from a commercial standpoint. If they're new to this technology area, we give them an idea of how they can go to market. We help them to understand where the market is going and how they can incorporate what we do into their existing service or solution stacks. We have a brilliant technical onboarding service as well, so our analysts and pre-sales team help them go through a rundown of how the platform works and how best to use it. Then, of course, we also have a customer success and marketing team, who make sure partners have everything they need. They are in contact with at least three or four people at every stage, helping them grow their customer base, pipeline, revenues, and provide platform support. And because we're so agile, we take all the feedback we get from our partners on board to make our platform the best it can be.

 

The feedback loop is critical. Looking ahead, what are Skurio's priorities to combat cybersecurity risks and malware, especially regarding what you were saying about supply-chain breaches and third-party risks? How do you interpret the threat landscape, and how is it evolving?

Hackers are becoming more innovative more quickly. They're also automating their processes. You'll never be able to get ahead of these guys because they're constantly evolving. We're trying to make people aware of the risks because most believe they won't be hacked. Smaller organisations think they won't be targeted, but they're part of supply chains; they're just as much at risk as the Fortune 1000 companies. There's less than 1% of digital risk protection market penetration globally now, and cybercrime is up by around 600% due to Covid.

 

Is that due to hybrid working and endpoint challenges?

Because they don't have an IT person over their shoulder, people working from home pick up bad practices, such as adding microservices to infrastructure and putting more data in the cloud. It's a fact that if digital transformation wasn't on the cards for an organisation pre-March 2020, then it was post-pandemic; whether they were ready for it or not, they had to find the resources, budget and expertise to do it. That's accelerated the growth of cyberattacks, and I think it's only going to grow. Education is vital, so it's key to have a proactive data monitoring solution in your service stack or within your infrastructure to keep an eye on it and detect breaches as early as possible. That's the message we're trying to get out to the market. And if people understand that data should be protected wherever it sits, whether it's in the network or within your supply chain, then that's half the battle.

 

Considering the alternative to not having a robust security system in place, why do you think there's a reluctance to be educated on how things are evolving and becoming more proactive? Do people see it just as an added cost that they're willing to risk not spending? 

A lot of it comes down to budget. Suppose you look at the larger organisations out there. Many already have dark-web monitoring or brand reputation monitoring in their infrastructure because they understand the severity of being breached and losing customer data. If SMBs and SMEs are breached, they're more likely not to have considered this type of technology yet because they probably don't know it exists for them. Market leaders within this technology area have been generally exclusive to larger organisations with big analyst teams, budgets, and infrastructure, so it's never really made available to the smaller companies. I think it's a lack of knowledge that other players in the market can help smaller organisations have a more robust security infrastructure. And cybersecurity is coming up the pecking order as to where the budget is spent.

 

And lastly, what are your plans and priorities as 2022 finds its footing?

Because DRP is a new technology area, chances are you probably don't have someone in your IT team who can manage this and understand the results it provides. But that's precisely the reason why we recommend MSPs to help you because they are specialists. That's why we're growing our channel ecosystem by bringing on MSPs who can provide managed services to customers who don't have that resource internally. And we're trying to make it as simple as possible for them by finding different avenues to go to market. For example, we're very complementary to existing technologies for network security, so protect data where you can, but monitor for it where you can't. 2022 is also about hyper-growth for us. We're seeing steady growth in bringing onboard new channel partners in the UK and beyond; we now have more of an established market in the Middle East, for instance. The following markets are Europe and Asia, which we're working on now. But many markets are afraid to have conversations since, historically, any kind of proactive monitoring is clunky, expensive and needs a lot of resources.