Raconteur

cybersecurity-2019

Issue link: https://raconteur.uberflip.com/i/1084979

EMPLOYEE ENGAGEMENT AND INSIDER THREATS

Five reasons why staff engagement needs to be part of your cyberdefence

Optimising employee engagement has many benefits, not least bolstering cybersecurity and reducing the likelihood of insider threats

Oliver Pickup

Education

While almost three quarters of cyberattacks are perpetrated by people outside an organisation, more than a quarter involve insiders, according to Verizon's 2018 Data Breach Investigations Report. Furthermore, human error is the root cause of close to one in five breaches. Education of the workforce, therefore, is critical.

"The vast majority of data breaches can be traced back to an original phishing email, or series of emails, whereby employees are used as targets to obtain data," says Luke Vile, cybersecurity expert at PA Consulting. "This first contact is often a 'stepping stone' cyber-approach.

"Engaging employees on cybersecurity ensures they are more alert during these early-stage phishing attempts, and when alert they are more likely to report contact and stop a breach before it happens."

Moreover, Matthew Buskell, assistant vice president at Skillsoft, believes organisations cannot rely on the IT or security departments. "A recent (ISC)²-commissioned survey identified a glaring skills gap on the horizon," he says, "projecting that the overall cybersecurity skills shortage is set to rise to 350,000 workers in Europe by 2022."

Happiness

It's impossible to quibble with the logic that a happy worker is a productive worker. A happy, committed worker is also unlikely to turn rogue when it comes to cybersecurity. "A main reason for companies to invest in employee wellbeing and engagement is that discontented staff pose a clear security risk, especially when resigning or leaving the organisation," says Louis Smith, insider threat specialist at Fidelis Cybersecurity. "Individuals who feel wronged by the company might feel they have something to gain from sabotaging intellectual property or conducting IP theft."

Jake Moore, cybersecurity expert at ESET, agrees. "Employees are your best asset, yet they are also the weakest link. They are able to spot signs that not even artificial intelligence can see, such as a begrudged staff member, and pick up on such signs," he says.

Most employees demand flexible working and PA Consulting's Mr Vile says organisations must ensure this policy, to boost happiness, is secure. "With many employees now routinely working from home, or working out of multiple offices, it extends the digital boundaries of an organisation far beyond its traditional office space," he points out. "Whenever digital boundaries are expanded in this way, it makes it harder for security to stretch and cover everybody."

Togetherness

Now more than ever, thanks to the introduction of cloud solutions, cybersecurity simply has to be a company-wide commitment, from top to bottom.

"Some 92 per cent of cybersecurity teams surveyed in The Oracle and KPMG Cloud Threat Report 2019 said they were concerned that individuals, whole departments or lines of business were in violation of their security policies for the use of cloud applications," says John Abel, vice president of cloud and innovation at Oracle. "In almost half of those cases, the unauthorised apps being used resulted in improper access to data and the introduction of malware that can quickly spread across an organisation.

"The increasing number of connected devices and the growth in mobile working has led to an exponential increase in opportunities for cybercriminals, making it even more important for employees to be engaged and prepared to spot threats.

"Our research also revealed almost one in four companies that had been the subject of a cyberattack in the past two years said 'increasing employee awareness and training' led to the biggest improvement in the security of the organisation, showing just how powerful employee engagement programmes can be."

Empowerment

If an organisation's cybersecurity is only as good as its weakest link, it is crucial to empower all employees and give them a reason to be diligent. "Encouraging employees to question requests, double check on records and be just a little paranoid are all critical in improving overall cybersecurity posture," says Aaron Zander, head of IT at HackerOne. "Companies that blame employees for poor passwords or bad behaviour with email aren't spending enough time, money or energy driving home security. Preventing phishing attacks can be closely tied to corporate culture."

Behaviours need to change, says Mr Zander, who asks: "Is it normal for an executive to demand something like a bank transfer to a vendor, or a large purchase from a random site with no questions asked either because of fear or sternness? Welcome to phishing heaven. It's up to IT and security teams to enable, empower and educate employees as part of strengthening the weakest links."

Audra Simons, head of Forcepoint Innovation Labs, adds: "Engaged employees tend to be more conscientious, compliant and ultimately become a positive force within the organisations."

