CS Nov-Dec 2023
cyber awareness

Don Boxley, DH2i: today's cyber threats are escalating into full-blown crises - we must urgently overhaul our digital defences.

Simon Church, Xalient: invest heavily in training to enable employees to make smarter security decisions.
understand the process and who is doing what. "And I'm not just talking about technology here, but people and processes. For example, what communications about the attack will they share with employees, customers and other stakeholders? What do they want employees to do? What do they want senior executives and the board to do? All too often I see organisations assume that, because they have the technology in place, it will magically and seamlessly recover their systems, but they neglect the fine detail around communications and reassurance."
He also identifies human risk as a major factor. "In fact (depending on the sources you refer to) 75-90% of all cyber incidents are human initiated. So, it is very important to focus on having employee security awareness training in play. Today, employees operate in a blended environment, moving seamlessly between work applications and personal apps. Whereas previously they have been prevented from sharing company data outside the network perimeter, in our world of social media we often overshare, which leads to a lot of freely available open-source data, or OSINT.
"Cybercriminals use OSINT for social engineering purposes. They gather personal information through social profiles and use this to customise phishing attacks. The most recent MGM breach, for example, was a result of a social engineering attack on an employee who inadvertently gave hackers access to MGM's systems. Investing heavily in training to enable employees to make smarter security decisions will help them manage the ongoing problem of social engineering and clever phishing attacks. Performance should also be regularly measured to see how employees are implementing training in the real world and there must be KPIs around this that are ideally discussed at senior management or board level. It is likely that the MGM attack could have been averted, if the employee had been more aware and better trained."
Also, as many breaches utilise a vulnerability or flaw in operating systems' code, the patching cadence and criticality need to be agreed and assessed on a regular basis, so that the organisation prioritises patches based on risk to the business, Church adds. "To put this into context, last year there were approximately 20,000 new patches created by software vendors; this year, that figure is expected to increase to 22,000. This means that the largest organisations have a backlog of over 100,000 patches to deploy, which is an almost impossible task without clear risk prioritisation."
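The risk-based prioritisation Church describes can be made concrete with a scoring model. The following is an added example, not code from the article or from Xalient: it ranks a small constructed patch backlog by a score that combines vendor severity (CVSS) with active exploitation, internet exposure, the criticality of the affected asset and how long the patch has been outstanding. The weights, the patch records and the SLA thresholds are all assumptions chosen for illustration; the point it shows is that a medium-severity flaw being exploited on an internet-facing, business-critical system outranks a critical-severity flaw on an internal, low-value host, which a CVSS-only ordering would get backwards.

```python
"""Risk-based patch prioritisation over a constructed backlog.

Added example; weights, thresholds and sample patches are assumptions,
not figures from the article.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Patch:
    patch_id: str            # constructed identifier, not a real advisory
    cvss: float              # vendor base severity, 0.0-10.0
    exploited_in_wild: bool  # known active exploitation
    internet_facing: bool    # reachable from outside the perimeter
    asset_criticality: int   # 1 (disposable) .. 5 (business critical)
    days_outstanding: int    # age of the unapplied patch


def risk_score(p: Patch) -> float:
    """Business-risk score: severity scaled by exposure and impact, plus ageing."""
    score = p.cvss
    if p.exploited_in_wild:
        score *= 2.0                      # active exploitation dominates
    if p.internet_facing:
        score *= 1.5                      # external exposure raises likelihood
    score *= p.asset_criticality / 3.0    # neutral at criticality 3
    score += min(p.days_outstanding, 90) / 30.0   # ageing pressure, capped
    return round(score, 2)


def sla_days(p: Patch) -> int:
    """Remediation window implied by the score (assumed policy thresholds)."""
    s = risk_score(p)
    if p.exploited_in_wild or s >= 15:
        return 3
    if s >= 8:
        return 14
    if s >= 4:
        return 30
    return 90


def prioritise(backlog):
    """Return the backlog ordered highest risk first; ties broken by id."""
    return sorted(backlog, key=lambda p: (-risk_score(p), p.patch_id))


# Constructed backlog: five patches spanning the cases that matter.
BACKLOG = [
    Patch("PATCH-A", 9.8, True, True, 5, 10),     # critical, exploited, exposed
    Patch("PATCH-B", 9.8, False, False, 2, 60),   # critical CVSS, internal, low value
    Patch("PATCH-C", 5.3, True, True, 3, 5),      # medium CVSS but exploited and exposed
    Patch("PATCH-D", 7.5, False, True, 3, 120),   # high, exposed, long overdue
    Patch("PATCH-E", 3.1, False, False, 1, 200),  # low everything, very old
]


def report(backlog=BACKLOG):
    """Ordered (id, score, sla_days) rows for a management KPI view."""
    return [(p.patch_id, risk_score(p), sla_days(p)) for p in prioritise(backlog)]


if __name__ == "__main__":
    for pid, score, sla in report():
        print(f"{pid}: risk={score:6.2f}  fix within {sla:2d} days")
```

Note that PATCH-C, with a CVSS of only 5.3, lands above PATCH-B at 9.8 because it is being exploited on an internet-facing system; sorting by vendor severity alone would push it to fourth. Replace the constructed backlog with a feed from your patch or vulnerability management tooling and the ordering and SLA columns become the KPIs Church suggests reporting upward.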
Managing their third parties and any extended ecosystem cyber risk is equally critical for CEOs. "It is very difficult from an outside view to determine which third party has strong cyber controls and which ones are already, or likely to be, compromised. Standard risk assessment processes tend to be 'point in time', involving questionnaires and audits. For cybersecurity, this is a flawed approach that usually leads to risk tolerance or acceptance. Rather than just categorising third parties as high or low risk, organisations should focus on the nature of the relationship and their adherence to the same security policies and practices implemented by the organisation. Do they control sensitive data or have they got access to critical systems?"
Cybercrime is predicted to be worth a massive $10.5 trillion by the end of the year, Church points out. "If it were a country, it would equate to the third-largest country in the world, in terms of GDP, so it is clearly big business. Having robust security controls, a solid risk management plan and dynamic risk policies, as well as a tried and tested recovery plan, won't totally remove the threat of a cyberattack, but it will certainly reduce not only the probability of a breach, but also the impact to the business."
computing security Nov/Dec 2023 @CSMagAndAwards www.computingsecurity.co.uk