Motivation

In the same way an organisation with a clear and inspiring vision is more likely to attract and retain talent, educating the workforce about cybersecurity using a fun and engaging approach can reap big rewards. "Studies show that the stick doesn't work," says PA Consulting's Mr Vile.

"One innovative solution is to go beyond mere cyber-awareness training and develop more 'gamified' approaches, boosting the engagement of employees and leaders through exciting role plays and scenarios involving 'games' with cyberattacks and attackers," says Thomas Calvard, lecturer in human resource management at the University of Edinburgh Business School.

Adenike Cosgrove, cybersecurity strategist at Proofpoint, took this approach with Royal Bank of Scotland (RBS) staff. "Through an ongoing programme of ethical phishing simulations based on actual fraudulent messages from the wild, RBS determined their employees' susceptibility to real-world attacks," she says. "Users falling victim to these fake phishing messages on multiple occasions received comprehensive training, which led to a significant 78 per cent reduction in the likelihood of users clicking on nefarious campaigns."

Commercial feature

Closing down cyberattack pathways

In today's interconnected business environment, guarding against cybersecurity threats is increasingly complex, with enterprises susceptible to months-long business interruption and millions in real costs. But new tech offers hope...

The advent of cloud and the move towards digital transformation have effectively broken traditional cybersecurity perimeters and made focusing defence efforts on keeping attackers out an unsuitable approach. Firms that don't have a plan of action for when attackers breach the cyber-front line leave their network acutely vulnerable to attacks on business-critical data and applications.

According to a recent study of more than 600 security professionals by research firm Ponemon Institute, only 36 per cent of respondents believe they are able to detect and investigate attackers before serious damage occurs inside the network.

Once hackers have gained a foothold, they move laterally through the network on the search for high-value assets and increase their level of access in the process. Yet many businesses are still not fully prepared to combat this type of attack, despite the large amounts of money being invested in security technologies.

"Ensuring that attackers, once they've breached the perimeter, can't move inside the network is critical," explains Ofer Israeli, founder and chief executive of Illusive Networks, the leader in lateral movement detection and prevention. "During normal use of the network, a company's employees leave behind data – credentials and unintended connections between computers – that attackers use to move laterally. From a preventative standpoint, this material can be removed to limit the attacker's options."

Deception technology can be a highly efficient method of detecting attackers who rely on lateral movement techniques. As opposed to traditional cybersecurity approaches, deploying deception-based solutions brings the burden and battle to the intruder by forcing them to determine what is real and what is fake. At the first wrong move, they are detected.

Instead of creating models that look for tools and methods hackers have used in the past, deception creates a hostile environment, confusing the attacker and detecting the behaviour underlying lateral movement. This enables reliable detection, regardless of how the attackers' tactics change over time.

Deception solutions can, therefore, give dynamic organisations greater confidence in their ability to minimise cyber-risk, allowing executives to focus on their core business objectives. "Businesses can't stop growing and innovating just because they're afraid of security failures. Having the ability to expose and stop lateral movement gives leaders freedom to run their business without having to continuously consider cybersecurity," says Mr Israeli.

Companies that don't have visibility inside their networks and lack the capacity to limit severely the ability of attackers to move laterally will find themselves at high risk when their perimeter is breached.

Only 28 per cent of security professionals surveyed by Ponemon have the ability to detect accurately credentials that are improperly stored on systems. "Lateral movement is a blind spot for many enterprises, but our Attack Surface Manager (ASM) solution provides visibility, automatically identifies hidden risks and removes keys that allow attackers to obtain essential assets," says Mr Israeli.

The approach of Illusive Networks differs to that of other cybersecurity companies in its automation, simplicity and high-fidelity alerts. This solution doesn't require continuous monitoring or management, but gives customers the confidence that when an attack happens, they are protected.

Illusive's Pathway functionality shows defenders what options attackers can take to reach prized business-critical assets and helps security personnel remove excess or unauthorised paths without harming essential business connectivity.

By giving security teams the tools to handle the full life cycle of these challenges, Illusive Networks can assist firms in becoming better equipped to deal with cyberthreats. "We pre-empt, detect and respond to any lateral movement that occurs inside the network. This gives peace of mind to businesses knowing their most important data and systems are protected in a way that is simple, cost effective and scalable," Mr Israeli concludes.

For more information, or to schedule a free Attack Risk Assessment, please visit go.illusivenetworks.com/times
